Windows
Analysis Report
pikabot_core.bin.exe
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- pikabot_core.bin.exe (PID: 1084 cmdline:
"C:\Users\ user\Deskt op\pikabot _core.bin. exe" MD5: F207A52477086EAF27141C780530336D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Pikabot | Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PikaBot | Yara detected PikaBot | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PikaBot | Yara detected PikaBot | Joe Security | ||
JoeSecurity_PikaBot | Yara detected PikaBot | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PikaBot | Yara detected PikaBot | Joe Security | ||
JoeSecurity_PikaBot | Yara detected PikaBot | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_0088C6E0 |
Source: | Code function: | 0_2_00876489 | |
Source: | Code function: | 0_2_0085C49C | |
Source: | Code function: | 0_2_0084F4EC | |
Source: | Code function: | 0_2_00874222 | |
Source: | Code function: | 0_2_0086E233 | |
Source: | Code function: | 0_2_0084843C | |
Source: | Code function: | 0_2_0085BC4A | |
Source: | Code function: | 0_2_0084DE57 | |
Source: | Code function: | 0_2_00855661 | |
Source: | Code function: | 0_2_00850279 | |
Source: | Code function: | 0_2_0085D07B | |
Source: | Code function: | 0_2_0084E380 | |
Source: | Code function: | 0_2_00872B99 | |
Source: | Code function: | 0_2_00855BAF | |
Source: | Code function: | 0_2_0084E7AA | |
Source: | Code function: | 0_2_0084FFD0 | |
Source: | Code function: | 0_2_0084D1F2 | |
Source: | Code function: | 0_2_00861B3E | |
Source: | Code function: | 0_2_0087AB3A | |
Source: | Code function: | 0_2_00853B7B | |
Source: | Code function: | 0_2_0085E6A6 | |
Source: | Code function: | 0_2_008448A8 | |
Source: | Code function: | 0_2_00871AA8 | |
Source: | Code function: | 0_2_0087D6BB | |
Source: | Code function: | 0_2_00888EC9 | |
Source: | Code function: | 0_2_008844DE | |
Source: | Code function: | 0_2_0087BAD0 | |
Source: | Code function: | 0_2_0084B4DD | |
Source: | Code function: | 0_2_00874CFE | |
Source: | Code function: | 0_2_008462FE | |
Source: | Code function: | 0_2_0085E809 | |
Source: | Code function: | 0_2_0088B04C | |
Source: | Code function: | 0_2_0086FA55 | |
Source: | Code function: | 0_2_0086027C | |
Source: | Code function: | 0_2_0087CBB5 | |
Source: | Code function: | 0_2_008669BB | |
Source: | Code function: | 0_2_00886FD9 | |
Source: | Code function: | 0_2_00885FE8 | |
Source: | Code function: | 0_2_00857FEE | |
Source: | Code function: | 0_2_0086D3ED | |
Source: | Code function: | 0_2_0084C1FB | |
Source: | Code function: | 0_2_00870316 | |
Source: | Code function: | 0_2_00877518 | |
Source: | Code function: | 0_2_00851522 | |
Source: | Code function: | 0_2_00882723 | |
Source: | Code function: | 0_2_0085252B | |
Source: | Code function: | 0_2_00889547 | |
Source: | Code function: | 0_2_0086C968 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00855BAF |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | Code function: | 0_2_00855BAF |
Source: | Code function: | 0_2_0088C744 |
Source: | Check user administrative privileges: | graph_0-14994 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 0_2_0085E4FD | |
Source: | Code function: | 0_2_0085E511 |
Source: | Code function: | 0_2_00850279 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_0084EC90 |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_0084DA84 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 12 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 21 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
50% | ReversingLabs | Win32.Trojan.Pikabot | ||
100% | Avira | HEUR/AGEN.1306576 |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.32.188.56 | unknown | United States | 20473 | AS-CHOOPAUS | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431279 |
Start date and time: | 2024-04-24 19:10:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | pikabot_core.bin.exe |
Detection: | MAL |
Classification: | mal76.troj.evad.winEXE@1/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: pikabot_core.bin.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
45.32.188.56 | Get hash | malicious | CryptOne, PikaBot | Browse | ||
Get hash | malicious | CryptOne, PikaBot | Browse | |||
Get hash | malicious | CryptOne, PikaBot | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
AS-CHOOPAUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook, PureLog Stealer | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | FormBook, GuLoader | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | Mirai | Browse |
|
File type: | |
Entropy (8bit): | 6.6791949052321185 |
TrID: |
|
File name: | pikabot_core.bin.exe |
File size: | 333'312 bytes |
MD5: | f207a52477086eaf27141c780530336d |
SHA1: | cb3ea1f333d8b80b5ddda33bb1366a46b22dbeaa |
SHA256: | ce742b7cc94a5c668116d343b6a9677523dc13b358294bba3cd248fba8b880da |
SHA512: | 65d4487f3b0d38f1c0b09b9f770048d29881db7628f97bde0d1a74895d1bb9113a2bd9ef60852336f238ec8e58ae2ef64a72de4b1fc78eaa00c746513aa72d71 |
SSDEEP: | 6144:sbjgxWB7mwVBDJVxqrU8eLgL02n8ifnC8nlBe:sbx9mwzlVxqr1ep28ECilB |
TLSH: | 5B643A81EA5791A9E2D760F478974BF240287E32305CC8523FD03F4A9A757ECD682F62 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>P.A_>.A_>.A_>..'?.D_>.A_?.W_>.+.6.U_>.+.=.B_>.+...@_>.+.<.@_>.RichA_>.........................PE..L.....pe...............&... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x435aa8 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6570C0B0 [Wed Dec 6 18:42:56 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | df9a4b633da6240db7237139a3412baa |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 10h |
push esi |
xor eax, eax |
mov dword ptr [ebp-0Ch], 00000046h |
push edi |
mov edi, eax |
mov dword ptr [ebp-08h], 0000002Bh |
mov dword ptr [ebp-04h], FFFFFF8Fh |
mov dword ptr [0044D93Ch], A5010600h |
mov dword ptr [0044D938h], 05010000h |
mov ecx, eax |
sub edi, dword ptr [ebp+ecx*4-0Ch] |
inc ecx |
cmp ecx, 03h |
jl 00007FE5FD3F3698h |
push 00000037h |
pop edx |
mov dword ptr [ebp-08h], 00000016h |
mov dword ptr [ebp-04h], FFFFFFB3h |
add edx, dword ptr [ebp+eax*4-08h] |
inc eax |
cmp eax, 02h |
jl 00007FE5FD3F3698h |
push 00000026h |
pop eax |
mov dword ptr [ebp-08h], eax |
mov ecx, edi |
mov dword ptr [ebp-10h], 00000047h |
mov dword ptr [ebp-0Ch], 00000051h |
mov dword ptr [ebp-04h], FFFFFF1Dh |
movups xmm1, dqword ptr [ebp-10h] |
movaps xmm0, xmm1 |
psrldq xmm0, 08h |
paddd xmm1, xmm0 |
movups xmm0, xmm1 |
psrldq xmm0, 04h |
paddd xmm1, xmm0 |
movd esi, xmm1 |
add esi, eax |
call 00007FE5FD3CEC83h |
pop edi |
mov eax, esi |
pop esi |
leave |
ret |
push ebp |
mov ebp, esp |
push ecx |
push ecx |
push ebx |
xor edx, edx |
mov eax, 00402F34h |
push esi |
mov ecx, edx |
push edi |
inc ecx |
lea eax, dword ptr [eax+02h] |
cmp ecx, 0000038Fh |
je 00007FE5FD3F36AFh |
cmp word ptr [eax], dx |
jne 00007FE5FD3F3691h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f058 | 0x3c | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0xa78 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x51000 | 0x26b4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4f000 | 0x58 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4b828 | 0x4ba00 | f4cdce8f4620b7487b7a6ec55417832a | False | 0.5423230888429752 | data | 6.670063157178187 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x4d000 | 0x1f2c | 0x2000 | 9553a8388e13503facb72f88d9d842d3 | False | 0.315673828125 | data | 3.3393620641765187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x4f000 | 0x26e | 0x400 | eb7880713f7b4b15393c5ab80ec511c3 | False | 0.3681640625 | data | 3.6019733009428014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x50000 | 0xa78 | 0xc00 | 7f5a012fb4ea4e0a14d86b1fbffee048 | False | 0.3743489583333333 | data | 4.451007548948245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x51000 | 0x26b4 | 0x2800 | 3d2522f4014a5d904c2a51f752960bd8 | False | 0.80390625 | data | 6.705203558784059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x500a0 | 0x3ac | data | English | United States | 0.4351063829787234 |
RT_MANIFEST | 0x50450 | 0x621 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.43849585723390694 |
DLL | Import |
---|---|
KERNEL32.dll | GetOEMCP, SetLastError, GetCurrentProcess, GetUserDefaultLangID, GetLargePageMinimum, lstrlenA, IsValidCodePage, GetTickCount, GetProcessHeap, GetModuleHandleA, GetLastError, GetCommandLineA |
USER32.dll | IsZoomed, IsWindow, GetLastActivePopup, GetMessageTime, GetMessageExtraInfo, GetTopWindow, GetDialogBaseUnits, GetWindowTextLengthA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 19:11:13.299273968 CEST | 49707 | 2967 | 192.168.2.5 | 45.32.188.56 |
Apr 24, 2024 19:11:14.456037998 CEST | 49707 | 2967 | 192.168.2.5 | 45.32.188.56 |
Apr 24, 2024 19:11:16.465903997 CEST | 49707 | 2967 | 192.168.2.5 | 45.32.188.56 |
Apr 24, 2024 19:11:20.465759039 CEST | 49707 | 2967 | 192.168.2.5 | 45.32.188.56 |
Apr 24, 2024 19:11:28.465805054 CEST | 49707 | 2967 | 192.168.2.5 | 45.32.188.56 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 19:10:52 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\Desktop\pikabot_core.bin.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x840000 |
File size: | 333'312 bytes |
MD5 hash: | F207A52477086EAF27141C780530336D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 27.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 81.6% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 13 |
Graph
Function 00861B3E Relevance: 179.9, APIs: 8, Strings: 92, Instructions: 4914networkCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084843C Relevance: 98.7, Strings: 78, Instructions: 1161COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00855BAF Relevance: 93.3, APIs: 5, Strings: 47, Instructions: 2316processCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00850279 Relevance: 42.8, APIs: 3, Strings: 21, Instructions: 764memoryCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00872B99 Relevance: 32.3, APIs: 1, Strings: 20, Instructions: 818stringCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0087AB3A Relevance: 29.7, Strings: 23, Instructions: 948COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00874222 Relevance: 26.9, Strings: 21, Instructions: 633COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084F4EC Relevance: 25.8, Strings: 20, Instructions: 759COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084DE57 Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 334windowtimeCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085C49C Relevance: 21.8, APIs: 1, Strings: 11, Instructions: 810windowCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084D1F2 Relevance: 16.9, Strings: 13, Instructions: 606COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00855661 Relevance: 16.6, Strings: 13, Instructions: 325COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085D07B Relevance: 13.1, Strings: 10, Instructions: 601COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084E7AA Relevance: 7.8, Strings: 6, Instructions: 339COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084FFD0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0088C6E0 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00881F2C Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 406memoryCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085F598 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 152windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085F8A2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 93libraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085E51B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085F789 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90libraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 008669BB Relevance: 179.1, APIs: 6, Strings: 93, Instructions: 5834memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00857FEE Relevance: 159.3, APIs: 4, Strings: 85, Instructions: 3535COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00877518 Relevance: 97.6, APIs: 2, Strings: 52, Instructions: 3050windowtimeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0087D6BB Relevance: 90.4, APIs: 4, Strings: 46, Instructions: 2899windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0086027C Relevance: 82.0, APIs: 7, Strings: 39, Instructions: 1481memorywindowtimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00882723 Relevance: 75.4, APIs: 4, Strings: 38, Instructions: 1895stringwindowtimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00870316 Relevance: 55.8, APIs: 2, Strings: 29, Instructions: 1538stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084C1FB Relevance: 44.3, Strings: 35, Instructions: 599COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00851522 Relevance: 32.0, Strings: 25, Instructions: 702COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0086FA55 Relevance: 26.1, APIs: 1, Strings: 16, Instructions: 580stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00874CFE Relevance: 25.9, Strings: 20, Instructions: 913COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00885FE8 Relevance: 23.5, Strings: 18, Instructions: 1004COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0086D3ED Relevance: 23.4, Strings: 18, Instructions: 850COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0087CBB5 Relevance: 20.6, Strings: 16, Instructions: 624COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085252B Relevance: 19.1, Strings: 15, Instructions: 368COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00888EC9 Relevance: 11.4, Strings: 9, Instructions: 180COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084EC90 Relevance: .0, Instructions: 20COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085E4FD Relevance: .0, Instructions: 7COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085E511 Relevance: .0, Instructions: 3COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0084418F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 70stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 008618D2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085DE60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 008619E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0088251F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0085BB99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowtimeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |