Edit tour

Windows Analysis Report
lustsorelfar.exe

Overview

General Information

Sample name:	lustsorelfar.exe
Analysis ID:	1431560
MD5:	837a823641bc5ba36bc3f49f4e9e8f2d
SHA1:	386b3cbf6be3512ee05638cf79225650dd9361a4
SHA256:	aba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses dynamic DNS services

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64

lustsorelfar.exe (PID: 6000 cmdline: "C:\Users\user\Desktop\lustsorelfar.exe" MD5: 837A823641BC5BA36BC3F49F4E9E8F2D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:51:58.068344
SID:	2035903
Source Port:	5861
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:11.546095
SID:	2035903
Source Port:	5861
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:55:07.738908
SID:	2035903
Source Port:	5861
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:10.363246
SID:	2035903
Source Port:	5861
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:55:11.971760
SID:	2035903
Source Port:	5861
Destination Port:	49742
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson Receiving Command (ping) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:52:52.824852
SID:	2035904
Source Port:	5861
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:02.943081
SID:	2035903
Source Port:	5861
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson Receiving Command (ping) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:52.772701
SID:	2035904
Source Port:	5861
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:14.629046
SID:	2035903
Source Port:	5861
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:26.801836
SID:	2035903
Source Port:	5861
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:39.237898
SID:	2035903
Source Port:	5861
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:29.347705
SID:	2035903
Source Port:	5861
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:37.859965
SID:	2035903
Source Port:	5861
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:49.098065
SID:	2035903
Source Port:	5861
Destination Port:	49728
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson Receiving Command (ping) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:52.757541
SID:	2035904
Source Port:	5861
Destination Port:	49728
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:28.488451
SID:	2035903
Source Port:	5861
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:29.223505
SID:	2035903
Source Port:	5861
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:54:00.004127
SID:	2035903
Source Port:	5861
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:52:55.692622
SID:	2035903
Source Port:	5861
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:48.187424
SID:	2035903
Source Port:	5861
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:56.818212
SID:	2035903
Source Port:	5861
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:19.048838
SID:	2035903
Source Port:	5861
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:19.052139
SID:	2035903
Source Port:	5861
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:30.859129
SID:	2035903
Source Port:	5861
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:31.285645
SID:	2035903
Source Port:	5861
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:40.568129
SID:	2035903
Source Port:	5861
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MSIL/Crimson CnC Server Command (info) M1 - Source IP: 45.14.194.253 - Destination IP: 192.168.2.5

Timestamp:	04/25/24-12:53:41.755618
SID:	2035903
Source Port:	5861
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lustsorelfar.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: lustsorelfar.exe	ReversingLabs: Detection: 42%
Source: lustsorelfar.exe	Virustotal: Detection: 56%			Perma Link

Source: lustsorelfar.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lustsorelfar.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: e:\lustsorelfar\lustsorelfar\obj\Debug\lustsorelfar.pdb source: lustsorelfar.exe
Source:	Binary string: e:\lustsorelfar\lustsorelfar\obj\Debug\lustsorelfar.pdb< source: lustsorelfar.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49716
Source: Traffic	Snort IDS: 2035904 ET TROJAN MSIL/Crimson Receiving Command (ping) M1 45.14.194.253:5861 -> 192.168.2.5:49716
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49720
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49721
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49722
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49723
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49724
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49725
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49726
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49727
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49728
Source: Traffic	Snort IDS: 2035904 ET TROJAN MSIL/Crimson Receiving Command (ping) M1 45.14.194.253:5861 -> 192.168.2.5:49728
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49729
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49730
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49731
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49732
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49733
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49734
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49735
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49736
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49737
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49738
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49739
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49740
Source: Traffic	Snort IDS: 2035904 ET TROJAN MSIL/Crimson Receiving Command (ping) M1 45.14.194.253:5861 -> 192.168.2.5:49740
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49741
Source: Traffic	Snort IDS: 2035903 ET TROJAN MSIL/Crimson CnC Server Command (info) M1 45.14.194.253:5861 -> 192.168.2.5:49742

Uses dynamic DNS services

Source: unknown

DNS query: name: ur253.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49716 -> 45.14.194.253:5861

Source: Joe Sandbox View

ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ur253.duckdns.org

Source: C:\Users\user\Desktop\lustsorelfar.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\lustsorelfar.exe	Code function: 0_2_00007FF848F15066		0_2_00007FF848F15066
Source: C:\Users\user\Desktop\lustsorelfar.exe	Code function: 0_2_00007FF848F12E1C		0_2_00007FF848F12E1C

Source: lustsorelfar.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.winEXE@1/0@3/1

Source: C:\Users\user\Desktop\lustsorelfar.exe

Mutant created: NULL

Source: lustsorelfar.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: lustsorelfar.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\lustsorelfar.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lustsorelfar.exe	ReversingLabs: Detection: 42%
Source: lustsorelfar.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: lustsorelfar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: lustsorelfar.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: lustsorelfar.exe

Static file information: File size 20822528 > 1048576

Source: lustsorelfar.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13b7800

Source: lustsorelfar.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: lustsorelfar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: e:\lustsorelfar\lustsorelfar\obj\Debug\lustsorelfar.pdb source: lustsorelfar.exe
Source:	Binary string: e:\lustsorelfar\lustsorelfar\obj\Debug\lustsorelfar.pdb< source: lustsorelfar.exe

Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe	Memory allocated: 1B6A8620000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Memory allocated: 1B6C2110000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe	Window / User API: threadDelayed 8233			Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Window / User API: threadDelayed 1620			Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -42094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41831s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -41047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -40031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -39922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -39812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -39703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -39594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe TID: 4672	Thread sleep time: -39484s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 45000	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44891	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44781	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44672	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44562	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44453	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44344	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44219	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44109	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 44000	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43891	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43781	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43672	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43562	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43453	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43344	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43219	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43108	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 43000	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42891	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42781	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42672	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42563	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42438	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42313	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42203	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 42094	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41969	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41831	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41702	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41594	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41484	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41375	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41266	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41156	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 41047	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40937	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40828	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40719	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40609	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40500	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40391	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40266	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40141	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 40031	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 39922	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 39812	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 39703	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 39594	Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Thread delayed: delay time: 39484	Jump to behavior

Source: lustsorelfar.exe, 00000000.00000002.4488797219.000001B6C5820000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'

Source: C:\Users\user\Desktop\lustsorelfar.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe	Queries volume information: C:\Users\user\Desktop\lustsorelfar.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\lustsorelfar.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\lustsorelfar.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
lustsorelfar.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
lustsorelfar.exe	57%	Virustotal		Browse
lustsorelfar.exe	100%	Avira	TR/Spy.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ur253.duckdns.org	45.14.194.253	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.14.194.253	ur253.duckdns.org	Germany		35913	DEDIPATH-LLCUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431560
Start date and time:	2024-04-25 12:50:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lustsorelfar.exe
Detection:	MAL
Classification:	mal68.troj.winEXE@1/0@3/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 85% Number of executed functions: 29 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target lustsorelfar.exe, PID 6000 because it is empty

Simulations

Behavior and APIs

Time	Type	Description
12:51:10	API Interceptor	14828166x Sleep call for process: lustsorelfar.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DEDIPATH-LLCUS	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	185.228.19.37
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	185.228.19.54
	EXCEL_DOCUMENT_OPEN.js	Get hash	malicious	Unknown	Browse	103.124.105.125
	EXCEL_DOCUMENT_OPEN.js	Get hash	malicious	Unknown	Browse	103.124.105.125
	4_10_AC-7539.xlsx	Get hash	malicious	DarkGate, MailPassView	Browse	103.124.105.125
	https://yesterwebring.neocities.org	Get hash	malicious	Phisher	Browse	45.89.106.174
	statapril2024-5892.xlsx	Get hash	malicious	DarkGate, MailPassView	Browse	103.124.106.237
	statapril2024-7320.xlsx	Get hash	malicious	DarkGate, MailPassView	Browse	103.124.106.237
	MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs	Get hash	malicious	DarkGate, MailPassView	Browse	103.124.106.237
	30ab11853092ccfc7359bb9cf99fe27b2179a1dc11037515b9367b6c28395850.zip	Get hash	malicious	DarkGate, MailPassView	Browse	103.124.106.237

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.889485833380952
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lustsorelfar.exe
File size:	20'822'528 bytes
MD5:	837a823641bc5ba36bc3f49f4e9e8f2d
SHA1:	386b3cbf6be3512ee05638cf79225650dd9361a4
SHA256:	aba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c
SHA512:	b263b861b7362e10dd1adc6c4ee7acf2adabee72d7dfb61498bf2e9e72fc5a43d25327270d247635e075eb8b592def7565b81df4c2003c6b9484dbdac065f7ab
SSDEEP:	3072:0VIVsVWWw52dMi5snX65eHsUNBN8Jc2SUnKr9fE/C822c5:8vMrWJOBE/C8P
TLSH:	4D275D53689371AAB15A42A34734CCC96E4748C70C133E842CDCAB14B957EFE9DBF46A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._>e.................x;..@......n.;.. ....;...@.. ........................>...........`................................

File Icon


Icon Hash:	cf8d85454742661c

Static PE Info

General

Entrypoint:	0x17b966e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x653E5FF3 [Sun Oct 29 13:36:51 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13b9614	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13ba000	0x23cd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13de000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13b94dc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x13b7674	0x13b7800	ff0c47628543804e59f2932807e931ee	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x13ba000	0x23cd0	0x23e00	a9f1e91da0039ae66fd10e061707a223	False	0.5207017639372822	data	5.823792470625165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13de000	0xc	0x200	a67dbdda6321d551c6b899fd36b7a06a	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x13ba460	0xaea9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9950573658667502
RT_ICON	0x13c5310	0x161f8	Device independent bitmap graphic, 148 x 296 x 32, image size 0	0.2922110885494835
RT_ICON	0x13db508	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4451244813278008
RT_GROUP_ICON	0x13ddab0	0x30	data	0.8958333333333334
RT_VERSION	0x13ba190	0x2d0	data	0.4236111111111111
RT_MANIFEST	0x13ddae0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-12:51:58.068344	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49716	45.14.194.253	192.168.2.5
04/25/24-12:54:11.546095	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49733	45.14.194.253	192.168.2.5
04/25/24-12:55:07.738908	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49741	45.14.194.253	192.168.2.5
04/25/24-12:54:10.363246	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49732	45.14.194.253	192.168.2.5
04/25/24-12:55:11.971760	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49742	45.14.194.253	192.168.2.5
04/25/24-12:52:52.824852	TCP	2035904	ET TROJAN MSIL/Crimson Receiving Command (ping) M1	5861	49716	45.14.194.253	192.168.2.5
04/25/24-12:54:02.943081	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49731	45.14.194.253	192.168.2.5
04/25/24-12:54:52.772701	TCP	2035904	ET TROJAN MSIL/Crimson Receiving Command (ping) M1	5861	49740	45.14.194.253	192.168.2.5
04/25/24-12:54:14.629046	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49734	45.14.194.253	192.168.2.5
04/25/24-12:54:26.801836	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49735	45.14.194.253	192.168.2.5
04/25/24-12:54:39.237898	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49740	45.14.194.253	192.168.2.5
04/25/24-12:54:29.347705	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49738	45.14.194.253	192.168.2.5
04/25/24-12:54:37.859965	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49739	45.14.194.253	192.168.2.5
04/25/24-12:53:49.098065	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49728	45.14.194.253	192.168.2.5
04/25/24-12:53:52.757541	TCP	2035904	ET TROJAN MSIL/Crimson Receiving Command (ping) M1	5861	49728	45.14.194.253	192.168.2.5
04/25/24-12:54:28.488451	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49736	45.14.194.253	192.168.2.5
04/25/24-12:54:29.223505	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49737	45.14.194.253	192.168.2.5
04/25/24-12:54:00.004127	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49730	45.14.194.253	192.168.2.5
04/25/24-12:52:55.692622	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49720	45.14.194.253	192.168.2.5
04/25/24-12:53:48.187424	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49727	45.14.194.253	192.168.2.5
04/25/24-12:53:56.818212	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49729	45.14.194.253	192.168.2.5
04/25/24-12:53:19.048838	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49721	45.14.194.253	192.168.2.5
04/25/24-12:53:19.052139	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49722	45.14.194.253	192.168.2.5
04/25/24-12:53:30.859129	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49723	45.14.194.253	192.168.2.5
04/25/24-12:53:31.285645	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49724	45.14.194.253	192.168.2.5
04/25/24-12:53:40.568129	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49725	45.14.194.253	192.168.2.5
04/25/24-12:53:41.755618	TCP	2035903	ET TROJAN MSIL/Crimson CnC Server Command (info) M1	5861	49726	45.14.194.253	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 12:51:57.306894064 CEST	49716	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:51:57.526997089 CEST	5861	49716	45.14.194.253	192.168.2.5
Apr 25, 2024 12:51:57.527096033 CEST	49716	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:51:58.068344116 CEST	5861	49716	45.14.194.253	192.168.2.5
Apr 25, 2024 12:51:58.076210976 CEST	49716	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:51:58.349601984 CEST	5861	49716	45.14.194.253	192.168.2.5
Apr 25, 2024 12:52:52.824851990 CEST	5861	49716	45.14.194.253	192.168.2.5
Apr 25, 2024 12:52:52.869781017 CEST	49716	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:52:54.856534004 CEST	49720	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:52:54.856537104 CEST	49716	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:52:55.075040102 CEST	5861	49720	45.14.194.253	192.168.2.5
Apr 25, 2024 12:52:55.075392962 CEST	49720	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:52:55.075676918 CEST	5861	49716	45.14.194.253	192.168.2.5
Apr 25, 2024 12:52:55.692621946 CEST	5861	49720	45.14.194.253	192.168.2.5
Apr 25, 2024 12:52:55.694269896 CEST	49720	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:52:55.980974913 CEST	5861	49720	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:18.135567904 CEST	49720	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:18.278744936 CEST	49721	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:18.278794050 CEST	49722	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:18.358083010 CEST	5861	49720	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:18.502536058 CEST	5861	49722	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:18.504743099 CEST	5861	49721	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:18.506128073 CEST	49722	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:18.506129980 CEST	49721	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:19.048837900 CEST	5861	49721	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:19.052139044 CEST	5861	49722	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:19.053366899 CEST	49721	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:19.182313919 CEST	49722	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:19.331012964 CEST	5861	49721	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:30.122132063 CEST	49721	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:30.122136116 CEST	49723	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:30.336172104 CEST	5861	49723	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:30.336249113 CEST	49723	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:30.337371111 CEST	5861	49721	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:30.542001963 CEST	49723	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:30.543135881 CEST	49724	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:30.755223036 CEST	5861	49723	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:30.761245012 CEST	5861	49724	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:30.761332989 CEST	49724	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:30.859128952 CEST	5861	49723	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:30.859196901 CEST	49723	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:31.285645008 CEST	5861	49724	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:31.287836075 CEST	49724	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:31.551101923 CEST	5861	49724	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:39.808391094 CEST	49724	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:39.808393002 CEST	49725	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:40.028251886 CEST	5861	49724	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:40.029268980 CEST	5861	49725	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:40.030318022 CEST	49725	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:40.568129063 CEST	5861	49725	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:40.569797993 CEST	49725	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:40.849201918 CEST	5861	49725	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:40.995206118 CEST	49725	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:40.996186018 CEST	49726	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:41.214524031 CEST	5861	49726	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:41.214783907 CEST	5861	49725	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:41.218235970 CEST	49726	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:41.755618095 CEST	5861	49726	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:41.761904955 CEST	49726	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:42.036506891 CEST	5861	49726	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:47.432873011 CEST	49726	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:47.436296940 CEST	49727	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:47.649928093 CEST	5861	49727	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:47.650089025 CEST	49727	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:47.652240038 CEST	5861	49726	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:48.187423944 CEST	5861	49727	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:48.190507889 CEST	49727	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:48.307683945 CEST	49727	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:48.308867931 CEST	49728	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:48.468061924 CEST	5861	49727	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:48.536154032 CEST	5861	49727	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:48.542524099 CEST	5861	49728	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:48.542628050 CEST	49728	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:49.098064899 CEST	5861	49728	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:49.099734068 CEST	49728	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:49.379252911 CEST	5861	49728	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:52.757540941 CEST	5861	49728	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:52.807642937 CEST	49728	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:56.042237043 CEST	49728	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:56.043149948 CEST	49729	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:56.260341883 CEST	5861	49728	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:56.262516975 CEST	5861	49729	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:56.262581110 CEST	49729	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:56.818212032 CEST	5861	49729	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:56.820050001 CEST	49729	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:57.118767023 CEST	5861	49729	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:59.245374918 CEST	49729	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:59.246522903 CEST	49730	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:53:59.464832067 CEST	5861	49730	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:59.464849949 CEST	5861	49729	45.14.194.253	192.168.2.5
Apr 25, 2024 12:53:59.466026068 CEST	49730	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:00.004127026 CEST	5861	49730	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:00.009490967 CEST	49730	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:00.301064968 CEST	5861	49730	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:02.183037996 CEST	49730	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:02.184964895 CEST	49731	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:02.401268005 CEST	5861	49730	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:02.404422998 CEST	5861	49731	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:02.404491901 CEST	49731	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:02.943080902 CEST	5861	49731	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:02.944766045 CEST	49731	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:03.225172043 CEST	5861	49731	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:09.605612993 CEST	49732	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:09.605614901 CEST	49731	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:09.825328112 CEST	5861	49731	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:09.827991962 CEST	5861	49732	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:09.830554962 CEST	49732	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:10.363245964 CEST	5861	49732	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:10.364811897 CEST	49732	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:10.628736019 CEST	5861	49732	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:10.792332888 CEST	49732	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:10.793463945 CEST	49733	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:11.010966063 CEST	5861	49733	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:11.011060953 CEST	49733	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:11.014652967 CEST	5861	49732	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:11.546094894 CEST	5861	49733	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:11.550518990 CEST	49733	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:11.828237057 CEST	5861	49733	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:13.872653961 CEST	49733	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:13.872657061 CEST	49734	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:14.086355925 CEST	5861	49733	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:14.091029882 CEST	5861	49734	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:14.096554041 CEST	49734	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:14.629045963 CEST	5861	49734	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:14.631149054 CEST	49734	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:14.910126925 CEST	5861	49734	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:25.886662960 CEST	49734	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:26.035281897 CEST	49735	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:26.120286942 CEST	5861	49734	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:26.255247116 CEST	5861	49735	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:26.262649059 CEST	49735	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:26.801836014 CEST	5861	49735	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:26.932903051 CEST	49735	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:27.471553087 CEST	49735	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:27.714226007 CEST	49735	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:27.714915991 CEST	49736	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:27.764187098 CEST	5861	49735	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:27.945048094 CEST	5861	49736	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:27.945132017 CEST	49736	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:27.945307016 CEST	5861	49735	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:28.449580908 CEST	49737	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:28.449582100 CEST	49736	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:28.488451004 CEST	5861	49736	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:28.488663912 CEST	49736	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:28.590691090 CEST	49738	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:28.680303097 CEST	5861	49736	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:28.680399895 CEST	49736	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:28.681015968 CEST	5861	49737	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:28.681102991 CEST	49737	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:28.816634893 CEST	5861	49738	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:28.816821098 CEST	49738	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:29.223505020 CEST	5861	49737	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:29.339148045 CEST	49737	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:29.347704887 CEST	5861	49738	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:29.349337101 CEST	49738	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:29.628787994 CEST	5861	49738	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:29.727446079 CEST	5861	49734	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:37.106051922 CEST	49738	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:37.106055975 CEST	49739	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:37.321532011 CEST	5861	49739	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:37.324700117 CEST	5861	49738	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:37.325092077 CEST	49739	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:37.859965086 CEST	5861	49739	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:37.861429930 CEST	49739	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:38.141011953 CEST	5861	49739	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:38.401844978 CEST	49739	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:38.405472040 CEST	49740	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:38.649308920 CEST	5861	49739	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:38.654870033 CEST	5861	49740	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:38.656213045 CEST	49740	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:39.237898111 CEST	5861	49740	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:39.242182016 CEST	49740	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:39.520539045 CEST	5861	49740	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:52.772701025 CEST	5861	49740	45.14.194.253	192.168.2.5
Apr 25, 2024 12:54:52.839387894 CEST	49740	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:54:55.138940096 CEST	49716	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:06.981019020 CEST	49741	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:06.981033087 CEST	49740	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:07.199717045 CEST	5861	49740	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:07.201059103 CEST	5861	49741	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:07.205214024 CEST	49741	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:07.738908052 CEST	5861	49741	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:07.740751982 CEST	49741	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:08.020076990 CEST	5861	49741	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:11.217045069 CEST	49741	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:11.217103958 CEST	49742	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:11.435386896 CEST	5861	49742	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:11.435472965 CEST	49742	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:11.436804056 CEST	5861	49741	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:11.971760035 CEST	5861	49742	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:11.973859072 CEST	49742	5861	192.168.2.5	45.14.194.253
Apr 25, 2024 12:55:12.252947092 CEST	5861	49742	45.14.194.253	192.168.2.5
Apr 25, 2024 12:55:18.370781898 CEST	49720	5861	192.168.2.5	45.14.194.253

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 12:51:57.158112049 CEST	55695	53	192.168.2.5	1.1.1.1
Apr 25, 2024 12:51:57.302524090 CEST	53	55695	1.1.1.1	192.168.2.5
Apr 25, 2024 12:53:18.136365891 CEST	49162	53	192.168.2.5	1.1.1.1
Apr 25, 2024 12:53:18.277934074 CEST	53	49162	1.1.1.1	192.168.2.5
Apr 25, 2024 12:54:25.886893988 CEST	53207	53	192.168.2.5	1.1.1.1
Apr 25, 2024 12:54:26.033302069 CEST	53	53207	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 12:51:57.158112049 CEST	192.168.2.5	1.1.1.1	0x9596	Standard query (0)	ur253.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:53:18.136365891 CEST	192.168.2.5	1.1.1.1	0x3e8b	Standard query (0)	ur253.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:54:25.886893988 CEST	192.168.2.5	1.1.1.1	0x6c46	Standard query (0)	ur253.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 12:51:57.302524090 CEST	1.1.1.1	192.168.2.5	0x9596	No error (0)	ur253.duckdns.org	45.14.194.253	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:53:18.277934074 CEST	1.1.1.1	192.168.2.5	0x3e8b	No error (0)	ur253.duckdns.org	45.14.194.253	A (IP address)	IN (0x0001)	false
Apr 25, 2024 12:54:26.033302069 CEST	1.1.1.1	192.168.2.5	0x6c46	No error (0)	ur253.duckdns.org	45.14.194.253	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: lustsorelfar.exePID: 6000, Parent PID: 1028

General

Target ID:	0
Start time:	12:51:07
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\lustsorelfar.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\lustsorelfar.exe"
Imagebase:	0x1b6a6f20000
File size:	20'822'528 bytes
MD5 hash:	837A823641BC5BA36BC3F49F4E9E8F2D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: lustsorelfar.exePID: 6000, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848F15066 Relevance: 2.8, Instructions: 2844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72807be991e3fede41fb43e11fe98a032aee0f20460ec7c11e698eed928a39eb
Instruction ID: 3c6e93f8b5b3fc6ddbcc8c5c89ec39beda22935fc0668bc2895075255fb07eea
Opcode Fuzzy Hash: 72807be991e3fede41fb43e11fe98a032aee0f20460ec7c11e698eed928a39eb
Instruction Fuzzy Hash: 66334771D19A2D8FDB99EF14C890BA9B7B1FF58341F5041EAC00DA7285DB38AE81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F116FD Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

O_H, xrefs: 00007FF848F11A70

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID: O_H
API String ID: 0-1880849852
Opcode ID: 036765d02c1516ee662eccc93c485ed6a785ff54e42e27f0dd3fff9593579900
Instruction ID: 2ddd71e712af3ee460d492136e05bb51baac3424076905eaae3ba62cee322fc7
Opcode Fuzzy Hash: 036765d02c1516ee662eccc93c485ed6a785ff54e42e27f0dd3fff9593579900
Instruction Fuzzy Hash: 83C13D30919A4E8FEB88EF28C895AE9B7B1FF59340F5001B9D40DD7296CE35AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F177B1 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649f66da43a955d5f027324ddb6fe05f09b03abd4a30baabe81eb52b19b37638
Instruction ID: d8e56d6eb9a2e54ca8743c37f8d2434c1dfb9c2124855c25c1d833da55e062ca
Opcode Fuzzy Hash: 649f66da43a955d5f027324ddb6fe05f09b03abd4a30baabe81eb52b19b37638
Instruction Fuzzy Hash: C7F16F70A0AA5D8FDB85EB68C450BADB7F1FF59340F5401AAD00CE7292EB39AD41CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F138F4 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320bd8ea3b0454ffb9b2d003fb8f481fcbde22653be2c09d518bbc128c09ab62
Instruction ID: 1eb65ec18d853d12bfca2fc6c5f8ece5605196c50a1f03f092cd6e225b820ecf
Opcode Fuzzy Hash: 320bd8ea3b0454ffb9b2d003fb8f481fcbde22653be2c09d518bbc128c09ab62
Instruction Fuzzy Hash: A5411871D0EA8D4FE786AB2888297997FF2EF56351F4600BAC488DB2D3DA291D448711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F138ED Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc9713096ae2df5539961e8d4211373492277ddad29f79aba0c6787876697bd
Instruction ID: aad02db92f9e37e2c239b59e4336ccc1d40dc39c24f9bf2e50885f733e826056
Opcode Fuzzy Hash: 0fc9713096ae2df5539961e8d4211373492277ddad29f79aba0c6787876697bd
Instruction Fuzzy Hash: FC213A7190EA4C4FD782EB28C45439DBFB2EF9A341F4100BAD488EB292EA295D448721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10568 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3827b0115f921b6bc4d93975c8c30ea43605fff9d74752e5deffba92152c2a4
Instruction ID: 6ed4c6ecd058647333c7fc0bbbb10f33aa202e46955e7d5c401d8b0c974ca0f4
Opcode Fuzzy Hash: f3827b0115f921b6bc4d93975c8c30ea43605fff9d74752e5deffba92152c2a4
Instruction Fuzzy Hash: 9CB1C070E18A1D8FDB98EFA8D494AADBBF1FB59341F504069D40AE3281CB75A881CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10538 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44670938fa1d20abab32de126c75e8f254b91f7f332f4fc299af688a8dec01c5
Instruction ID: 7d43081b551405c88ec1e4c0f89089b12aa805ea6373deae968678db98af49f1
Opcode Fuzzy Hash: 44670938fa1d20abab32de126c75e8f254b91f7f332f4fc299af688a8dec01c5
Instruction Fuzzy Hash: 67A1AE70A09A1D8FDB98EF58C894BADBBF1FF58301F1041AAD40DE7295DB34A981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F104E5 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9951c497b951e528e212b7b4cedc8093c64cd6659cfc2143884ae6bfb51966e6
Instruction ID: 6b8c0f7abda77627126018c8b7f655ffcfca6a44c5d049a38cb90d1fd2a2c32a
Opcode Fuzzy Hash: 9951c497b951e528e212b7b4cedc8093c64cd6659cfc2143884ae6bfb51966e6
Instruction Fuzzy Hash: 31712370E0995D8FDB98EB68C894BADBBF0FF58301F1441AAD00DE7292DB349985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F135B2 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50c8edf7225588e86d532a50a499064a551b3213c98b82a4a10ff069ba4e80c
Instruction ID: 333a667b5686a8bf965c18c05812e261e5cef83e957f4892004c87cec8d0ff11
Opcode Fuzzy Hash: e50c8edf7225588e86d532a50a499064a551b3213c98b82a4a10ff069ba4e80c
Instruction Fuzzy Hash: B8518F71A09A4E8FDB88EF68D454AA9B7F1FF69340F00057AD009D7296DF39EC418B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1749D Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f922732fd9e92aaf32071d115dd27474372337639dfa1696e86f08308f23c6d6
Instruction ID: 6676bc751deee08bf3de431e8ea761f15cd7087a38a0b162839aa94c4c68bdda
Opcode Fuzzy Hash: f922732fd9e92aaf32071d115dd27474372337639dfa1696e86f08308f23c6d6
Instruction Fuzzy Hash: F261D070E08A1D8FDB98EF68D894BADBBF1FB58301F1041AAD00DE7295DB349985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F14811 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1519553c9b41732088eb577be71c6fc28a23b437c7874efabb4b0dff91f1c6
Instruction ID: 8f11b8a33c877ff4a244c599a641ca0d90aa9f60189b9083990baf0b6c7a1b1d
Opcode Fuzzy Hash: 6c1519553c9b41732088eb577be71c6fc28a23b437c7874efabb4b0dff91f1c6
Instruction Fuzzy Hash: 1051D33090968D8FDB49EF68D4946E9BBB2FF59301F50007AE009D7282CB39EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13EE9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5dae07e61f9712f01fb91df06a10f5e9d2a54a2706531c25c20b6ce52445b4
Instruction ID: 585cd74d8a7fef2107f50f99903c53eebfb713a468f9433eea3f3cfe95bcdb3e
Opcode Fuzzy Hash: cc5dae07e61f9712f01fb91df06a10f5e9d2a54a2706531c25c20b6ce52445b4
Instruction Fuzzy Hash: 88519F71909A4C8FDB85EF68C4547ADBBF1FF5A381F4500BAD048EB2A2DA395E84C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13C99 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0183e085c61710ff6468028d62f674ffd7284e70e220756db090b3db660ac6ef
Instruction ID: 7c57baa099e2db6ce2452d0628f7914484fbcfe2df41eb8e1a3bb12ea972c99d
Opcode Fuzzy Hash: 0183e085c61710ff6468028d62f674ffd7284e70e220756db090b3db660ac6ef
Instruction Fuzzy Hash: C5519D70909A4C9FDB85EF68C4547ADBBF1FF5A341F4500AAD048EB292DB395E44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13CB0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a70a7453a94f38bfe9fb3fae9fb705dd12d45f22b041edaa2df0fd77934b81
Instruction ID: f4980d2e19955871fee4470dbdf4abaf51d5712b0a81cb2757e348bd021bb750
Opcode Fuzzy Hash: 28a70a7453a94f38bfe9fb3fae9fb705dd12d45f22b041edaa2df0fd77934b81
Instruction Fuzzy Hash: A5517E70909A4C9FDB85EF68C4547ADBBF1FF5A341F85006AD048EB292DB355E84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13F00 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc9af5b07068fb5a091957de4c4b0ee15bc340e0860863229fef0d64aa2986e
Instruction ID: eb63172b003602004e90eb6ed888c3c63274dd06fc98b6a10a632cb8719fa645
Opcode Fuzzy Hash: 0bc9af5b07068fb5a091957de4c4b0ee15bc340e0860863229fef0d64aa2986e
Instruction Fuzzy Hash: F4516D70909A4C9FDB85EF68C4547ADBBF2FF5A381F85007AD049EB292DA355E80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F17E71 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6fb77d670a210e80fd53fcb5a56060263ede404a5e60666bc214e72471f47f
Instruction ID: 6e142763c46aeb7987f6d508c05f037a92bbd63e271586b9ea9885b55d4fc76a
Opcode Fuzzy Hash: 5e6fb77d670a210e80fd53fcb5a56060263ede404a5e60666bc214e72471f47f
Instruction Fuzzy Hash: 7741F531A1890D9FDF94EB5CD884AADBBF1FF69311F0401A5E009E72A1CB24AC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F17E90 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3aa199f003b3e5196e8a181d8b4dba69756284f4a2f4967a0d672fe1016767c
Instruction ID: 1e61f91efd5f308ba80635ad5e9913f2b1b326f298d3a375105ccf56b4490b7a
Opcode Fuzzy Hash: d3aa199f003b3e5196e8a181d8b4dba69756284f4a2f4967a0d672fe1016767c
Instruction Fuzzy Hash: A631B235A1890D9FDF94EB5CD485AADBBF1FF69311F010166E009E7265CB70AC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F146F1 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1115e0a305976f18a9e1fe0ce3e195306492d5e91f3802479f9d9e9ec7e4e842
Instruction ID: 2233b87c131a847abd994b5f6f85189f221e4d6f3089dd7a1fb6fedb0079ed12
Opcode Fuzzy Hash: 1115e0a305976f18a9e1fe0ce3e195306492d5e91f3802479f9d9e9ec7e4e842
Instruction Fuzzy Hash: 4F31C131C0965D8FDB85EF64E8546EDBBB1FF5A301F00016AE009E7292CB799D42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12B40 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06004db58d9dff61a660810d96a9277d901290fdb24f36bb4e0b2a286778cdfd
Instruction ID: cbfd485c3ba665ac4d44b8bfaff0ebede4104448c4e72558ed5fc418abe01ff9
Opcode Fuzzy Hash: 06004db58d9dff61a660810d96a9277d901290fdb24f36bb4e0b2a286778cdfd
Instruction Fuzzy Hash: 9D31683090965D8FDB84EFA8E4446EDB7B1FF59301F10156AE009E7292CB39A881CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12B58 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e2f3867df087ea58415be058ba135c57554bdacf9e4d404c0d4d98947af0b3
Instruction ID: 101793f5d5bcea0968cec081b0000cc475c8f9795e750df9f50439b4b23970d6
Opcode Fuzzy Hash: 64e2f3867df087ea58415be058ba135c57554bdacf9e4d404c0d4d98947af0b3
Instruction Fuzzy Hash: AE214830D09A5D8FDB88EF98E4547EDB7B1FF99301F10156AE009E3291CB75A891CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1097D Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad069d71a5e4e2240d222d531ed0c07bd85d9d650ef707646e75a6c75732f0c
Instruction ID: f0450b97d49663a953fef1c2298c5b7abe71ac82955e7abc6bd5448e52f6068c
Opcode Fuzzy Hash: bad069d71a5e4e2240d222d531ed0c07bd85d9d650ef707646e75a6c75732f0c
Instruction Fuzzy Hash: 1D3130B091878D8FE788EF28C4987A97BE1FF98304F5404E9D819C7382DB359856CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10858 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81aa50457d22388e31358ec3f1c5961f44c30c03297277e00c5afdee2fd3f80b
Instruction ID: b511c58e67cc7bed5f7bef2f8cab02cf60bf947298b435e61639c709a8a7ca0b
Opcode Fuzzy Hash: 81aa50457d22388e31358ec3f1c5961f44c30c03297277e00c5afdee2fd3f80b
Instruction Fuzzy Hash: E2110562D0EAD69EF265773818590B42FD0FFA6790F2908BAC4498B0C3ED189C08C385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13E51 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8999fcb04ad958bff65e30a43401aa801ea5e9991f693196dbb31c1a5fee095
Instruction ID: d816e480487e3daf12af570e7b8e367c4414f589559f392aa2648e741c0a2b55
Opcode Fuzzy Hash: d8999fcb04ad958bff65e30a43401aa801ea5e9991f693196dbb31c1a5fee095
Instruction Fuzzy Hash: 3311B27094D6CD4FDB42ABA888156EA7FB1EF46310F0500B6D088D71D2CA2C594AC765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F140A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f359cf977f6a34782ff5f6ddd28dc6b9242705f07db2fced457ee0f767d5634e
Instruction ID: 3321033ffbe9a883ae54587449601d41c8f76a1c6c645a6b015f3af17acfcf1b
Opcode Fuzzy Hash: f359cf977f6a34782ff5f6ddd28dc6b9242705f07db2fced457ee0f767d5634e
Instruction Fuzzy Hash: 3F11E23184E6CD4FDB42EB6488156EA7FB1EF96351F0500F6D448E71D3DA2C5946C325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F17343 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a04420df832b56a3bb82d1d29e27686630890da8d4bde30e676da24fd78e11f
Instruction ID: f17cdac99dd5f202527142c96dd7b12f8a013781f16dd8d243735d95e62f8bdf
Opcode Fuzzy Hash: 2a04420df832b56a3bb82d1d29e27686630890da8d4bde30e676da24fd78e11f
Instruction Fuzzy Hash: 66114C30A19A8E8FEB84EF18C840BAEB7B1FF59340F5045A5D409D3292CA35AD55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F108ED Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338d75d55dbac6c1f61cc3b4fa60832fbd1fbf3e0068f8da405dc63c92e0ebb2
Instruction ID: a1e993e7e6bc5f896ec4ecef516d233801d414b404192b057f7d784fa0eba5c3
Opcode Fuzzy Hash: 338d75d55dbac6c1f61cc3b4fa60832fbd1fbf3e0068f8da405dc63c92e0ebb2
Instruction Fuzzy Hash: 1D115E31D18A4E9FEB44FF28C8996E97BA0FF99340F4405BAE808D71D2DF3499558740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11CB2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2db586fd19558ce6da032227c00ab8b430a0c40bc29f63c4b103893ae3a24a6
Instruction ID: 93e443e5b44f1d8865ff15130da7de1757d2121a5d8db658927cfaf68b29e0f0
Opcode Fuzzy Hash: a2db586fd19558ce6da032227c00ab8b430a0c40bc29f63c4b103893ae3a24a6
Instruction Fuzzy Hash: 7E016D31A0DA4D8FDB84EF58D891AE973A2FF99340F4514A8E41DD32C2CE36AC52C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F140D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070f709b466dc51a20df05ce0853f1275e9a6d8c4d024f9439e8724b0bc04713
Instruction ID: c172a24f0a84bbcbc6ddbf77cf2433d5fac9bcfee9fa347885767f2ab0bf0619
Opcode Fuzzy Hash: 070f709b466dc51a20df05ce0853f1275e9a6d8c4d024f9439e8724b0bc04713
Instruction Fuzzy Hash: 7201693090990D8FEB41EF68C8046EEB7B2FBA9341F000176D108E3281DA3869508B54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F108CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d60ed63380434d8751e8bb9fcb9fa2a2164d79d36f9302d328dc81b1609e95
Instruction ID: 2b68984fb0e7b21e5654ae835390d13b3f1d54746bb72a4b98da74a42e6fbb73
Opcode Fuzzy Hash: 47d60ed63380434d8751e8bb9fcb9fa2a2164d79d36f9302d328dc81b1609e95
Instruction Fuzzy Hash: 73D0C971D0940CAEDB40EB58E8915ECB775FF89214F0012B6E40DD3192DF702AA18640

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF848F12E1C Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4493951051.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_lustsorelfar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d926a611efe885d738a9cb573cfe6493e2f040d629b15eafc89df42af19b6e66
Instruction ID: 4c9120f8d305ed7da4972b24dcf048143960377cc7af4dd73f11f9f4bcd7a52e
Opcode Fuzzy Hash: d926a611efe885d738a9cb573cfe6493e2f040d629b15eafc89df42af19b6e66
Instruction Fuzzy Hash: B1429170D09A5D8FDB86EB28C4547A8BBB2FF59341F5401BAC00EE7296DF396980CB54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lustsorelfar.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: lustsorelfar.exePID: 6000, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: lustsorelfar.exePID: 6000, Parent PID: 1028COMMON

Windows Analysis Report
lustsorelfar.exe