
Analysis Report PM5QK5bxd7

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 151570
Start date: 12.07.2019
Start time: 10:56:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PM5QK5bxd7 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.spre.evad.winEXE@8/13@1/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.6% (good quality ratio 82.7%)
  • Quality average: 73.4%
  • Quality standard deviation: 39.5%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, sc.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.142.119.134, 13.68.93.109, 13.107.4.50, 8.248.127.254, 67.27.138.254, 67.27.234.126, 67.27.237.254, 67.27.225.126, 93.184.221.240
  • Excluded domains from analysis (whitelisted): sls.update.microsoft.com.akadns.net, wu.ec.azureedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, wu.azureedge.net, settingsfd-geo.trafficmanager.net, sls.emea.update.microsoft.com.akadns.net, au.au-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 84 | 0 - 100 |  | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

  • None of the domains contacted by the sample resolve. The sample is likely an old dropper that no longer works.
  • The sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
  • The sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Replication Through Removable Media (1) | Windows Remote Management | Registry Run Keys / Startup Folder (1) | Process Injection (1) | Masquerading (1) | Input Capture (1) | Process Discovery (2) | Replication Through Removable Media (1) | Input Capture (1) | Data Compressed | Standard Non-Application Layer Protocol (1)
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Disabling Security Tools (1) | Network Sniffing | Peripheral Device Discovery (1) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol (1)
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Software Packing (1) | Input Capture | Security Software Discovery (3) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Modify Registry (1) | Credentials in Files | Remote System Discovery (1) | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection (1) | Account Manipulation | File and Directory Discovery (1) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information (1) | Brute Force | System Information Discovery (2) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading (1) | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

The number in parentheses after a technique is the count of matching signatures in this report.

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
  • Source: C:\Users\user\deibux.exe -- Avira: Label: WORM/Vobfus.9985446
  • Source: C:\Users\user\deibux.exe -- Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  • Source: PM5QK5bxd7.exe -- Avira: Label: WORM/Vobfus.9985446
  • Source: PM5QK5bxd7.exe -- Joe Sandbox ML: detected
Multi AV Scanner detection for domain / URL
  • Source: ns1.helpchecks.net -- virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
  • Source: PM5QK5bxd7.exe -- virustotal: Detection: 87%
Antivirus or Machine Learning detection for unpacked file
  • Source: 7.2.deibux.exe.400000.0.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 1.0.deibux.exe.400000.2.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 0.2.PM5QK5bxd7.exe.400000.0.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 7.0.deibux.exe.400000.0.unpack -- Avira: Label: WORM/Vobfus.9985446
  • Source: 0.0.PM5QK5bxd7.exe.400000.1.unpack -- Avira: Label: WORM/Vobfus.9985446
  • Source: 1.0.deibux.exe.400000.1.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 14.0.deibux.exe.400000.0.unpack -- Avira: Label: WORM/Vobfus.9985446
  • Source: 0.0.PM5QK5bxd7.exe.400000.5.unpack -- Avira: Label: WORM/Vobfus.9985446
  • Source: 1.2.deibux.exe.400000.0.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 14.2.deibux.exe.400000.0.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 1.0.deibux.exe.400000.0.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 1.0.deibux.exe.400000.3.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 1.0.deibux.exe.400000.4.unpack -- Avira: Label: TR/Dropper.VB.Gen
  • Source: 0.0.PM5QK5bxd7.exe.400000.0.unpack -- Avira: Label: WORM/Vobfus.9985446
  • Source: 7.2.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 1.0.deibux.exe.400000.2.unpack -- Joe Sandbox ML: detected
  • Source: 0.2.PM5QK5bxd7.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 0.1.PM5QK5bxd7.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 7.0.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 0.0.PM5QK5bxd7.exe.400000.1.unpack -- Joe Sandbox ML: detected
  • Source: 1.0.deibux.exe.400000.1.unpack -- Joe Sandbox ML: detected
  • Source: 14.0.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 0.0.PM5QK5bxd7.exe.400000.5.unpack -- Joe Sandbox ML: detected
  • Source: 1.2.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 14.2.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 1.0.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 1.1.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 1.0.deibux.exe.400000.3.unpack -- Joe Sandbox ML: detected
  • Source: 1.0.deibux.exe.400000.4.unpack -- Joe Sandbox ML: detected
  • Source: 0.0.PM5QK5bxd7.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 7.1.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected
  • Source: 14.1.deibux.exe.400000.0.unpack -- Joe Sandbox ML: detected

Spreading:

May infect USB drives
  • Source: deibux.exe, 00000001.00000002.634675642.00000000006A0000.00000004.00000020.sdmp -- Binary or memory string: autorun.inf
  • Source: deibux.exe, 00000001.00000002.634675642.00000000006A0000.00000004.00000020.sdmp -- Binary or memory string: [autorun]
  • Source: deibux.exe, 00000001.00000002.634675642.00000000006A0000.00000004.00000020.sdmp -- Binary or memory string: autorun.infG
  • Source: deibux.exe, 00000001.00000002.634675642.00000000006A0000.00000004.00000020.sdmp -- Binary or memory string: [autorun]i
  • Source: deibux.exe, 00000001.00000002.634675642.00000000006A0000.00000004.00000020.sdmp -- Binary or memory string: autorun.infa

Networking:

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
  • Source: unknown -- DNS traffic detected: query: ns1.helpchecks.net reply code: Name error (3)
Performs DNS lookups
  • Source: unknown -- DNS traffic detected: queries for: ns1.helpchecks.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  • Source: deibux.exe, 00000001.00000000.612223581.0000000000670000.00000004.00000020.sdmp -- Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Creates files inside the system directory
  • Source: C:\Windows\SysWOW64\WerFault.exe -- File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Creates mutexes
  • Source: C:\Users\user\deibux.exe -- Mutant created: \Sessions\1\BaseNamedObjects\C
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4300
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4996
One or more processes crash
  • Source: unknown -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1352
Reads the hosts file
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Sample file name differs from the original file name in the version info
  • Source: PM5QK5bxd7.exe, 00000000.00000000.572625799.0000000002FB0000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs PM5QK5bxd7.exe
  • Source: PM5QK5bxd7.exe, 00000000.00000003.533712937.0000000002BE7000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameLienal.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs PM5QK5bxd7.exe
  • Source: PM5QK5bxd7.exe, 00000000.00000002.602601096.0000000002200000.00000002.00000001.sdmp -- Binary or memory string: System.OriginalFileName vs PM5QK5bxd7.exe
  • Source: PM5QK5bxd7.exe, 00000000.00000000.572278054.0000000002B40000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs PM5QK5bxd7.exe
  • Source: PM5QK5bxd7.exe, 00000000.00000002.603879080.0000000002AA0000.00000002.00000001.sdmp -- Binary or memory string: originalfilename vs PM5QK5bxd7.exe
  • Source: PM5QK5bxd7.exe, 00000000.00000002.603879080.0000000002AA0000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PM5QK5bxd7.exe
  • Source: PM5QK5bxd7.exe -- Binary or memory string: OriginalFilenameLienal.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs PM5QK5bxd7.exe
Sample reads its own file content
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- File read: C:\Users\user\Desktop\PM5QK5bxd7.exe
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Section loaded: wow64log.dll
  • Source: C:\Users\user\deibux.exe -- Section loaded: wow64log.dll (3 identical entries)
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Section loaded: wow64log.dll (3 identical entries)
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Section loaded: sfc.dll (2 identical entries)
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Section loaded: phoneinfo.dll (3 identical entries)
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Section loaded: ext-ms-win-xblauth-console-l1.dll (3 identical entries)
Classification label
  • Source: classification engine -- Classification label: mal84.spre.evad.winEXE@8/13@1/0
Creates files inside the user directory
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- File created: C:\Users\user\deibux.exe
Creates temporary files
  • Source: C:\Windows\SysWOW64\WerFault.exe -- File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER981F.tmp
PE file has an executable .text section and no other executable section
  • Source: PM5QK5bxd7.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB 6.0 runtime library (probably coded in Visual Basic)
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
  • Source: C:\Users\user\deibux.exe -- Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (3 identical entries)
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (6 identical entries)
Reads ini files
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
  • Source: PM5QK5bxd7.exe -- virustotal: Detection: 87%
Spawns processes
  • Source: unknown -- Process created: C:\Users\user\Desktop\PM5QK5bxd7.exe 'C:\Users\user\Desktop\PM5QK5bxd7.exe'
  • Source: unknown -- Process created: C:\Users\user\deibux.exe 'C:\Users\user\deibux.exe'
  • Source: unknown -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1352
  • Source: unknown -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 652
  • Source: unknown -- Process created: C:\Users\user\deibux.exe 'C:\Users\user\deibux.exe' /o
  • Source: unknown -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 668
  • Source: unknown -- Process created: C:\Users\user\deibux.exe 'C:\Users\user\deibux.exe' /k
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Process created: C:\Users\user\deibux.exe 'C:\Users\user\deibux.exe'
Uses an in-process (OLE) Automation server
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found graphical window changes (likely an installer)
  • Source: Window Recorder -- Window detected: More than 3 window changes detected

Data Obfuscation:

PE file contains an invalid checksum
  • Source: deibux.exe.0.dr -- Static PE information: real checksum: 0x21c86 should be: 0x2e584
  • Source: PM5QK5bxd7.exe -- Static PE information: real checksum: 0x21c86 should be: 0x2d2b7
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Code function: 0_2_00401578 push 00401212h; ret 0_2_0040158B
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Code function: 0_2_0040153E push 00401212h; ret 0_2_00401577
  • Source: C:\Users\user\deibux.exe -- Code function: 1_2_00401578 push 00401212h; ret 1_2_0040158B
  • Source: C:\Users\user\deibux.exe -- Code function: 1_2_0040153E push 00401212h; ret 1_2_00401577
  • Source: C:\Users\user\deibux.exe -- Code function: 7_2_00401578 push 00401212h; ret 7_2_0040158B
  • Source: C:\Users\user\deibux.exe -- Code function: 7_2_0040153E push 00401212h; ret 7_2_00401577

Persistence and Installation Behavior:

Drops PE files
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- File created: C:\Users\user\deibux.exe
Drops PE files to the user directory
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- File created: C:\Users\user\deibux.exe

Boot Survival:

Drops PE files to the user root directory
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- File created: C:\Users\user\deibux.exe
Creates an autostart registry key
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run deibux (2 identical entries)
  • Source: C:\Users\user\deibux.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run deibux (4 identical entries)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Users\user\Desktop\PM5QK5bxd7.exe -- Process information set: NOOPENFILEERRORBOX (34 identical entries)
  • Source: C:\Users\user\deibux.exe -- Process information set: NOOPENFILEERRORBOX (41 identical entries)
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical entries)
  • Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (60 identical entries)

Malware Analysis System Evasion:

Checks the free space of hard drives
Source: C:\Users\user\deibux.exe | File Volume queried: C:\ FullSizeInformation
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Queries a list of all running processes
Source: C:\Users\user\Desktop\PM5QK5bxd7.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\Windows\WinSxS\FileMaps\users_craig_holland_862bbca36a202936.cdf-ms
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\Windows\WinSxS\FileMaps\users_craig_holland_desktop_6e4174ecf6a92c5a.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\PM5QK5bxd7.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: PM5QK5bxd7.exe, 00000000.00000000.570781359.0000000000D70000.00000002.00000001.sdmp, deibux.exe, 00000001.00000000.612427117.0000000000E00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PM5QK5bxd7.exe, 00000000.00000000.570781359.0000000000D70000.00000002.00000001.sdmp, deibux.exe, 00000001.00000000.612427117.0000000000E00000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PM5QK5bxd7.exe, 00000000.00000000.570781359.0000000000D70000.00000002.00000001.sdmp, deibux.exe, 00000001.00000000.612427117.0000000000E00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: PM5QK5bxd7.exe, 00000000.00000000.570781359.0000000000D70000.00000002.00000001.sdmp, deibux.exe, 00000001.00000000.612427117.0000000000E00000.00000002.00000001.sdmp | Binary or memory string: Program Manager>

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies Windows Update settings
Source: C:\Users\user\Desktop\PM5QK5bxd7.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoUpdate

Behavior Graph

Behavior Graph ID: 151570 | Sample: PM5QK5bxd7 | Start date: 12/07/2019 | Architecture: WINDOWS | Score: 84

Legend (node types used in the graph): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet

Graph content (text recovered from the rendered graph):
Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus or Machine Learning detection for sample; Multi AV Scanner detection for submitted file; May infect USB drives
Processes started from the sample node: PM5QK5bxd7.exe; deibux.exe; deibux.exe
PM5QK5bxd7.exe: DNS/IP ns1.helpchecks.net; dropped C:\Users\user\deibux.exe (PE32); signatures: Drops PE files to the user root directory, Modifies Windows Update settings; started deibux.exe and WerFault.exe
deibux.exe: signature Antivirus or Machine Learning detection for dropped file; started WerFault.exe (two instances)
WerFault.exe: dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)

Simulations

Behavior and APIs

Time | Type | Description
10:57:32 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run deibux C:\Users\user\deibux.exe /o
10:57:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run deibux C:\Users\user\deibux.exe /k
10:57:48 | API Interceptor | 2x Sleep call for process: PM5QK5bxd7.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
PM5QK5bxd7.exe | 88% | virustotal | -
PM5QK5bxd7.exe | 100% | Avira | WORM/Vobfus.9985446
PM5QK5bxd7.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\deibux.exe | 100% | Avira | WORM/Vobfus.9985446
C:\Users\user\deibux.exe | 100% | Joe Sandbox ML | -

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.deibux.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
1.0.deibux.exe.400000.2.unpack | 100% | Avira | TR/Dropper.VB.Gen
0.2.PM5QK5bxd7.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
7.0.deibux.exe.400000.0.unpack | 100% | Avira | WORM/Vobfus.9985446
0.0.PM5QK5bxd7.exe.400000.1.unpack | 100% | Avira | WORM/Vobfus.9985446
1.0.deibux.exe.400000.1.unpack | 100% | Avira | TR/Dropper.VB.Gen
14.0.deibux.exe.400000.0.unpack | 100% | Avira | WORM/Vobfus.9985446
0.0.PM5QK5bxd7.exe.400000.5.unpack | 100% | Avira | WORM/Vobfus.9985446
1.2.deibux.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
14.2.deibux.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
1.0.deibux.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
1.0.deibux.exe.400000.3.unpack | 100% | Avira | TR/Dropper.VB.Gen
1.0.deibux.exe.400000.4.unpack | 100% | Avira | TR/Dropper.VB.Gen
0.0.PM5QK5bxd7.exe.400000.0.unpack | 100% | Avira | WORM/Vobfus.9985446
7.2.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
1.0.deibux.exe.400000.2.unpack | 100% | Joe Sandbox ML | -
0.2.PM5QK5bxd7.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
0.1.PM5QK5bxd7.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
7.0.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
0.0.PM5QK5bxd7.exe.400000.1.unpack | 100% | Joe Sandbox ML | -
1.0.deibux.exe.400000.1.unpack | 100% | Joe Sandbox ML | -
14.0.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
0.0.PM5QK5bxd7.exe.400000.5.unpack | 100% | Joe Sandbox ML | -
1.2.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
14.2.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
1.0.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
1.1.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
1.0.deibux.exe.400000.3.unpack | 100% | Joe Sandbox ML | -
1.0.deibux.exe.400000.4.unpack | 100% | Joe Sandbox ML | -
0.0.PM5QK5bxd7.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
7.1.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -
14.1.deibux.exe.400000.0.unpack | 100% | Joe Sandbox ML | -

Domains

Source | Detection | Scanner | Label
ns1.helpchecks.net | 7% | virustotal | -

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.