Play interactive tour

Edit tour

Analysis Report Invoice-3990993.exe

Overview

General Information

Sample Name:	Invoice-3990993.exe
Analysis ID:	344833
MD5:	c240ecb4d6da455111dca9256dcd3604
SHA1:	de229f907f93f89d5fe10828fa7e8034e70cda55
SHA256:	4730211b41726d261fe9f81bbbacd224b2659f9f05909395f8492adf187d8666
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Invoice-3990993.exe (PID: 4556 cmdline: 'C:\Users\user\Desktop\Invoice-3990993.exe' MD5: C240ECB4D6DA455111DCA9256DCD3604)

Invoice-3990993.exe (PID: 6228 cmdline: C:\Users\user\Desktop\Invoice-3990993.exe MD5: C240ECB4D6DA455111DCA9256DCD3604)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "2hoa0Zb0I7ot", "URL: ": "https://K2J5CnzUCIra4sFQC.org", "To: ": "chuksanderson@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "7ynpV9cGEL", "From: ": "chuksanderson@hybridgroupco.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.230261930.0000000002421000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Invoice-3990993.exe PID: 4556	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Invoice-3990993.exe PID: 4556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Invoice-3990993.exe PID: 6228	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Invoice-3990993.exe PID: 6228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Invoice-3990993.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Invoice-3990993.exe.6228.2.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "2hoa0Zb0I7ot", "URL: ": "https://K2J5CnzUCIra4sFQC.org", "To: ": "chuksanderson@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "7ynpV9cGEL", "From: ": "chuksanderson@hybridgroupco.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: Invoice-3990993.exe	Virustotal: Detection: 52%			Perma Link
Source: Invoice-3990993.exe	ReversingLabs: Detection: 50%

Machine Learning detection for sample

Show sources

Source: Invoice-3990993.exe

Joe Sandbox ML: detected

Source: 2.2.Invoice-3990993.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: Invoice-3990993.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Invoice-3990993.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

0_2_0574AAC8

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://K2J5CnzUCIra4sFQC.org

Source: global traffic

TCP traffic: 192.168.2.7:49751 -> 66.70.204.222:587

Source: Joe Sandbox View

IP Address: 66.70.204.222 66.70.204.222

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic

TCP traffic: 192.168.2.7:49751 -> 66.70.204.222:587

Source: unknown

DNS traffic detected: queries for: mail.hybridgroupco.com

Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://NvVyeo.com
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://hybridgroupco.com
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://mail.hybridgroupco.com
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: Invoice-3990993.exe, 00000000.00000002.230261930.0000000002421000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Invoice-3990993.exe, 00000002.00000002.593714749.0000000003535000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.594174723.000000000359C000.00000004.00000001.sdmp	String found in binary or memory: https://K2J5CnzUCIra4sFQC.org
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: Invoice-3990993.exe, 00000000.00000002.230077421.0000000000878000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 2.2.Invoice-3990993.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF7313DE6u002dE794u002d450Au002dAA18u002dE32637E296B4u007d/u00369F9D8A0u002d8A99u002d4283u002dB060u002d03A8D6E65410.cs

Large array initialization: .cctor: array initializer size 12005

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Invoice-3990993.exe

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0086C2B0	0_2_0086C2B0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_00869990	0_2_00869990
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_05749060	0_2_05749060
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_05746278	0_2_05746278
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0574B2C8	0_2_0574B2C8
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0005DE22	0_2_0005DE22
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_00052050	0_2_00052050
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_000592E1	0_2_000592E1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD0040	2_2_00FD0040
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FDCC37	2_2_00FDCC37
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD3EF0	2_2_00FD3EF0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD1ED0	2_2_00FD1ED0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD6650	2_2_00FD6650
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FD6230	2_2_00FD6230
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00FDA6D0	2_2_00FDA6D0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_01795200	2_2_01795200
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_0179B518	2_2_0179B518
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_01796490	2_2_01796490
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_019146A0	2_2_019146A0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_019145B0	2_2_019145B0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_01914690	2_2_01914690
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E192E1	2_2_00E192E1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E12050	2_2_00E12050
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E1DE22	2_2_00E1DE22

Source: Invoice-3990993.exe, 00000000.00000000.225487389.00000000000E4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEncoderReplacementFallback.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000000.00000002.234376489.0000000005610000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamehvvnyXtzKrUuslrzKKgswjLcTb.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamehvvnyXtzKrUuslrzKKgswjLcTb.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.590596788.00000000015A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.588928857.00000000012F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000000.229135116.0000000000EA4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEncoderReplacementFallback.exe4 vs Invoice-3990993.exe
Source: Invoice-3990993.exe, 00000002.00000002.590726096.0000000001750000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Invoice-3990993.exe
Source: Invoice-3990993.exe	Binary or memory string: OriginalFilenameEncoderReplacementFallback.exe4 vs Invoice-3990993.exe

Source: Invoice-3990993.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Invoice-3990993.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 2.2.Invoice-3990993.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Invoice-3990993.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\Invoice-3990993.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice-3990993.exe.log

Jump to behavior

Source: Invoice-3990993.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Invoice-3990993.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Invoice-3990993.exe	Virustotal: Detection: 52%
Source: Invoice-3990993.exe	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\Invoice-3990993.exe 'C:\Users\user\Desktop\Invoice-3990993.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Invoice-3990993.exe C:\Users\user\Desktop\Invoice-3990993.exe
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process created: C:\Users\user\Desktop\Invoice-3990993.exe C:\Users\user\Desktop\Invoice-3990993.exe	Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Invoice-3990993.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoice-3990993.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0005BE9A push 28060001h; retn 0000h	0_2_0005BEA0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 0_2_0005DBEB push 28060001h; retn 0000h	0_2_0005DBF1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E1DBEB push 28060001h; retn 0000h	2_2_00E1DBF1
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_00E1BE9A push 28060001h; retn 0000h	2_2_00E1BEA0
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Code function: 2_2_0191CD51 push esp; iretd	2_2_0191CD5D

Source: initial sample

Static PE information: section name: .text entropy: 7.69028247011

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230261930.0000000002421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 4556, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Invoice-3990993.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Invoice-3990993.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Window / User API: threadDelayed 3475			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Window / User API: threadDelayed 6283			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6148	Thread sleep time: -49861s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6404	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6408	Thread sleep count: 3475 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6408	Thread sleep count: 6283 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe TID: 6404	Thread sleep count: 41 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Invoice-3990993.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Invoice-3990993.exe, 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Code function: 2_2_00FD9368 LdrInitializeThunk,

2_2_00FD9368

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Memory written: C:\Users\user\Desktop\Invoice-3990993.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Process created: C:\Users\user\Desktop\Invoice-3990993.exe C:\Users\user\Desktop\Invoice-3990993.exe

Jump to behavior

Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Invoice-3990993.exe, 00000002.00000002.590999751.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Users\user\Desktop\Invoice-3990993.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Users\user\Desktop\Invoice-3990993.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 4556, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 6228, type: MEMORY
Source: Yara match	File source: 2.2.Invoice-3990993.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Invoice-3990993.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-3990993.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 6228, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 4556, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-3990993.exe PID: 6228, type: MEMORY
Source: Yara match	File source: 2.2.Invoice-3990993.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion13	Input Capture1	Security Software Discovery211	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Credentials in Registry1	Virtualization/Sandbox Evasion13	SMB/Windows Admin Shares	Archive Collected Data11	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Invoice-3990993.exe	53%	Virustotal		Browse
Invoice-3990993.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Invoice-3990993.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.Invoice-3990993.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
hybridgroupco.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://hybridgroupco.com	0%	Avira URL Cloud	safe
http://mail.hybridgroupco.com	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://K2J5CnzUCIra4sFQC.org	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://NvVyeo.com	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hybridgroupco.com	66.70.204.222	true	true	0%, Virustotal, Browse	unknown
mail.hybridgroupco.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://K2J5CnzUCIra4sFQC.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	false		high
http://hybridgroupco.com	Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.hybridgroupco.com	Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Invoice-3990993.exe, 00000000.00000002.230261930.0000000002421000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Invoice-3990993.exe, 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, Invoice-3990993.exe, 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://NvVyeo.com	Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	Invoice-3990993.exe, 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0	Invoice-3990993.exe, 00000002.00000002.594011651.000000000356F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.70.204.222	unknown	Canada		16276	OVHFR	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344833
Start date:	27.01.2021
Start time:	08:29:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Invoice-3990993.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 76 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 13.64.90.137, 52.255.188.83, 92.122.144.200, 168.61.161.212, 51.104.139.180, 52.155.217.156, 20.54.26.129, 51.103.5.159, 67.26.81.254, 8.248.131.254, 8.241.121.254, 67.26.73.254, 67.27.159.126, 95.101.22.224, 95.101.22.216 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:30:02	API Interceptor	1057x Sleep call for process: Invoice-3990993.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.70.204.222	PARTS REQUEST SO_30005141.exe	Get hash	malicious	Browse
	Yu2iMnAJBdOGPyv.exe	Get hash	malicious	Browse
	CONTRACT AGREEMENT.exe	Get hash	malicious	Browse
	PARTS REQUEST SO_30005141.exe	Get hash	malicious	Browse
	PARTS REQUEST SO_30005141.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	SWIFT_6979034.exe	Get hash	malicious	Browse
	P-O.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse
	INV # 16809 & 16769.exe	Get hash	malicious	Browse
	S.O.A.exe	Get hash	malicious	Browse
	PROFORMAR INVOICE DETAILS.exe	Get hash	malicious	Browse
	U-8913.exe	Get hash	malicious	Browse
	ORDB2002765.exe	Get hash	malicious	Browse
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse
	Proforma Invoice with Bank Details_pdf.exe	Get hash	malicious	Browse
	Image001.exe	Get hash	malicious	Browse
	4nfg3g3nwg.exe	Get hash	malicious	Browse
	DOC04121993.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	ra8tqy1c.rar.dll	Get hash	malicious	Browse	158.69.118.130
	ARCH_25_012021.doc	Get hash	malicious	Browse	51.255.203.164
	WUHU95Apq3	Get hash	malicious	Browse	46.105.5.118
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.Generic.mg.59d4c719403b7938.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.Generic.mg.9d9c1d19818e75cc.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	158.69.118.130
	roboforex4multisetup.exe	Get hash	malicious	Browse	139.99.148.202
	xDKOaCQQTQ.dll	Get hash	malicious	Browse	158.69.118.130
	4bEUfowOcg.dll	Get hash	malicious	Browse	158.69.118.130
	P_O INV 01262021.exe	Get hash	malicious	Browse	51.195.53.221
	DHL doc.exe	Get hash	malicious	Browse	51.195.53.221
	PL5CS6pwNitND2n.exe	Get hash	malicious	Browse	51.75.130.83
	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	51.255.203.164
	PARTS REQUEST SO_30005141.exe	Get hash	malicious	Browse	66.70.204.222
	Document_PDF.exe	Get hash	malicious	Browse	51.195.53.221
	SecuriteInfo.com.Variant.Zusy.363976.21086.exe	Get hash	malicious	Browse	54.39.198.228
	ARCH 05 2_80074.doc	Get hash	malicious	Browse	144.217.190.240
	PO NO 214000070.doc	Get hash	malicious	Browse	94.23.169.237

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice-3990993.exe.log Download File
Process:	C:\Users\user\Desktop\Invoice-3990993.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.680106020831519
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Invoice-3990993.exe
File size:	595968
MD5:	c240ecb4d6da455111dca9256dcd3604
SHA1:	de229f907f93f89d5fe10828fa7e8034e70cda55
SHA256:	4730211b41726d261fe9f81bbbacd224b2659f9f05909395f8492adf187d8666
SHA512:	28ff87cdbc0d40702122818592a197e92d637947b7591c785d34c7b37175061206683dc3ff57918a50de021841bf33d1aba13275f2fc4337b6c19e4c19adaacf
SSDEEP:	12288:2VKLNoOoLnxjNmtpca8JFn/BThD/2hAcz2UPmnRST0:2VKKOonxjYpY5/2hAU2lRS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..`..............P.............N-... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x492d4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6010092D [Tue Jan 26 12:21:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x92cfc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x5f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x90d54	0x90e00	False	0.810157598145	data	7.69028247011	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x5f4	0x600	False	0.431640625	data	4.18640822203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x94090	0x364	data
RT_MANIFEST	0x94404	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	EncoderReplacementFallback.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	HaploTree
ProductVersion	1.0.0.0
FileDescription	HaploTree
OriginalFilename	EncoderReplacementFallback.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 08:31:42.935362101 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:43.074661970 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:43.076642990 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:43.383580923 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:43.385039091 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:43.521696091 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:43.522202969 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:43.661992073 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:43.707190990 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:43.745526075 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:43.892276049 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:43.892304897 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:43.892313957 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:43.892549038 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:43.901139975 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:44.040610075 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:44.082218885 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:44.309752941 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:44.447779894 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:44.450066090 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:44.586184978 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:44.587112904 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:44.744554043 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:44.745982885 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:44.881819010 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:44.882464886 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:45.018640041 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:45.019244909 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:45.155807972 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:45.161557913 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:45.161890030 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:45.162748098 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:45.162998915 CET	49751	587	192.168.2.7	66.70.204.222
Jan 27, 2021 08:31:45.297488928 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:45.297532082 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:45.298389912 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:45.298584938 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:45.300465107 CET	587	49751	66.70.204.222	192.168.2.7
Jan 27, 2021 08:31:45.347937107 CET	49751	587	192.168.2.7	66.70.204.222

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 08:29:55.805435896 CET	58739	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:29:55.861742973 CET	53	58739	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:02.127450943 CET	60338	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:02.178242922 CET	53	60338	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:03.940587997 CET	58717	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:03.991457939 CET	53	58717	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:05.149806023 CET	59762	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:05.207145929 CET	53	59762	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:06.313421011 CET	54329	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:06.363697052 CET	53	54329	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:07.549200058 CET	58052	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:07.597451925 CET	53	58052	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:09.713658094 CET	54008	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:09.769964933 CET	53	54008	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:11.100361109 CET	59451	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:11.148260117 CET	53	59451	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:12.276639938 CET	52914	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:12.324451923 CET	53	52914	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:13.598438025 CET	64569	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:13.657857895 CET	53	64569	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:14.861053944 CET	52816	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:14.922621012 CET	53	52816	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:16.125519991 CET	50781	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:17.155932903 CET	50781	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:18.170857906 CET	53	50781	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:18.180001974 CET	53	50781	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:19.237205029 CET	54230	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:19.285069942 CET	53	54230	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:20.034487009 CET	54911	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:20.085191011 CET	53	54911	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:20.710486889 CET	49958	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:20.768939972 CET	53	49958	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:20.830303907 CET	50860	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:20.878164053 CET	53	50860	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:22.113315105 CET	50452	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:22.163888931 CET	53	50452	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:22.965773106 CET	59730	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:23.024951935 CET	53	59730	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:23.763603926 CET	59310	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:23.811451912 CET	53	59310	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:26.595953941 CET	51919	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:26.646748066 CET	53	51919	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:44.151503086 CET	64296	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:44.212990046 CET	53	64296	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:44.751173019 CET	56680	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:44.807472944 CET	53	56680	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:45.356668949 CET	58820	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:45.415868044 CET	53	58820	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:45.470717907 CET	60983	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:45.541775942 CET	53	60983	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:45.546591997 CET	49247	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:45.594413996 CET	53	49247	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:45.771631956 CET	52286	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:45.819367886 CET	53	52286	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:45.852531910 CET	56064	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:45.912009001 CET	53	56064	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:45.927172899 CET	63744	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:45.979773045 CET	53	63744	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:46.404088020 CET	61457	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:46.455960035 CET	53	61457	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:47.034354925 CET	58367	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:47.083096027 CET	53	58367	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:47.717230082 CET	60599	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:47.765117884 CET	53	60599	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:49.035284996 CET	59571	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:49.083312035 CET	53	59571	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:50.325737953 CET	52689	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:50.375698090 CET	53	52689	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:51.019479036 CET	50290	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:51.067539930 CET	53	50290	8.8.8.8	192.168.2.7
Jan 27, 2021 08:30:52.373521090 CET	60427	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:30:52.431407928 CET	53	60427	8.8.8.8	192.168.2.7
Jan 27, 2021 08:31:30.405361891 CET	56209	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:31:30.456808090 CET	53	56209	8.8.8.8	192.168.2.7
Jan 27, 2021 08:31:42.674546957 CET	59582	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:31:42.744016886 CET	53	59582	8.8.8.8	192.168.2.7
Jan 27, 2021 08:31:42.764156103 CET	60949	53	192.168.2.7	8.8.8.8
Jan 27, 2021 08:31:42.820476055 CET	53	60949	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 08:31:42.674546957 CET	192.168.2.7	8.8.8.8	0x9fdd	Standard query (0)	mail.hybridgroupco.com	A (IP address)	IN (0x0001)
Jan 27, 2021 08:31:42.764156103 CET	192.168.2.7	8.8.8.8	0x98fc	Standard query (0)	mail.hybridgroupco.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 08:31:42.744016886 CET	8.8.8.8	192.168.2.7	0x9fdd	No error (0)	mail.hybridgroupco.com	hybridgroupco.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 08:31:42.744016886 CET	8.8.8.8	192.168.2.7	0x9fdd	No error (0)	hybridgroupco.com		66.70.204.222	A (IP address)	IN (0x0001)
Jan 27, 2021 08:31:42.820476055 CET	8.8.8.8	192.168.2.7	0x98fc	No error (0)	mail.hybridgroupco.com	hybridgroupco.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 08:31:42.820476055 CET	8.8.8.8	192.168.2.7	0x98fc	No error (0)	hybridgroupco.com		66.70.204.222	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2021 08:31:43.383580923 CET	587	49751	66.70.204.222	192.168.2.7	220-server.wlcserver.com ESMTP Exim 4.93 #2 Wed, 27 Jan 2021 11:31:43 +0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 27, 2021 08:31:43.385039091 CET	49751	587	192.168.2.7	66.70.204.222	EHLO 128757
Jan 27, 2021 08:31:43.521696091 CET	587	49751	66.70.204.222	192.168.2.7	250-server.wlcserver.com Hello 128757 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 27, 2021 08:31:43.522202969 CET	49751	587	192.168.2.7	66.70.204.222	STARTTLS
Jan 27, 2021 08:31:43.661992073 CET	587	49751	66.70.204.222	192.168.2.7	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Invoice-3990993.exe PID: 4556 Parent PID: 5724

General

Start time:	08:30:00
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\Invoice-3990993.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Invoice-3990993.exe'
Imagebase:	0x50000
File size:	595968 bytes
MD5 hash:	C240ECB4D6DA455111DCA9256DCD3604
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.230286237.0000000002452000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.230847336.0000000003429000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.230261930.0000000002421000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Invoice-3990993.exe PID: 6228 Parent PID: 4556

General

Start time:	08:30:02
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\Invoice-3990993.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Invoice-3990993.exe
Imagebase:	0xe10000
File size:	595968 bytes
MD5 hash:	C240ECB4D6DA455111DCA9256DCD3604
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.588090737.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.591701413.00000000032C1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Invoice-3990993.exe PID: 4556 Parent PID: 5724 Invoice-3990993.exeCOMMON

Executed Functions

Function 05749060, Relevance: 5.2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

Strings

', xrefs: 057492D9
(, xrefs: 0574932E
#, xrefs: 0574947D
$, xrefs: 057494AA

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID:
String ID: #$$$'$(
API String ID: 0-491393995
Opcode ID: db6f08f73c51d8d08ecce404dcc36412e61481e8843feadb6a36d7a464d43436
Instruction ID: d13014b2fe5d0ad3374a85d5fd96ef3279df71dc1f227fef6f2de00ef6f325ba
Opcode Fuzzy Hash: db6f08f73c51d8d08ecce404dcc36412e61481e8843feadb6a36d7a464d43436
Instruction Fuzzy Hash: C9A103B4D04229CFDB24DF69C848BEAB7B2FB99304F1085EAD209A7240DB745AC5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0574B2C8, Relevance: 1.9, Strings: 1, Instructions: 612COMMON

Download Yara Rule

Strings

$%(l, xrefs: 0574B800

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID:
String ID: $%(l
API String ID: 0-701227175
Opcode ID: 7888cb333a7fe9c5548986e0dbadd367e3cd2f44105dab0da9041493a0df0de3
Instruction ID: ca2d02597cb320d41254bb218c5f3b7c75f9eaeea51b7f3bc490fb9b5ef7560c
Opcode Fuzzy Hash: 7888cb333a7fe9c5548986e0dbadd367e3cd2f44105dab0da9041493a0df0de3
Instruction Fuzzy Hash: 0A329B70B012048FEB25DB69C454BAEB7FAEF88704F158469E14ADB3A1CB35ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05746278, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccf5ccec1bfdf0434e335e4f1b4e76e1a4e60228624339f2bd99ad88c519924
Instruction ID: 9945fbd555353231681c315bb79b52856f7bdb77772000f8f933717bcc606ee9
Opcode Fuzzy Hash: 1ccf5ccec1bfdf0434e335e4f1b4e76e1a4e60228624339f2bd99ad88c519924
Instruction Fuzzy Hash: 3AA1F5B4E042588BDF04CFA9C544AADFBF2EF8A314F208169D419AB345E7359A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0574AAC8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d52066303d136be27c38d175159da441f938f1cb7fbc389182c0d6a10553ef
Instruction ID: a83ac9bc57882a10e295375d8ba560a2c6613df1c344d3baf628d041a9f38001
Opcode Fuzzy Hash: e6d52066303d136be27c38d175159da441f938f1cb7fbc389182c0d6a10553ef
Instruction Fuzzy Hash: DF113C70D442588FDB14CFA5C418BEEBBF2BB4E315F14916AD405B3290CB788984DF68

Uniqueness

Uniqueness Score: -1.00%

Function 057482C8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057484FE

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a37c6058ef0f1839215c61fe1f882506e0f70edacda6704273d71fbd337d3a04
Instruction ID: 56436789d86227d8dcb779c3591018fc5303e7b0ffbe7b3b9e95ea6db07cf330
Opcode Fuzzy Hash: a37c6058ef0f1839215c61fe1f882506e0f70edacda6704273d71fbd337d3a04
Instruction Fuzzy Hash: 5E917D71D0025DDFDB20DF69C890BEEBBB2BF48304F148569E819A7280DB749985DF92

Uniqueness

Uniqueness Score: -1.00%

Function 0086DB23, Relevance: 1.7, APIs: 1, Instructions: 235COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0086DD8A

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 32f98ff596ae7a0828635737ab599ef74903aec994d077591a64352d3f19f3df
Instruction ID: 7edf8092ce537208102d005cb854a103f1242f00714e40e853fe7cde7595b802
Opcode Fuzzy Hash: 32f98ff596ae7a0828635737ab599ef74903aec994d077591a64352d3f19f3df
Instruction Fuzzy Hash: DA917B72C09388DFCB12CFA5C8509DDBFB1FF0A304F1A849AE554AB262D7349949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0086BBC8, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b8c54e730f9d716768925f6015712e024097fa33929ac6566426b18a70868a96
Instruction ID: 061f19cfdb192531ccdeec2ba5434931a02273bd1bf3aa3418952f27e6d68278
Opcode Fuzzy Hash: b8c54e730f9d716768925f6015712e024097fa33929ac6566426b18a70868a96
Instruction Fuzzy Hash: 86711270A00B058FD724DF6AD44175ABBF1FF88308F018A2DE59ADBA40DB75E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0086B20B, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0086DD8A

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 79336383c5969fc88452e57585ae9bddcaabef6d77fa3763e1493b61376a1b98
Instruction ID: 81449b720c1d2a1369137cefba0d34021af0348d6f9ab6266094cbb8b6d48f2b
Opcode Fuzzy Hash: 79336383c5969fc88452e57585ae9bddcaabef6d77fa3763e1493b61376a1b98
Instruction Fuzzy Hash: 9E51E2B1D00349DFDB15CF99C884ADEBBB5FF48314F25812AE419AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0086B214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0086DD8A

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1222e090f90d0c5f0f91d99708c4fce2436c64ebcb44f1ce490aaf067d6b9eb2
Instruction ID: a9c215851e1f9b6bcc940b60a335aca746b482fcc544c4078b423d2f93c3851b
Opcode Fuzzy Hash: 1222e090f90d0c5f0f91d99708c4fce2436c64ebcb44f1ce490aaf067d6b9eb2
Instruction Fuzzy Hash: E351D0B1D0030D9FDB14CF9AC884ADEBBB5FF48314F25822AE819AB210D7749885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0086DC6D, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0086DD8A

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d697e0c1f9b251b9d0c334be190102e974eb49bd181051aee36497e10fa9a7ed
Instruction ID: f50059ebb36b091b233f29426823a1455c0316670e9208ea3a0f7e0ef939038c
Opcode Fuzzy Hash: d697e0c1f9b251b9d0c334be190102e974eb49bd181051aee36497e10fa9a7ed
Instruction Fuzzy Hash: D151D0B1D00349DFDB14CF9AC884ADEBBB1FF48310F25826AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00866D41, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00866D7E,?,?,?,?,?), ref: 00866E3F

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a758ea326df551d48bc1e9959e547d457e66fd1cdbc6088c351e4c3eafaf510
Instruction ID: e9ec20d9329de8cdb468a35d50c87fedb584014aaa6f13912758e625bfae4393
Opcode Fuzzy Hash: 2a758ea326df551d48bc1e9959e547d457e66fd1cdbc6088c351e4c3eafaf510
Instruction Fuzzy Hash: D041477A9002489FCB01CF99D440AEEBBF5FF48310F15846AEA54E7250D7359954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0086DE81, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0086DEA8,?,?,?,?), ref: 0086DF1D

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f10562ffb89e59846a512511858946dfda1215afb19e8ec8dfce482587d03169
Instruction ID: d5d4a6a66f385a588e9da5ea51ac365c86ce20d45cea73a9fd88e995ecf01a8f
Opcode Fuzzy Hash: f10562ffb89e59846a512511858946dfda1215afb19e8ec8dfce482587d03169
Instruction Fuzzy Hash: B42144B6900249DFCB11CFA5D444A9EBBF4FF88324F09855AE558AB211C334A948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05747C40, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05747CD0

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 527e365daa551fb1d9c2590add472da8a79ffc6daa60b74f1b7cc0d43c9aa5fe
Instruction ID: 21c7923d5c3d825c291c441b87d2c0ccfbd50b275565fc7b6b4685dcb97ddf93
Opcode Fuzzy Hash: 527e365daa551fb1d9c2590add472da8a79ffc6daa60b74f1b7cc0d43c9aa5fe
Instruction Fuzzy Hash: E021F5B19043499FCB10CFAAC884BDEBBF5FF48314F108429E959A7240D7789955DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00866924, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00866D7E,?,?,?,?,?), ref: 00866E3F

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fd74bdaa0ae97c34f64deb04541a5459322b30cd04b17fd8b30d46444c69055e
Instruction ID: 917c948b92545a2a4f17c20aa360f6d44156d2bbf1ba2231d7dfd4d5899583f9
Opcode Fuzzy Hash: fd74bdaa0ae97c34f64deb04541a5459322b30cd04b17fd8b30d46444c69055e
Instruction Fuzzy Hash: 4821E5B59003499FDB10CF99D884ADEBBF4FB48314F14845AE914A7310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05747D30, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05747DB0

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ff35254652ab3c3f05deb56b2cb1ef0717c22c91d8f9a839d7bd08293fbc2052
Instruction ID: 1ca43db6ee128cf2fab93898bab1352d271ea9bfcee82469eba8c66baef0c1d4
Opcode Fuzzy Hash: ff35254652ab3c3f05deb56b2cb1ef0717c22c91d8f9a839d7bd08293fbc2052
Instruction Fuzzy Hash: A62116B19003599FCF10CFAAC884BEEBBB5FF48314F108429E559A7240C7389945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05747AA8, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05747B26

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4a310b1821815a60ec0c36e1341582df51b9b03e82faaca312f0c7206c4af3c1
Instruction ID: 3ebf6544c76689da9a4e7f9289e3b39f845a2ab6bed41b49b896e1f6b1eef01b
Opcode Fuzzy Hash: 4a310b1821815a60ec0c36e1341582df51b9b03e82faaca312f0c7206c4af3c1
Instruction Fuzzy Hash: 4D212771D043498FCB10DFAAC4847EEBBF4EF48224F14842AD559A7641DB78A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00866DB0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00866D7E,?,?,?,?,?), ref: 00866E3F

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f8887c61707138b664ec43ec365bd7bb12ee08c2541a1addb19492a06ce15ca9
Instruction ID: c49858b2d4cb1e67101c60fc4def623ecd01abc8f5e5c6decebe87a248cc60e5
Opcode Fuzzy Hash: f8887c61707138b664ec43ec365bd7bb12ee08c2541a1addb19492a06ce15ca9
Instruction Fuzzy Hash: 092100B59003489FCB10CFA9D884AEEBBF5FF48320F14805AE914A3310D379A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0086B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0086BE89,00000800,00000000,00000000), ref: 0086C09A

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9f5be732d63a3928f01b4bfdb176a6a8e8ba7a1054965e03808dd97150a275ae
Instruction ID: 08d7fbce9d6d447d72e8ae480eddc6b9290d22d9df2a63115a0e505a94fd784e
Opcode Fuzzy Hash: 9f5be732d63a3928f01b4bfdb176a6a8e8ba7a1054965e03808dd97150a275ae
Instruction Fuzzy Hash: 321103B6904749CFDB20CF9AC444BAEFBF4FB48314F11852AE559A7200C375A945CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 05747B80, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05747BEE

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9acb1165fda6c35cf976982742a4c49c01b3c9749e535da9cccad1f8c3c28005
Instruction ID: 925e02a828f3c945e30199a4e4f1da4cb8d501b198eb7b20107fdfa56bc470cf
Opcode Fuzzy Hash: 9acb1165fda6c35cf976982742a4c49c01b3c9749e535da9cccad1f8c3c28005
Instruction Fuzzy Hash: F21153729003488BCF10CFAAC844BDFBBF5EF88324F108829E529A7250C735A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0574B230, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0574BA89,?,?), ref: 0574BC30

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d11b4bfd1339d1c7f28756c1eb242a3e25a169c4ce827b3cabb4c4bb5136f7e3
Instruction ID: 95127a7128eff92bea85bae8b46126e38ed96ec06bc8b1d2af897cc57fee7742
Opcode Fuzzy Hash: d11b4bfd1339d1c7f28756c1eb242a3e25a169c4ce827b3cabb4c4bb5136f7e3
Instruction Fuzzy Hash: C51136B58403498FCB20DF99C484BDEBBF4EB48324F108469E569A7340D738A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0086C028, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0086BE89,00000800,00000000,00000000), ref: 0086C09A

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4fa3a4938c1782232a313b9b6877c24a6bd429eb61eb478f30c8b510c8ef6148
Instruction ID: 9680b0c0f87bb01a718d82b67e17020e42c47e4f2255761ea99f32bd2c1eb07b
Opcode Fuzzy Hash: 4fa3a4938c1782232a313b9b6877c24a6bd429eb61eb478f30c8b510c8ef6148
Instruction Fuzzy Hash: E81100B6900209CFCB10CFAAC484BDEFBF5BB48314F11856AD569A7200C379A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0086B080, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0086BBDB), ref: 0086BE0E

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 31f55f79b94bfc6f0124eb04eae38beb87f12dbdaed0ef2eb8bb6d755ff0d6bb
Instruction ID: a58c0e0e0dc94a752be0553d997537028bea62ffec58329997ea940f62eadd37
Opcode Fuzzy Hash: 31f55f79b94bfc6f0124eb04eae38beb87f12dbdaed0ef2eb8bb6d755ff0d6bb
Instruction Fuzzy Hash: 1111F0B59006498FDB10CF9AC444BDEFBF4EF88328F11856AD929A7200D375A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057479F8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05747A5A

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 17de4794f66eb61ec253c90cc18523ecc5725cd5b66bb33bbefc9117f66d6cc5
Instruction ID: 60e0d4e004ecbb91c8e59c60c250a99930e54dc3f367f5ad70628299f7d28a21
Opcode Fuzzy Hash: 17de4794f66eb61ec253c90cc18523ecc5725cd5b66bb33bbefc9117f66d6cc5
Instruction Fuzzy Hash: 5C1136B19043498BCB20DFAAC8447EFFBF4EF88224F148429D569A7640C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05747ED0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0574A50D

Memory Dump Source

Source File: 00000000.00000002.234509282.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: be1205d5df5a9c39dac25f0111711be90285f324f6df10e593e74410b5e6b41b
Instruction ID: 9d2905ffce7669702806f90a2d5e9575320d06bb853bbb303c545826a035dd93
Opcode Fuzzy Hash: be1205d5df5a9c39dac25f0111711be90285f324f6df10e593e74410b5e6b41b
Instruction Fuzzy Hash: 6E1103B58003489FDB10CF9AC488BEEFBF8FB48324F108859E915A7200D374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0086B24C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0086DEA8,?,?,?,?), ref: 0086DF1D

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ffac9fe3964332c312e339889edc8e027036968f2180bdbc0bbaa1f1beec3e2c
Instruction ID: 1f24f8a753284983342b0bc8d083c97c0b8213d876aeee69ebc0c3379479f88e
Opcode Fuzzy Hash: ffac9fe3964332c312e339889edc8e027036968f2180bdbc0bbaa1f1beec3e2c
Instruction Fuzzy Hash: 2511F2B59003489FDB10CF9AD488BDEBBF8FB48324F11855AE925A7340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0069D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.229993182.000000000069D000.00000040.00000001.sdmp, Offset: 0069D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5daa3f45fac3c6c9c7d47038aef9fa1bde6e795a2431197e34f3fef5fadd482
Instruction ID: 9a078e542f3f0d6dfadf1441ffeb5ffdb23d8c264f0fc9bcdfad4407db8dd52f
Opcode Fuzzy Hash: c5daa3f45fac3c6c9c7d47038aef9fa1bde6e795a2431197e34f3fef5fadd482
Instruction Fuzzy Hash: 2D21D0B1508244DFDF14CF24D8C4B26BBAAFB88324F24C579E94A4B746C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0069D006, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.229993182.000000000069D000.00000040.00000001.sdmp, Offset: 0069D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277118dc7f34e7e8213a94a2aab749ddb189ac51c2ad5a61a1339f4b97da957c
Instruction ID: 3e931c01dd4a76c2cdbe05963f7051eb2589af0ad2340df2cc705e024987a5b9
Opcode Fuzzy Hash: 277118dc7f34e7e8213a94a2aab749ddb189ac51c2ad5a61a1339f4b97da957c
Instruction Fuzzy Hash: 4D219F75408380DFCB02CF14D994B15BFB5EB46314F28C5EAD8498B6A6C33AD846CB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0086C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1cc020d9d827c14538abf158ba364609c11838c0d3546891372838fecb3a3b
Instruction ID: aaf5bba6519f5db499102e453049e17787f5b0545e92c01b993938d59ea19f6f
Opcode Fuzzy Hash: ac1cc020d9d827c14538abf158ba364609c11838c0d3546891372838fecb3a3b
Instruction Fuzzy Hash: 2B526BB1502726EFDB10CF16E8D81997BB1FB54318F914A08D161ABAD0D7BC798ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 00869990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.230055404.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e28a98b37516a896ca0d15e130914f09659252ba848f46bf44566321e9b963
Instruction ID: f164471c30e7da98b1abff0d20d65149f39d0d24318610dacee5c2cb275bd9d1
Opcode Fuzzy Hash: 84e28a98b37516a896ca0d15e130914f09659252ba848f46bf44566321e9b963
Instruction Fuzzy Hash: FAA15C32E006198FCF05DFA9C8445DEBBB6FF85304B16856AE906FB261EB35E945CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Invoice-3990993.exe PID: 6228 Parent PID: 4556 Invoice-3990993.exeCOMMON

Executed Functions

Function 00FDCC37, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 596COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32(00000001,00000000,00000000,00000000,?,00000000), ref: 00FDD1CC

Strings

8^,l, xrefs: 00FDCC6E

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: LongWindow
String ID: 8^,l
API String ID: 1378638983-265046581
Opcode ID: 303a73e7c9b9544dc8790d78ece0ddf2f01f012f6ed32baede1e7fd82accb212
Instruction ID: 2b0ef9f2bb6a0d666ce45179ae0c667a549ae8defd2a47e91a6031be758b3329
Opcode Fuzzy Hash: 303a73e7c9b9544dc8790d78ece0ddf2f01f012f6ed32baede1e7fd82accb212
Instruction Fuzzy Hash: 7D329F70E002488FEB24EBA8C5947ADB7A3EF95314F18C16AD409AF386DB74DC85DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FD1ED0, Relevance: 3.7, APIs: 2, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1317e96ae2741b11f3568d0fdc5646dba1b1a865f459874a062aaeb9eea88cd8
Instruction ID: 153361fd592474b9060636e46f532b879a8046f13e1e5e25e04223aba2c1eb0a
Opcode Fuzzy Hash: 1317e96ae2741b11f3568d0fdc5646dba1b1a865f459874a062aaeb9eea88cd8
Instruction Fuzzy Hash: EC42DF30B042458FDB54EBB8D8587AE7BF3AF95314F19846AE405DB395EB34DC068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3EF0, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FD4678

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a030b12b929d1875f5e38204fb55a10253e9cf9590433dbc5b2a954a519170e
Instruction ID: 254e525b2e05628a4cb9b9ec15773ba6d8a4b46d0549c4bf7a076933b5e87887
Opcode Fuzzy Hash: 8a030b12b929d1875f5e38204fb55a10253e9cf9590433dbc5b2a954a519170e
Instruction Fuzzy Hash: FC62F831E007198FCB24EF78C95469DB7B2AF99304F1485AAD54AAB354EF30AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00FD9368, Relevance: 2.2, APIs: 1, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb17584846913a2ec7d1598940d83df2c51e88d0964c0db3790c8289f14d28c
Instruction ID: 4f901792340d617617301eebd9ed6dcec8de1f0332bcd43efd32a5861200e3c9
Opcode Fuzzy Hash: adb17584846913a2ec7d1598940d83df2c51e88d0964c0db3790c8289f14d28c
Instruction Fuzzy Hash: 3042DD30B082458FDB14EBB8D4547AE7BF2AF82304F1984AAD406DB392DB79DC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FD0040, Relevance: 1.9, APIs: 1, Instructions: 391COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD0079

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 35f2bc8eff51b207df98e1ad3869e2a911f7efe506ec447555c229623bf0743a
Instruction ID: 2c17d6d0c4815eb7d7d4948c6c7fe3bfccb637e69c91af146587f9ad94668ef4
Opcode Fuzzy Hash: 35f2bc8eff51b207df98e1ad3869e2a911f7efe506ec447555c229623bf0743a
Instruction Fuzzy Hash: A2D1A071F002195BDB28FB78D85876EB6E3AFD4B14F188439D50AAB384DF349C428B95

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2FB0, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3360
OpenFileMappingA.KERNEL32 ref: 00FD339E

Strings

\, xrefs: 00FD31B3
\, xrefs: 00FD31EE
\, xrefs: 00FD30F9
\, xrefs: 00FD3029

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID: \$\$\$\
API String ID: 1680863896-3238275731
Opcode ID: 26c4f3295ceeac11f98906c4c50b23d28af3aef23a169bd02858ea286d661ff7
Instruction ID: 67f8c4fe3f169f83b11ae4723ddabdc6e5b5f0f54b47f76d0746d55514341ee1
Opcode Fuzzy Hash: 26c4f3295ceeac11f98906c4c50b23d28af3aef23a169bd02858ea286d661ff7
Instruction Fuzzy Hash: 01A1C231F002158FCB14DB78D8547AEB7E2AB88324F28852AD619D7780EF34DD4697E2

Uniqueness

Uniqueness Score: -1.00%

Function 0191691F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 019169A0
GetCurrentThread.KERNEL32 ref: 019169DD
GetCurrentProcess.KERNEL32 ref: 01916A1A
GetCurrentThreadId.KERNEL32 ref: 01916A73

Strings

l, xrefs: 01916922

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: l
API String ID: 2063062207-2517025534
Opcode ID: c1fe431952fc0052b2bc3e407929b17282ce47a45843c4ffda690164a1287cc2
Instruction ID: d9ac1aa44d58909cbe8a6d468490075c73df216a4dd205c33466f7af2aa1e12d
Opcode Fuzzy Hash: c1fe431952fc0052b2bc3e407929b17282ce47a45843c4ffda690164a1287cc2
Instruction Fuzzy Hash: AF5175B09057488FDB14CFAAD988BDEBBF1EF88304F248059E559A7250D7745A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01916940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 019169A0
GetCurrentThread.KERNEL32 ref: 019169DD
GetCurrentProcess.KERNEL32 ref: 01916A1A
GetCurrentThreadId.KERNEL32 ref: 01916A73

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4a900a72b6bde1aec45a9f13c873931a49548f0ab6bc7c2a0772d82e2a2a118a
Instruction ID: cd396b73d9b24f90515296892a16ffe32ebf0f125bb5c35af30b38805792cabd
Opcode Fuzzy Hash: 4a900a72b6bde1aec45a9f13c873931a49548f0ab6bc7c2a0772d82e2a2a118a
Instruction Fuzzy Hash: 0B5140B09007498FDB14CFAAD588BDEBBF1AF88314F208469E519A7250D774A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD4A88, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

Strings

Xc,l, xrefs: 00FD4E4B
Xc,l, xrefs: 00FD4E55

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID:
String ID: Xc,l$Xc,l
API String ID: 0-194007420
Opcode ID: c872ed66317ede64a5923353beec2e12552cb77ce902699683863c0748e9677d
Instruction ID: 69be2cd3679b8ebbccbc478de592a1046919e4ccc67a5d9406f512788772b255
Opcode Fuzzy Hash: c872ed66317ede64a5923353beec2e12552cb77ce902699683863c0748e9677d
Instruction Fuzzy Hash: 2D12DF30B002059FCB15EB78C854BAE7BB3AF88315F19806AE506DB395DB35EC42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB5B8, Relevance: 3.3, APIs: 2, Instructions: 302COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00FDB8E8
OpenFileMappingA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00FDB926

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a2c463735d0794c102e8fa8bd811b87d7f0e6f48945cad9572fb6a65fc3eb1aa
Instruction ID: e6d3fb0511eb37166462116ef30acd829606c4a03617e569b9dd352b8a164a4b
Opcode Fuzzy Hash: a2c463735d0794c102e8fa8bd811b87d7f0e6f48945cad9572fb6a65fc3eb1aa
Instruction Fuzzy Hash: 7DA1AF34F042058FEB25DF78C4547AEB7A3EB89314F2A846AD409DB395DB34DC069B51

Uniqueness

Uniqueness Score: -1.00%

Function 00FD5A98, Relevance: 3.2, APIs: 2, Instructions: 237COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD5D48
OpenFileMappingA.KERNEL32 ref: 00FD5D86

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3528de2b4a9ababd62cdf6d3f058488b9ac41c7921df314d029e93cc0d9fe352
Instruction ID: d54fa4121c494721833abbd5f0b553fda812ac210d3a6e3e93f3396a26f8927f
Opcode Fuzzy Hash: 3528de2b4a9ababd62cdf6d3f058488b9ac41c7921df314d029e93cc0d9fe352
Instruction Fuzzy Hash: B691C130B043058FCB04EBB8D45869EBBF2AF89714F19C5AAD409EB795DB34DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3C50, Relevance: 3.1, APIs: 2, Instructions: 84COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3CE8
OpenFileMappingA.KERNEL32 ref: 00FD3D26

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 064518620ad9165cb11154a575bc0cb708a968ea4e30ecb772f7e1406cf05933
Instruction ID: 2662f1cfa92ea797669843e58960440408848fde5eb57479dabb51da465ffd4e
Opcode Fuzzy Hash: 064518620ad9165cb11154a575bc0cb708a968ea4e30ecb772f7e1406cf05933
Instruction Fuzzy Hash: 7721F831F083558FCB01EBBCD854ADD7BF2AF89210B1684A6D509E7755EA38DC068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3D70, Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3E08
OpenFileMappingA.KERNEL32 ref: 00FD3E46

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: f43e2f8c784bcdc0b570b6162705bd2128ffd293c3e2b723d2574aaa2b318324
Instruction ID: 58ce0171c42b5b6a41417709f162cb28e538581d4133ce13957782479a09722e
Opcode Fuzzy Hash: f43e2f8c784bcdc0b570b6162705bd2128ffd293c3e2b723d2574aaa2b318324
Instruction Fuzzy Hash: E721F630F042458FCB45EB7CD854ADE7BF2EF89210B1584BAD509E7395EB389C0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 00FDBAEA, Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FDBB28
OpenFileMappingA.KERNEL32 ref: 00FDBB66

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: e9bf72dcea95477f7d3fda90b14db691ef4a2afbfa2ba17adc75adffc84880d0
Instruction ID: ef85356e6e55536fc936b1a5d398da48c937991c01057346284e9466d86ab9ee
Opcode Fuzzy Hash: e9bf72dcea95477f7d3fda90b14db691ef4a2afbfa2ba17adc75adffc84880d0
Instruction Fuzzy Hash: 47117C31F002158FCB40EFBCE884A9EB7F2EF8C210721846AD509E7354EB34AD068B94

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB9D0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FDBA08
OpenFileMappingA.KERNEL32 ref: 00FDBA46

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 951546cec5e4da5525af51e431312049bf2ab21814981a15684e9cd2f0437730
Instruction ID: 8ee7c871eb4d607ffadb89cf0dd1a970ebf730d9f42b9c8ba6aab7912a4889e2
Opcode Fuzzy Hash: 951546cec5e4da5525af51e431312049bf2ab21814981a15684e9cd2f0437730
Instruction Fuzzy Hash: 95116135F002158FCB84EFBCD844A9EB7F6FB8C614B508429D909E7354EB34AD068BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB9CA, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FDBA08
OpenFileMappingA.KERNEL32 ref: 00FDBA46

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a4593e86f6625208b32d2049feb5ad2db5ca033ee25d0de35720c70c36634c11
Instruction ID: b8511dd8c2002e4c65957eeeeaf52a367336d3ed8755ae10eb7736013bc160fc
Opcode Fuzzy Hash: a4593e86f6625208b32d2049feb5ad2db5ca033ee25d0de35720c70c36634c11
Instruction Fuzzy Hash: 7C117031F002158FCB84EF7CD844A9EB7F2FB8C214B118469D549E7354EB34AD068B94

Uniqueness

Uniqueness Score: -1.00%

Function 00FDBAF0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FDBB28
OpenFileMappingA.KERNEL32 ref: 00FDBB66

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: f1bcb2a3f5a76a15195525552457b54b51bb527f8bf57a705b6be3170b6a7b64
Instruction ID: 499f617d9b5a772ec56a25ef65223a60f18b948bcd67b30c028c82bc7eae6f7b
Opcode Fuzzy Hash: f1bcb2a3f5a76a15195525552457b54b51bb527f8bf57a705b6be3170b6a7b64
Instruction Fuzzy Hash: 23113C31F002198FCB44EFBCE844A9EB7F6EF8C654B508429D509E7354EB34AD068B94

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3328, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3360
OpenFileMappingA.KERNEL32 ref: 00FD339E

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: d18dc4fb644b3f27edb56109ace07e74dfebf6ffaf4cd642adc35801343cf599
Instruction ID: f30bbbc927381e888a14d0cc6b0997de3683955816f2177e08affb320cb59a7b
Opcode Fuzzy Hash: d18dc4fb644b3f27edb56109ace07e74dfebf6ffaf4cd642adc35801343cf599
Instruction Fuzzy Hash: 71113C71F002158FCB44EBBCE844A9EB7F6FB88624B508429D509E7354EB34AD068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3CB0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3CE8
OpenFileMappingA.KERNEL32 ref: 00FD3D26

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: c91417cbd22b6faa85c18861c821a0ede4d4e1b0252b02b0eff362182c91459f
Instruction ID: 0ab9d327eeb749919a7a6c8b42f6fa483bd9febe29413b9a788df6fea71ecf04
Opcode Fuzzy Hash: c91417cbd22b6faa85c18861c821a0ede4d4e1b0252b02b0eff362182c91459f
Instruction Fuzzy Hash: A3115E35F002198FCB44EFBCE844ADEB7F6FB88614B508429D509E7354EB34AD068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3DD0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3E08
OpenFileMappingA.KERNEL32 ref: 00FD3E46

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 50985ddbdb87f3fb644af8b39ed3fe9faa56a27544facc3bce66b0e9e8c0c30b
Instruction ID: b01621f5ce3470caa6ba8ab8e419a29e13b29da900ddbfbca843632145cd3d78
Opcode Fuzzy Hash: 50985ddbdb87f3fb644af8b39ed3fe9faa56a27544facc3bce66b0e9e8c0c30b
Instruction Fuzzy Hash: 48116D31F002158FCB44EBBCE844A9EB7F6FBCC614B608529D509E7394EB34AD068B95

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2740, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD2778
OpenFileMappingA.KERNEL32 ref: 00FD27B6

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a97b5d4e41105e114428694c234e1dfa37b1c3797a883980cfde203a909bed79
Instruction ID: 4d2eab86187d049ebb9cdc5a0042b2f07551892bf16f4a12482c3554212b8547
Opcode Fuzzy Hash: a97b5d4e41105e114428694c234e1dfa37b1c3797a883980cfde203a909bed79
Instruction Fuzzy Hash: D711A135F002258FCB84EBBCD844AAEB7F6FB8C2107108469D509E3354EF34AD028B94

Uniqueness

Uniqueness Score: -1.00%

Function 01915084, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019151A2

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 850bdebf5fed88a559700a93144947789b3b02890b656b68264782b99564f874
Instruction ID: b37a2d5fd1cb72d9b0fcf639c8f237c30fcf7b5bd646e7d54af62fe5d88a6dd1
Opcode Fuzzy Hash: 850bdebf5fed88a559700a93144947789b3b02890b656b68264782b99564f874
Instruction Fuzzy Hash: F451E2B1D003489FDF15CFA9C884ADEBBB5BF88314F25852AE418AB214D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FDBEC0, Relevance: 1.6, APIs: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00FDBFD4

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4c1c997048f4e5a5edef3746e671e22460a71112e44c87668d04b0d91a1997b5
Instruction ID: f4b513a6c939e21db57cdc866223ecdd9e7c5eb588a43654e3061669602fa009
Opcode Fuzzy Hash: 4c1c997048f4e5a5edef3746e671e22460a71112e44c87668d04b0d91a1997b5
Instruction Fuzzy Hash: E24148B1D04349DFDB10CFA9C588A9EFBF5AF48314F29C16AE408AB351C7759845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01915090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019151A2

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c94c685e49fe80bd225cc0334079d81d38e5bd9e30a76b9c0d8b81ef63fab6ad
Instruction ID: 5357218dd9d58f004979e755edb4b13aebf9b4372212b4e0107017873fe30f82
Opcode Fuzzy Hash: c94c685e49fe80bd225cc0334079d81d38e5bd9e30a76b9c0d8b81ef63fab6ad
Instruction Fuzzy Hash: 7A41D0B1D0034C9FEF15CF99C884ADEBBB5BF88314F25852AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0191779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01917F01

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4a576cb646c8977fd9c5881e400d5a184a4de9459cbdf499c0a571e69946ebd5
Instruction ID: 77bc0231016b6aacca130387acc13222600395f6939f8016528350f0d0b1bd37
Opcode Fuzzy Hash: 4a576cb646c8977fd9c5881e400d5a184a4de9459cbdf499c0a571e69946ebd5
Instruction Fuzzy Hash: 94411BB590030ACFDB14CF99C488A9ABBF5FF88314F148499E519AB325D774A981CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FD5F14, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00FDC241

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 508ed5d22a772a868b306c53c6e1fe200d36e3730dd98ab725659c4f23652654
Instruction ID: 2520221205cbaf8048b387c8d7c4156c8fbb2a7e504f8eea76c20f4fb8392405
Opcode Fuzzy Hash: 508ed5d22a772a868b306c53c6e1fe200d36e3730dd98ab725659c4f23652654
Instruction Fuzzy Hash: 8B31D1B1D00259DFCB20CFDAC884A9EBBF5BF48314F19816AE819AB350D7709945DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC17D, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00FDC241

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 662344397c9b6ae5867bbdda19f0957a6b743c9995657195471d44c0389c1ef3
Instruction ID: 1b06c83d367505181b25a2ac66902982242d5e69e6b206f40d201908e026376c
Opcode Fuzzy Hash: 662344397c9b6ae5867bbdda19f0957a6b743c9995657195471d44c0389c1ef3
Instruction Fuzzy Hash: 3E31E2B1D002599FCB20CFD9C984A8EBBF6BF48314F19856AE819AB350D7709905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FD5F08, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00FDBFD4

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b05ef0496f94e94cf6a8f6fc3c1f583e942888053ec85e61a224a6f555e5bbe6
Instruction ID: 6938e5c46f1b05bdc11b6cce9f744029dac9658909fd04c818e2b4d0f1c6d075
Opcode Fuzzy Hash: b05ef0496f94e94cf6a8f6fc3c1f583e942888053ec85e61a224a6f555e5bbe6
Instruction Fuzzy Hash: 4731E0B1D04249DFCB10CF99C588A8EFBF5AF48314F29816AE409AB341C7B59985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD0006, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD0079

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 666a169c3ebf236e715bb2d3953f59083df06c4d1ca6f42f6bae56705544b189
Instruction ID: 9997a326c76216d8a4f1c6dd5211b948d65603fae6d37a2172c585eea27916c8
Opcode Fuzzy Hash: 666a169c3ebf236e715bb2d3953f59083df06c4d1ca6f42f6bae56705544b189
Instruction Fuzzy Hash: A6119371A0E3804FDB03DB78996525A7FF1DF97100B1940EBC449DB7A2E6345C06C792

Uniqueness

Uniqueness Score: -1.00%

Function 01916B62, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01916BEF

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cf4f2ed8543d46215222e18fcb98014556f0491e13ac93142f788b9c903b1c78
Instruction ID: ebb6299114b9799d04d7388e84cd1b877f236aa8a64b9f34257c6b5344e90b00
Opcode Fuzzy Hash: cf4f2ed8543d46215222e18fcb98014556f0491e13ac93142f788b9c903b1c78
Instruction Fuzzy Hash: 3721E4B5D002499FDB10CFA9D984AEEBBF4FF48314F14846AE918A7310D374AA54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01916B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01916BEF

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c31b65eebda5de6fd328a46a848e788d35913d10ef88e4e7ab19f7fab19f563f
Instruction ID: 27d82b46b6299dfd9f412a5fe7631696f8088315eced36602bf031db68926aaf
Opcode Fuzzy Hash: c31b65eebda5de6fd328a46a848e788d35913d10ef88e4e7ab19f7fab19f563f
Instruction Fuzzy Hash: E021B3B5D002499FDB10CF99D984ADEBBF8FB48324F14846AE918A7250D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017965F4, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,01797819,00000800), ref: 017978AA

Memory Dump Source

Source File: 00000002.00000002.590850367.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b1ed2aa248c0aea0b49df28c313def80794bad8003443c967788be7e2f9c4760
Instruction ID: 331421538f9f09d68417a53bf438a72cd06e6b51703f18ba86ddc071036af653
Opcode Fuzzy Hash: b1ed2aa248c0aea0b49df28c313def80794bad8003443c967788be7e2f9c4760
Instruction Fuzzy Hash: 2C1117B2D143099FDB14CF9AD844BDEFBF4EB48314F14846AE515AB200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01797839, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,01797819,00000800), ref: 017978AA

Memory Dump Source

Source File: 00000002.00000002.590850367.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b2d0f99ed482b23020fa39f9231d7fb241306b269f3ec05c59ea92bce3aae5e4
Instruction ID: cd6da2817237a5a0e936c0846faf97317bd12aaaec7de9bdc8c5ccec8f7523ed
Opcode Fuzzy Hash: b2d0f99ed482b23020fa39f9231d7fb241306b269f3ec05c59ea92bce3aae5e4
Instruction Fuzzy Hash: FF1147B6C003499FDB14CFAAD844BDEFBF4AF88314F14846AD515AB200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0191C198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0191C212

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bba82edc6c502ce89e58bac4298fe228f784cef93bca60983565ff4dce0d6039
Instruction ID: bdca779008b40705ee57a1454d7386d1371d7bed98ac976a3d064f190aa93136
Opcode Fuzzy Hash: bba82edc6c502ce89e58bac4298fe228f784cef93bca60983565ff4dce0d6039
Instruction Fuzzy Hash: C21167719403088FDB20DFA9D54879EBBF8FB48354F208829D409E7604D778AA84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD9A48, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FD9A89

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8768127d3c77f6e742844f9cf6d72a4e7b73a3e69f51246fa716dfce3ff7298c
Instruction ID: 742752995f5f9d97b92a61064b08544443f3879e54e34c2c46aa9b9a578f3b44
Opcode Fuzzy Hash: 8768127d3c77f6e742844f9cf6d72a4e7b73a3e69f51246fa716dfce3ff7298c
Instruction Fuzzy Hash: B1111970A14219DFCB14EFA9D588BADBBB2FF84314F148529D401AB354DB76A886CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01913300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01914116

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 173b9c6ce16a418d6db7383858f8be4b43ffc572710a71739fcdf025d85821bd
Instruction ID: 1285b640d5cb49b77f30ee29800471f6e357e782658831fcf02003b02534b86a
Opcode Fuzzy Hash: 173b9c6ce16a418d6db7383858f8be4b43ffc572710a71739fcdf025d85821bd
Instruction Fuzzy Hash: DB11F3B59007498BDB20DF9AC444BDEFBF4EB49314F10846AD929B7200D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019140AC, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01914116

Memory Dump Source

Source File: 00000002.00000002.590923267.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a49954d3fd60b38552c66daf8e7b75f0ca4136205de6314faa45e5090c5f3087
Instruction ID: 2073f961eec287b86d5f739072603996e5b51112ffb7cae8334044a825c301bf
Opcode Fuzzy Hash: a49954d3fd60b38552c66daf8e7b75f0ca4136205de6314faa45e5090c5f3087
Instruction Fuzzy Hash: 6F11D2B6D006498FDB10CF9AD544BDEFBF4AF88314F15856AD429B7600C378A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0179A3E8, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0179B355

Memory Dump Source

Source File: 00000002.00000002.590850367.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7381c93da240ca5dd8235238a59d319e180933c866d0abd56ac92a80d0acdd42
Instruction ID: 67f8bd32f5d96829f268f74568156ab25c69ab5c0b36b2cea101d391028f3625
Opcode Fuzzy Hash: 7381c93da240ca5dd8235238a59d319e180933c866d0abd56ac92a80d0acdd42
Instruction Fuzzy Hash: 661103B19047498FCB20DF99E489B9EFBF4EB48224F248469D519A7200D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0179B2F8, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0179B355

Memory Dump Source

Source File: 00000002.00000002.590850367.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a9fa3971c1d0aab80decb70e703c482259dc5b3d7adf96cc51f39f1c5b96f209
Instruction ID: 117e7175df5441377a8b9c62d88457cc58870c78b525c834adb5a8cf7b88bfdc
Opcode Fuzzy Hash: a9fa3971c1d0aab80decb70e703c482259dc5b3d7adf96cc51f39f1c5b96f209
Instruction Fuzzy Hash: EF1115B1904749DFCB20DF9AD489BCEFBF4EB48324F248469E519A7200C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB90F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00FDB926

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 603905f23f86c6cfd4fe8f9073c7a9f3213943a8b9ad628a7436536418590548
Instruction ID: a43b00f013fd7969e6298e5f38a7d69b64d53698d9dfc03d78d7384892926aaf
Opcode Fuzzy Hash: 603905f23f86c6cfd4fe8f9073c7a9f3213943a8b9ad628a7436536418590548
Instruction Fuzzy Hash: BEE06D35B001198BCF04EBBCE8548DCB3F2FBD8225B108060D90AE3358DE249C058B66

Uniqueness

Uniqueness Score: -1.00%

Function 00FDBA2F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FDBA46

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 46d72ee6e6e007275af9b5ec09496b28880f4dd864967da35e8104a971b44b5e
Instruction ID: e7eab8c5b5c4ab28381dc365271d9f5a5e53329360cc9eb507f08cefd2364f39
Opcode Fuzzy Hash: 46d72ee6e6e007275af9b5ec09496b28880f4dd864967da35e8104a971b44b5e
Instruction Fuzzy Hash: 43E06D35B001198B8F44EBBCE8548DCB3E2FBC8229B108060D909E3358DE249C058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3387, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD339E

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 0b22d25dcdf72ef53fc0b4bfe968f4743e45f1337b0f92bc8b5dc49e04de511e
Instruction ID: 85cd16abba1daccffae3ff74e6340b8bbd56326dc55b6e315a8036da16ab225a
Opcode Fuzzy Hash: 0b22d25dcdf72ef53fc0b4bfe968f4743e45f1337b0f92bc8b5dc49e04de511e
Instruction Fuzzy Hash: 6CE06D36B001198B8F44EBBCE4548DCB3F2FBC8225B108060D909E3358DE34AD058B62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDBB4F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FDBB66

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 152d364308a94ee5c78433267cd6ce0f352ed10763534867e6503034e73ec055
Instruction ID: 0c6d17056e5ebbc56619206a925bc468d4819f31734c0e4066cdacfe7e99de26
Opcode Fuzzy Hash: 152d364308a94ee5c78433267cd6ce0f352ed10763534867e6503034e73ec055
Instruction Fuzzy Hash: BFE06536B001198B8F04FBBCE8549DDB3E2FFCC229B108061D90AE3358DE24AC058B62

Uniqueness

Uniqueness Score: -1.00%

Function 00FD5D6F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD5D86

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: fab173739888c5bcb4dcb9c8b9ead07287de22cfa7ef020a6f2f12dbf7019e30
Instruction ID: ebcb311796a5329f49613baed7a336ac33740d3a21501990ecea481cc0565ff6
Opcode Fuzzy Hash: fab173739888c5bcb4dcb9c8b9ead07287de22cfa7ef020a6f2f12dbf7019e30
Instruction Fuzzy Hash: 7AE06D35B001198B8F04F7BCE4549DCB3E2BBC8229B148060D909E7358DE349C058B65

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3D0F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3D26

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: e8c2bb1f8363569790711b4e87ed9dbf2606d49665f94a31be15be21a20df18c
Instruction ID: 84b22866a2db17e650dac612386dd0e089159421309926ec30d2c742fa5fc2c0
Opcode Fuzzy Hash: e8c2bb1f8363569790711b4e87ed9dbf2606d49665f94a31be15be21a20df18c
Instruction Fuzzy Hash: 95E06D35B101198B8F04EBBCE8549DCB3E2FBC8225B108061D909E3358DE349C058B66

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3E2F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD3E46

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 653f7a1291c35a78c25e3881ced234796f5541bae57fbb2798b66a7cc77173ef
Instruction ID: 42bd390b7970d541fa117405eb6a242e7dc13776acbe09035cdcbb79d836cee5
Opcode Fuzzy Hash: 653f7a1291c35a78c25e3881ced234796f5541bae57fbb2798b66a7cc77173ef
Instruction Fuzzy Hash: E9E06D35F001198B8F04E7BCE8548DCB3E2FBC8219B108064D909E3398DE249D058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FD279F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00FD27B6

Memory Dump Source

Source File: 00000002.00000002.588822582.0000000000FD0000.00000040.00000001.sdmp, Offset: 00FD0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: e90e56ea9640bb822f90de6789be5d43fc27293b5e00f834d110dc27740ca57f
Instruction ID: 37ef986d47093d088bd64d1752edd176165b58f036f2ee19f986a58aadec1a11
Opcode Fuzzy Hash: e90e56ea9640bb822f90de6789be5d43fc27293b5e00f834d110dc27740ca57f
Instruction Fuzzy Hash: FBE0ED35B001298B8F44E7BCE4549DDB3E2FBDC225B148065D909E7358DE249D058B61

Uniqueness

Uniqueness Score: -1.00%

Function 0149D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.589952611.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0795cd3b48ece1b5dd95685a8a4ff7953dff023e3a33c68425948a3d2dcba896
Instruction ID: 8e347403c1ba86c98b2cba609848412e90dca35edfcc6c723abc511995bb646d
Opcode Fuzzy Hash: 0795cd3b48ece1b5dd95685a8a4ff7953dff023e3a33c68425948a3d2dcba896
Instruction Fuzzy Hash: DF2100B1908240DFDF15CF64D8C4B26BFA1FB88258F24C56AE90A4B356C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0149D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.589952611.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dc604801af40c9a4441f49ba0953567c84a007a2987e2c80407104282520de
Instruction ID: 97ff2b0fb0dbe017d093c69a46ab7d64fa058e1f4013ab3ff9886d630a1cf55c
Opcode Fuzzy Hash: d1dc604801af40c9a4441f49ba0953567c84a007a2987e2c80407104282520de
Instruction Fuzzy Hash: BA2192755093C08FDB03CF24D994B16BF71EB46214F28C5DBD8498B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Invoice-3990993.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre