Loading... Additional Content is being loaded
Analysis Report v8iFmF7XPp
Overview
General Information
| Sample Name: | v8iFmF7XPp (renamed file extension from none to dll) |
| Analysis ID: | 386403 |
| MD5: | 57c45087c4228b685f2ba1739033aa52 |
| SHA1: | 0dfcdc6a288fe0792363b55cfa0009343239f7e7 |
| SHA256: | 0ef921657a9c7d429c65e2a5b74a235b75b3f14d1a0781bc5b174472913c2902 |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Emotet
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
AV Detection: |
  |
|---|
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Multi AV Scanner detection for dropped file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Metadefender: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Multi AV Scanner detection for submitted file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Metadefender: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Machine Learning detection for sample |
| Source: |
Joe Sandbox ML: |
||
Cryptography: |
|
|---|
| Uses Microsoft's Enhanced Cryptographic Provider |
| Source: |
Code function: |
21_2_70332180 | |
| Source: |
Code function: |
21_2_70335700 | |
Compliance: |
|
|---|
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Source: |
Code function: |
21_2_70348C1D | |
Networking: |
|
|---|
| C2 URLs / IPs found in malware configuration |
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Connects to several IPs in different countries |
| Source: |
Network traffic detected: |
||
| IP address seen in connection with other malware |
| Source: |
IP Address: |
||
| Source: |
IP Address: |
||
| Internet Provider seen in connection with other malware |
| Source: |
ASN Name: |
||
| Source: |
ASN Name: |
||
| Source: |
ASN Name: |
||
| Uses a known web browser user agent for HTTP communication |
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
E-Banking Fraud: |
|
|---|
| Yara detected Emotet |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
System Summary: |
|
|---|
| Contains functionality to delete services |
| Source: |
Code function: |
21_2_70335CE0 | |
| Creates files inside the system directory |
| Source: |
File created: |
Jump to behavior | ||
| Deletes files inside the Windows folder |
| Source: |
File deleted: |
Jump to behavior | ||
| Detected potential crypto function |
| Source: |
Code function: |
3_2_100180F1 | |
| Source: |
Code function: |
3_2_10016156 | |
| Source: |
Code function: |
3_2_100129C7 | |
| Source: |
Code function: |
3_2_10013270 | |
| Source: |
Code function: |
3_2_10013A9C | |
| Source: |
Code function: |
3_2_100172D6 | |
| Source: |
Code function: |
3_2_10016BDE | |
| Source: |
Code function: |
3_2_1000D3FF | |
| Source: |
Code function: |
3_2_1001367C | |
| Source: |
Code function: |
3_2_1001669A | |
| Source: |
Code function: |
3_2_10012E9C | |
| Source: |
Code function: |
3_2_04416C05 | |
| Source: |
Code function: |
3_2_04428978 | |
| Source: |
Code function: |
3_2_04414121 | |
| Source: |
Code function: |
3_2_0442C19B | |
| Source: |
Code function: |
3_2_04424DAD | |
| Source: |
Code function: |
3_2_04416E8A | |
| Source: |
Code function: |
3_2_0441E360 | |
| Source: |
Code function: |
3_2_0441FB04 | |
| Source: |
Code function: |
3_2_04419716 | |
| Source: |
Code function: |
3_2_0442533C | |
| Source: |
Code function: |
3_2_0442A7E4 | |
| Source: |
Code function: |
3_2_044183F0 | |
| Source: |
Code function: |
3_2_0441D04B | |
| Source: |
Code function: |
3_2_0441884A | |
| Source: |
Code function: |
3_2_04425060 | |
| Source: |
Code function: |
3_2_04420C65 | |
| Source: |
Code function: |
3_2_0441F471 | |
| Source: |
Code function: |
3_2_04421C79 | |
| Source: |
Code function: |
3_2_04414828 | |
| Source: |
Code function: |
3_2_044268CB | |
| Source: |
Code function: |
3_2_0441B0E1 | |
| Source: |
Code function: |
3_2_0442D08F | |
| Source: |
Code function: |
3_2_0442A094 | |
| Source: |
Code function: |
3_2_0441F099 | |
| Source: |
Code function: |
3_2_0441C8A5 | |
| Source: |
Code function: |
3_2_0442C95E | |
| Source: |
Code function: |
3_2_04414D5F | |
| Source: |
Code function: |
3_2_04415D0E | |
| Source: |
Code function: |
3_2_04422513 | |
| Source: |
Code function: |
3_2_0441E924 | |
| Source: |
Code function: |
3_2_0441792C | |
| Source: |
Code function: |
3_2_04425D36 | |
| Source: |
Code function: |
3_2_044239E1 | |
| Source: |
Code function: |
3_2_04418994 | |
| Source: |
Code function: |
3_2_0442B19F | |
| Source: |
Code function: |
3_2_044181A0 | |
| Source: |
Code function: |
3_2_044159B8 | |
| Source: |
Code function: |
3_2_04427A50 | |
| Source: |
Code function: |
3_2_0441D668 | |
| Source: |
Code function: |
3_2_0441766F | |
| Source: |
Code function: |
3_2_0441427A | |
| Source: |
Code function: |
3_2_04428E79 | |
| Source: |
Code function: |
3_2_04422A7D | |
| Source: |
Code function: |
3_2_04411600 | |
| Source: |
Code function: |
3_2_04423600 | |
| Source: |
Code function: |
3_2_04413618 | |
| Source: |
Code function: |
3_2_0441DEC9 | |
| Source: |
Code function: |
3_2_0441D2CE | |
| Source: |
Code function: |
3_2_044212D1 | |
| Source: |
Code function: |
3_2_044276D5 | |
| Source: |
Code function: |
3_2_04429AE2 | |
| Source: |
Code function: |
3_2_04417AE4 | |
| Source: |
Code function: |
3_2_0442A2EA | |
| Source: |
Code function: |
3_2_04420EA0 | |
| Source: |
Code function: |
3_2_044272AE | |
| Source: |
Code function: |
3_2_044112B6 | |
| Source: |
Code function: |
3_2_04416ABA | |
| Source: |
Code function: |
3_2_04416342 | |
| Source: |
Code function: |
3_2_04412746 | |
| Source: |
Code function: |
3_2_04423745 | |
| Source: |
Code function: |
3_2_04425748 | |
| Source: |
Code function: |
3_2_04418F55 | |
| Source: |
Code function: |
3_2_0441DB5B | |
| Source: |
Code function: |
3_2_04425B60 | |
| Source: |
Code function: |
3_2_04420705 | |
| Source: |
Code function: |
3_2_04428313 | |
| Source: |
Code function: |
3_2_0441BB28 | |
| Source: |
Code function: |
3_2_0441C3C2 | |
| Source: |
Code function: |
3_2_044133F4 | |
| Source: |
Code function: |
3_2_0441B7F8 | |
| Source: |
Code function: |
3_2_0441EF80 | |
| Source: |
Code function: |
3_2_04413B97 | |
| Source: |
Code function: |
3_2_0441B3A2 | |
| Source: |
Code function: |
3_2_04413FAB | |
| Source: |
Code function: |
3_2_044167AC | |
| Source: |
Code function: |
3_2_0442CBB0 | |
| Source: |
Code function: |
3_2_0441FFB5 | |
| Source: |
Code function: |
21_2_050F457F | |
| Source: |
Code function: |
21_2_050EED71 | |
| Source: |
Code function: |
21_2_050F53C0 | |
| Source: |
Code function: |
21_2_050ECDD8 | |
| Source: |
Code function: |
21_2_050E542D | |
| Source: |
Code function: |
21_2_050F9C76 | |
| Source: |
Code function: |
21_2_050F8684 | |
| Source: |
Code function: |
21_2_050EE2BE | |
| Source: |
Code function: |
21_2_050E80E3 | |
| Source: |
Code function: |
21_2_050F030B | |
| Source: |
Code function: |
21_2_050E7D07 | |
| Source: |
Code function: |
21_2_050EF100 | |
| Source: |
Code function: |
21_2_050E8F1B | |
| Source: |
Code function: |
21_2_050E2B2B | |
| Source: |
Code function: |
21_2_050E1D2B | |
| Source: |
Code function: |
21_2_050EAB26 | |
| Source: |
Code function: |
21_2_050E773B | |
| Source: |
Code function: |
21_2_050F2938 | |
| Source: |
Code function: |
21_2_050E4F4C | |
| Source: |
Code function: |
21_2_050E7547 | |
| Source: |
Code function: |
21_2_050F9B59 | |
| Source: |
Code function: |
21_2_050EBD6C | |
| Source: |
Code function: |
21_2_050EF96A | |
| Source: |
Code function: |
21_2_050ED77E | |
| Source: |
Code function: |
21_2_050E918D | |
| Source: |
Code function: |
21_2_050EDB9E | |
| Source: |
Code function: |
21_2_050EB394 | |
| Source: |
Code function: |
21_2_050FABAE | |
| Source: |
Code function: |
21_2_050E2FA7 | |
| Source: |
Code function: |
21_2_050E43BC | |
| Source: |
Code function: |
21_2_050EF3B2 | |
| Source: |
Code function: |
21_2_050ECBB1 | |
| Source: |
Code function: |
21_2_050E83CE | |
| Source: |
Code function: |
21_2_050F19CB | |
| Source: |
Code function: |
21_2_050F83C9 | |
| Source: |
Code function: |
21_2_050F9DC4 | |
| Source: |
Code function: |
21_2_050E5FD2 | |
| Source: |
Code function: |
21_2_050F49EF | |
| Source: |
Code function: |
21_2_050F8FE8 | |
| Source: |
Code function: |
21_2_050E69FD | |
| Source: |
Code function: |
21_2_050E13FB | |
| Source: |
Code function: |
21_2_050E17FB | |
| Source: |
Code function: |
21_2_050EBFF4 | |
| Source: |
Code function: |
21_2_050EA7F1 | |
| Source: |
Code function: |
21_2_050F300F | |
| Source: |
Code function: |
21_2_050E7E0C | |
| Source: |
Code function: |
21_2_050ED405 | |
| Source: |
Code function: |
21_2_050E3A00 | |
| Source: |
Code function: |
21_2_050F961A | |
| Source: |
Code function: |
21_2_050F2422 | |
| Source: |
Code function: |
21_2_050F0820 | |
| Source: |
Code function: |
21_2_050EC232 | |
| Source: |
Code function: |
21_2_050F0E49 | |
| Source: |
Code function: |
21_2_050E6248 | |
| Source: |
Code function: |
21_2_050EA05D | |
| Source: |
Code function: |
21_2_050F4C55 | |
| Source: |
Code function: |
21_2_050F346E | |
| Source: |
Code function: |
21_2_050F066A | |
| Source: |
Code function: |
21_2_050EEA68 | |
| Source: |
Code function: |
21_2_050E5A60 | |
| Source: |
Code function: |
21_2_050E3C7E | |
| Source: |
Code function: |
21_2_050F9A7E | |
| Source: |
Code function: |
21_2_050FB07B | |
| Source: |
Code function: |
21_2_050F3689 | |
| Source: |
Code function: |
21_2_050E7A87 | |
| Source: |
Code function: |
21_2_050E4685 | |
| Source: |
Code function: |
21_2_050F7083 | |
| Source: |
Code function: |
21_2_050F229F | |
| Source: |
Code function: |
21_2_050F2C97 | |
| Source: |
Code function: |
21_2_050E2290 | |
| Source: |
Code function: |
21_2_050E40AB | |
| Source: |
Code function: |
21_2_050F12A3 | |
| Source: |
Code function: |
21_2_050FA6B2 | |
| Source: |
Code function: |
21_2_050EFEC2 | |
| Source: |
Code function: |
21_2_050E64D8 | |
| Source: |
Code function: |
21_2_050F38D2 | |
| Source: |
Code function: |
21_2_050EF6E3 | |
| Source: |
Code function: |
21_2_70331CE0 | |
| Source: |
Code function: |
21_2_7033A00B | |
| Source: |
Code function: |
21_2_70336987 | |
| Source: |
Code function: |
21_2_70339A89 | |
| Source: |
Code function: |
21_2_70347329 | |
| Source: |
Code function: |
21_2_70346B72 | |
| Source: |
Code function: |
21_2_7033A392 | |
| Source: |
Code function: |
21_2_703393C0 | |
| Source: |
Code function: |
21_2_7033946D | |
| Source: |
Code function: |
21_2_70339D50 | |
| Source: |
Code function: |
21_2_703397DF | |
| Source: |
Code function: |
24_2_04559C76 | |
| Source: |
Code function: |
24_2_0454542D | |
| Source: |
Code function: |
24_2_045480E3 | |
| Source: |
Code function: |
24_2_04558684 | |
| Source: |
Code function: |
24_2_0454E2BE | |
| Source: |
Code function: |
24_2_0454ED71 | |
| Source: |
Code function: |
24_2_0454D77E | |
| Source: |
Code function: |
24_2_0455457F | |
| Source: |
Code function: |
24_2_04547D07 | |
| Source: |
Code function: |
24_2_04542B2B | |
| Source: |
Code function: |
24_2_0454CDD8 | |
| Source: |
Code function: |
24_2_045553C0 | |
| Source: |
Code function: |
24_2_045483CE | |
| Source: |
Code function: |
24_2_04554C55 | |
| Source: |
Code function: |
24_2_0454A05D | |
| Source: |
Code function: |
24_2_04550E49 | |
| Source: |
Code function: |
24_2_04546248 | |
| Source: |
Code function: |
24_2_04543C7E | |
| Source: |
Code function: |
24_2_04559A7E | |
| Source: |
Code function: |
24_2_0455B07B | |
| Source: |
Code function: |
24_2_04545A60 | |
| Source: |
Code function: |
24_2_0455346E | |
| Source: |
Code function: |
24_2_0454EA68 | |
| Source: |
Code function: |
24_2_0455066A | |
| Source: |
Code function: |
24_2_0455961A | |
| Source: |
Code function: |
24_2_0454D405 | |
| Source: |
Code function: |
24_2_04543A00 | |
| Source: |
Code function: |
24_2_04547E0C | |
| Source: |
Code function: |
24_2_0455300F | |
| Source: |
Code function: |
24_2_0454C232 | |
| Source: |
Code function: |
24_2_04550820 | |
| Source: |
Code function: |
24_2_04552422 | |
| Source: |
Code function: |
24_2_045538D2 | |
| Source: |
Code function: |
24_2_045464D8 | |
| Source: |
Code function: |
24_2_0454FEC2 | |
| Source: |
Code function: |
24_2_0454F6E3 | |
| Source: |
Code function: |
24_2_04552C97 | |
| Source: |
Code function: |
24_2_04542290 | |
| Source: |
Code function: |
24_2_0455229F | |
| Source: |
Code function: |
24_2_04544685 | |
| Source: |
Code function: |
24_2_04547A87 | |
| Source: |
Code function: |
24_2_04557083 | |
| Source: |
Code function: |
24_2_04553689 | |
| Source: |
Code function: |
24_2_0455A6B2 | |
| Source: |
Code function: |
24_2_045512A3 | |
| Source: |
Code function: |
24_2_045440AB | |
| Source: |
Code function: |
24_2_04559B59 | |
| Source: |
Code function: |
24_2_04547547 | |
| Source: |
Code function: |
24_2_04544F4C | |
| Source: |
Code function: |
24_2_0454BD6C | |
| Source: |
Code function: |
24_2_0454F96A | |
| Source: |
Code function: |
24_2_04548F1B | |
| Source: |
Code function: |
24_2_0454F100 | |
| Source: |
Code function: |
24_2_0455030B | |
| Source: |
Code function: |
24_2_04552938 | |
| Source: |
Code function: |
24_2_0454773B | |
| Source: |
Code function: |
24_2_0454AB26 | |
| Source: |
Code function: |
24_2_04541D2B | |
| Source: |
Code function: |
24_2_04545FD2 | |
| Source: |
Code function: |
24_2_04559DC4 | |
| Source: |
Code function: |
24_2_045583C9 | |
| Source: |
Code function: |
24_2_045519CB | |
| Source: |
Code function: |
24_2_0454BFF4 | |
| Source: |
Code function: |
24_2_0454A7F1 | |
| Source: |
Code function: |
24_2_045469FD | |
| Source: |
Code function: |
24_2_045413FB | |
| Source: |
Code function: |
24_2_045417FB | |
| Source: |
Code function: |
24_2_045549EF | |
| Source: |
Code function: |
24_2_04558FE8 | |
| Source: |
Code function: |
24_2_0454B394 | |
| Source: |
Code function: |
24_2_0454DB9E | |
| Source: |
Code function: |
24_2_0454918D | |
| Source: |
Code function: |
24_2_0454CBB1 | |
| Source: |
Code function: |
24_2_0454F3B2 | |
| Source: |
Code function: |
24_2_045443BC | |
| Source: |
Code function: |
24_2_04542FA7 | |
| Source: |
Code function: |
24_2_0455ABAE | |
| Source: |
Code function: |
24_2_0453405A | |
| Source: |
Code function: |
24_2_0452945C | |
| Source: |
Code function: |
24_2_0453024E | |
| Source: |
Code function: |
24_2_0452564C | |
| Source: |
Code function: |
24_2_0452564D | |
| Source: |
Code function: |
24_2_04532873 | |
| Source: |
Code function: |
24_2_0453907B | |
| Source: |
Code function: |
24_2_04524E65 | |
| Source: |
Code function: |
24_2_0452FA6F | |
| Source: |
Code function: |
24_2_0452DE6D | |
| Source: |
Code function: |
24_2_04527211 | |
| Source: |
Code function: |
24_2_04532414 | |
| Source: |
Code function: |
24_2_04538A1F | |
| Source: |
Code function: |
24_2_04525E02 | |
| Source: |
Code function: |
24_2_04520C00 | |
| Source: |
Code function: |
24_2_04522E05 | |
| Source: |
Code function: |
24_2_0452C80A | |
| Source: |
Code function: |
24_2_04524832 | |
| Source: |
Code function: |
24_2_0452B637 | |
| Source: |
Code function: |
24_2_04531827 | |
| Source: |
Code function: |
24_2_0452FC25 | |
| Source: |
Code function: |
24_2_04532CD7 | |
| Source: |
Code function: |
24_2_045258D6 | |
| Source: |
Code function: |
24_2_045258DD | |
| Source: |
Code function: |
24_2_0452D6C3 | |
| Source: |
Code function: |
24_2_0452F2C7 | |
| Source: |
Code function: |
24_2_045274E8 | |
| Source: |
Code function: |
24_2_0452EAE8 | |
| Source: |
Code function: |
24_2_04521695 | |
| Source: |
Code function: |
24_2_0453209C | |
| Source: |
Code function: |
24_2_04538E83 | |
| Source: |
Code function: |
24_2_04523083 | |
| Source: |
Code function: |
24_2_0453A480 | |
| Source: |
Code function: |
24_2_04523A8A | |
| Source: |
Code function: |
24_2_04537A89 | |
| Source: |
Code function: |
24_2_04536488 | |
| Source: |
Code function: |
24_2_04532A8E | |
| Source: |
Code function: |
24_2_04526E8C | |
| Source: |
Code function: |
24_2_045234B0 | |
| Source: |
Code function: |
24_2_04539AB7 | |
| Source: |
Code function: |
24_2_045316A4 | |
| Source: |
Code function: |
24_2_045306A8 | |
| Source: |
Code function: |
24_2_04524351 | |
| Source: |
Code function: |
24_2_04538F5E | |
| Source: |
Code function: |
24_2_04526B40 | |
| Source: |
Code function: |
24_2_0452694C | |
| Source: |
Code function: |
24_2_0452B171 | |
| Source: |
Code function: |
24_2_0452E176 | |
| Source: |
Code function: |
24_2_0452F710 | |
| Source: |
Code function: |
24_2_0452E505 | |
| Source: |
Code function: |
24_2_0452710C | |
| Source: |
Code function: |
24_2_04521130 | |
| Source: |
Code function: |
24_2_04521F30 | |
| Source: |
Code function: |
24_2_04531D3D | |
| Source: |
Code function: |
24_2_04528320 | |
| Source: |
Code function: |
24_2_045277D3 | |
| Source: |
Code function: |
24_2_045253D7 | |
| Source: |
Code function: |
24_2_045237C1 | |
| Source: |
Code function: |
24_2_045391C9 | |
| Source: |
Code function: |
24_2_045377CE | |
| Source: |
Code function: |
24_2_04529BF6 | |
| Source: |
Code function: |
24_2_04533DF4 | |
| Source: |
Code function: |
24_2_0452B3F9 | |
| Source: |
Code function: |
24_2_045383ED | |
| Source: |
Code function: |
24_2_0452A799 | |
| Source: |
Code function: |
24_2_0452CB83 | |
| Source: |
Code function: |
24_2_04533984 | |
| Source: |
Code function: |
24_2_04539FB3 | |
| Source: |
Code function: |
24_2_0452BFB6 | |
| Source: |
Code function: |
24_2_0452E7B7 | |
| Source: |
Code function: |
24_2_0452CFA3 | |
| Source: |
Code function: |
24_2_045223AC | |
| Source: |
Code function: |
25_2_045A9C76 | |
| Source: |
Code function: |
25_2_0459542D | |
| Source: |
Code function: |
25_2_045980E3 | |
| Source: |
Code function: |
25_2_0459E2BE | |
| Source: |
Code function: |
25_2_045A457F | |
| Source: |
Code function: |
25_2_0459D77E | |
| Source: |
Code function: |
25_2_0459ED71 | |
| Source: |
Code function: |
25_2_04597D07 | |
| Source: |
Code function: |
25_2_04592B2B | |
| Source: |
Code function: |
25_2_0459CDD8 | |
| Source: |
Code function: |
25_2_045983CE | |
| Source: |
Code function: |
25_2_045A53C0 | |
| Source: |
Code function: |
25_2_0459A05D | |
| Source: |
Code function: |
25_2_045A4C55 | |
| Source: |
Code function: |
25_2_04596248 | |
| Source: |
Code function: |
25_2_045A0E49 | |
| Source: |
Code function: |
25_2_045AB07B | |
| Source: |
Code function: |
25_2_045A9A7E | |
| Source: |
Code function: |
25_2_04593C7E | |
| Source: |
Code function: |
25_2_045A066A | |
| Source: |
Code function: |
25_2_0459EA68 | |
| Source: |
Code function: |
25_2_045A346E | |
| Source: |
Code function: |
25_2_04595A60 | |
| Source: |
Code function: |
25_2_045A961A | |
| Source: |
Code function: |
25_2_045A300F | |
| Source: |
Code function: |
25_2_04597E0C | |
| Source: |
Code function: |
25_2_04593A00 | |
| Source: |
Code function: |
25_2_0459D405 | |
| Source: |
Code function: |
25_2_0459C232 | |
| Source: |
Code function: |
25_2_045A2422 | |
| Source: |
Code function: |
25_2_045A0820 | |
| Source: |
Code function: |
25_2_045964D8 | |
| Source: |
Code function: |
25_2_045A38D2 | |
| Source: |
Code function: |
25_2_0459FEC2 | |
| Source: |
Code function: |
25_2_0459F6E3 | |
| Source: |
Code function: |
25_2_045A229F | |
| Source: |
Code function: |
25_2_04592290 | |
| Source: |
Code function: |
25_2_045A2C97 | |
| Source: |
Code function: |
25_2_045A3689 | |
| Source: |
Code function: |
25_2_045A7083 | |
| Source: |
Code function: |
25_2_04594685 | |
| Source: |
Code function: |
25_2_04597A87 | |
| Source: |
Code function: |
25_2_045A8684 | |
| Source: |
Code function: |
25_2_045AA6B2 | |
| Source: |
Code function: |
25_2_045940AB | |
| Source: |
Code function: |
25_2_045A12A3 | |
| Source: |
Code function: |
25_2_045A9B59 | |
| Source: |
Code function: |
25_2_04594F4C | |
| Source: |
Code function: |
25_2_04597547 | |
| Source: |
Code function: |
25_2_0459F96A | |
| Source: |
Code function: |
25_2_0459BD6C | |
| Source: |
Code function: |
25_2_04598F1B | |
| Source: |
Code function: |
25_2_045A030B | |
| Source: |
Code function: |
25_2_0459F100 | |
| Source: |
Code function: |
25_2_0459773B | |
| Source: |
Code function: |
25_2_045A2938 | |
| Source: |
Code function: |
25_2_04591D2B | |
| Source: |
Code function: |
25_2_0459AB26 | |
| Source: |
Code function: |
25_2_04595FD2 | |
| Source: |
Code function: |
25_2_045A19CB | |
| Source: |
Code function: |
25_2_045A83C9 | |
| Source: |
Code function: |
25_2_045A9DC4 | |
| Source: |
Code function: |
25_2_045913FB | |
| Source: |
Code function: |
25_2_045917FB | |
| Source: |
Code function: |
25_2_045969FD | |
| Source: |
Code function: |
25_2_0459A7F1 | |
| Source: |
Code function: |
25_2_0459BFF4 | |
| Source: |
Code function: |
25_2_045A8FE8 | |
| Source: |
Code function: |
25_2_045A49EF | |
| Source: |
Code function: |
25_2_0459DB9E | |
| Source: |
Code function: |
25_2_0459B394 | |
| Source: |
Code function: |
25_2_0459918D | |
| Source: |
Code function: |
25_2_045943BC | |
| Source: |
Code function: |
25_2_0459CBB1 | |
| Source: |
Code function: |
25_2_0459F3B2 | |
| Source: |
Code function: |
25_2_045AABAE | |
| Source: |
Code function: |
25_2_04592FA7 | |
| Source: |
Code function: |
25_2_0458405A | |
| Source: |
Code function: |
25_2_0457945C | |
| Source: |
Code function: |
25_2_0458024E | |
| Source: |
Code function: |
25_2_0457564D | |
| Source: |
Code function: |
25_2_0457564C | |
| Source: |
Code function: |
25_2_0458907B | |
| Source: |
Code function: |
25_2_04582873 | |
| Source: |
Code function: |
25_2_04574E65 | |
| Source: |
Code function: |
25_2_0457FA6F | |
| Source: |
Code function: |
25_2_0457DE6D | |
| Source: |
Code function: |
25_2_04577211 | |
| Source: |
Code function: |
25_2_04588A1F | |
| Source: |
Code function: |
25_2_04582414 | |
| Source: |
Code function: |
25_2_04572E05 | |
| Source: |
Code function: |
25_2_04575E02 | |
| Source: |
Code function: |
25_2_04570C00 | |
| Source: |
Code function: |
25_2_0457C80A | |
| Source: |
Code function: |
25_2_0457B637 | |
| Source: |
Code function: |
25_2_04574832 | |
| Source: |
Code function: |
25_2_0457FC25 | |
| Source: |
Code function: |
25_2_04581827 | |
| Source: |
Code function: |
25_2_045758D6 | |
| Source: |
Code function: |
25_2_045758DD | |
| Source: |
Code function: |
25_2_04582CD7 | |
| Source: |
Code function: |
25_2_0457F2C7 | |
| Source: |
Code function: |
25_2_0457D6C3 | |
| Source: |
Code function: |
25_2_045774E8 | |
| Source: |
Code function: |
25_2_0457EAE8 | |
| Source: |
Code function: |
25_2_04571695 | |
| Source: |
Code function: |
25_2_0458209C | |
| Source: |
Code function: |
25_2_04586488 | |
| Source: |
Code function: |
25_2_04587A89 | |
| Source: |
Code function: |
25_2_04573083 | |
| Source: |
Code function: |
25_2_04582A8E | |
| Source: |
Code function: |
25_2_0458A480 | |
| Source: |
Code function: |
25_2_04576E8C | |
| Source: |
Code function: |
25_2_04588E83 | |
| Source: |
Code function: |
25_2_04573A8A | |
| Source: |
Code function: |
25_2_045734B0 | |
| Source: |
Code function: |
25_2_04589AB7 | |
| Source: |
Code function: |
25_2_045806A8 | |
| Source: |
Code function: |
25_2_045816A4 | |
| Source: |
Code function: |
25_2_04588F5E | |
| Source: |
Code function: |
25_2_04574351 | |
| Source: |
Code function: |
25_2_04576B40 | |
| Source: |
Code function: |
25_2_0457694C | |
| Source: |
Code function: |
25_2_0457E176 | |
| Source: |
Code function: |
25_2_0457B171 | |
| Source: |
Code function: |
25_2_0457F710 | |
| Source: |
Code function: |
25_2_0457E505 | |
| Source: |
Code function: |
25_2_0457710C | |
| Source: |
Code function: |
25_2_04581D3D | |
| Source: |
Code function: |
25_2_04571130 | |
| Source: |
Code function: |
25_2_04571F30 | |
| Source: |
Code function: |
25_2_04578320 | |
| Source: |
Code function: |
25_2_045753D7 | |
| Source: |
Code function: |
25_2_045777D3 | |
| Source: |
Code function: |
25_2_045891C9 | |
| Source: |
Code function: |
25_2_045877CE | |
| Source: |
Code function: |
25_2_045737C1 | |
| Source: |
Code function: |
25_2_04579BF6 | |
| Source: |
Code function: |
25_2_04583DF4 | |
| Source: |
Code function: |
25_2_0457B3F9 | |
| Source: |
Code function: |
25_2_045883ED | |
| Source: |
Code function: |
25_2_0457A799 | |
| Source: |
Code function: |
25_2_0457CB83 | |
| Source: |
Code function: |
25_2_04583984 | |
| Source: |
Code function: |
25_2_0457E7B7 | |
| Source: |
Code function: |
25_2_0457BFB6 | |
| Source: |
Code function: |
25_2_04589FB3 | |
| Source: |
Code function: |
25_2_0457CFA3 | |
| Source: |
Code function: |
25_2_045723AC | |
| Source: |
Code function: |
26_2_04A3E2BE | |
| Source: |
Code function: |
26_2_04A380E3 | |
| Source: |
Code function: |
26_2_04A3542D | |
| Source: |
Code function: |
26_2_04A49C76 | |
| Source: |
Code function: |
26_2_04A453C0 | |
| Source: |
Code function: |
26_2_04A383CE | |
| Source: |
Code function: |
26_2_04A3CDD8 | |
| Source: |
Code function: |
26_2_04A32B2B | |
| Source: |
Code function: |
26_2_04A37D07 | |
| Source: |
Code function: |
26_2_04A3ED71 | |
| Source: |
Code function: |
26_2_04A4457F | |
| Source: |
Code function: |
26_2_04A3D77E | |
| Source: |
Code function: |
26_2_04A412A3 | |
| Source: |
Code function: |
26_2_04A340AB | |
| Source: |
Code function: |
26_2_04A4A6B2 | |
| Source: |
Code function: |
26_2_04A48684 | |
| Source: |
Code function: |
26_2_04A37A87 | |
| Source: |
Code function: |
26_2_04A34685 | |
| Source: |
Code function: |
26_2_04A47083 | |
| Source: |
Code function: |
26_2_04A43689 | |
| Source: |
Code function: |
26_2_04A42C97 | |
| Source: |
Code function: |
26_2_04A32290 | |
| Source: |
Code function: |
26_2_04A4229F | |
| Source: |
Code function: |
26_2_04A3F6E3 | |
| Source: |
Code function: |
26_2_04A3FEC2 | |
| Source: |
Code function: |
26_2_04A438D2 | |
| Dropped file seen in connection with other malware |
| Source: |
Dropped File: |
||
| Found potential string decryption / allocating functions |
| Source: |
Code function: |
||
| Source: |
Code function: |
||
| PE file contains strange resources |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Tries to load missing DLLs |
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Classification label: |
||
| Source: |
Code function: |
3_2_04414121 | |
| Source: |
Code function: |
21_2_70332180 | |
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Static PE information: |
||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Process created: |
||
| Source: |
Virustotal: |
||
| Source: |
Metadefender: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
Data Obfuscation: |
|
|---|
| Contains functionality to dynamically determine API calls |
| Source: |
Code function: |
3_2_10014D45 | |
| PE file contains an invalid checksum |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Uses code obfuscation techniques (call, push, ret) |
| Source: |
Code function: |
3_2_1000BC80 | |
| Source: |
Code function: |
3_2_1000777D | |
| Source: |
Code function: |
21_2_703378E9 | |
| Source: |
Code function: |
21_2_70337F59 | |
| Source: |
Code function: |
24_2_0452F1F8 | |
| Source: |
Code function: |
25_2_0457F1F8 | |
| Source: |
Code function: |
26_2_04A1F1F8 | |
Persistence and Installation Behavior: |
|
|---|
| Drops PE files |
| Source: |
File created: |
Jump to dropped file | ||
| Drops PE files to the windows directory (C:\Windows) |
| Source: |
File created: |
Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection: |
|
|---|
| Hides that the sample has been downloaded from the Internet (zone.identifier) |
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Source: |
File opened: |
|||
| Extensive use of GetProcAddress (often used to hide API calls) |
| Source: |
Code function: |
21_2_70336987 | |
| Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
| Source: |
Registry key monitored for changes: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
| Source: |
Process information set: |
|||
Malware Analysis System Evasion: |
|
|---|
| Contains capabilities to detect virtual machines |
| Source: |
File opened / queried: |
||
| Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems) |
| Source: |
Code function: |
21_2_70332180 | |
| Found evasive API chain (may stop execution after checking a module file name) |
| Source: |
Evasive API call chain: |
||
| Source: |
Evasive API call chain: |
||
| May sleep (evasive loops) to hinder dynamic analysis |
| Source: |
Thread sleep time: |
Jump to behavior | ||
| Queries disk information (often used to detect virtual machines) |
| Source: |
File opened: |
Jump to behavior | ||
| Sample execution stops while process was sleeping (likely an evasion) |
| Source: |
Last function: |
||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
File Volume queried: |
|||
| Source: |
Code function: |
21_2_70348C1D | |
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
Jump to behavior | ||
| Source: |
Thread delayed: |
|||
| Source: |
Thread delayed: |
|||
| Source: |
Thread delayed: |
|||
| Source: |
Thread delayed: |
|||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
API call chain: |
||
| Source: |
API call chain: |
||
Anti Debugging: |
|
|---|
| Checks if the current process is being debugged |
| Source: |
Process queried: |
Jump to behavior | ||
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) |
| Source: |
Code function: | |