Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Malware.AI.4228845530.13946.10796

Overview

General Information

Sample Name:	SecuriteInfo.com.Malware.AI.4228845530.13946.10796 (renamed file extension from 10796 to exe)
Analysis ID:	412370
MD5:	248b7d11fab05df72c28b150af6f2dd8
SHA1:	230f7982e0bcf4a0e1e164316d736101bc5b8d5e
SHA256:	778487cdb0077cbe811443b5247a8121c5fc7c7e23472c068eee1e41a1476745
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

SecuriteInfo.com.Malware.AI.4228845530.13946.exe (PID: 4012 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe' MD5: 248B7D11FAB05DF72C28B150AF6F2DD8)

SecuriteInfo.com.Malware.AI.4228845530.13946.exe (PID: 488 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe MD5: 248B7D11FAB05DF72C28B150AF6F2DD8)

SecuriteInfo.com.Malware.AI.4228845530.13946.exe (PID: 5596 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe MD5: 248B7D11FAB05DF72C28B150AF6F2DD8)

SecuriteInfo.com.Malware.AI.4228845530.13946.exe (PID: 5756 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe MD5: 248B7D11FAB05DF72C28B150AF6F2DD8)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sergio.arroyo@kaeiser.comQIErWCn3smtp.kaeiser.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 4012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 4012	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5756	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sergio.arroyo@kaeiser.comQIErWCn3smtp.kaeiser.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Virustotal: Detection: 31%			Perma Link
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	ReversingLabs: Detection: 36%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Joe Sandbox ML: detected

Source: 6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h		1_2_013116D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h		1_2_013115D7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49733 -> 208.91.199.224:587

Source: global traffic

TCP traffic: 192.168.2.5:49733 -> 208.91.199.224:587

Source: Joe Sandbox View

IP Address: 208.91.199.224 208.91.199.224

Source: global traffic

TCP traffic: 192.168.2.5:49733 -> 208.91.199.224:587

Source: unknown

DNS traffic detected: queries for: smtp.kaeiser.com

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	String found in binary or memory: http://qdovFN.com
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258242489.0000000002F31000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/1
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505677643.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.kaeiser.com
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505677643.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505339832.00000000033DF000.00000004.00000001.sdmp, SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000003.462075964.0000000001184000.00000004.00000001.sdmp, SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505810185.0000000003440000.00000004.00000001.sdmp	String found in binary or memory: https://6JeA1hPBvojxA7lSjrqA.org
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	String found in binary or memory: https://6JeA1hPBvojxA7lSjrqA.org4
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.257816149.000000000132B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

PE file contains section with special chars

Show sources

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: section name: sBa<03`

PE file has nameless sections

Show sources

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01312D3B	1_2_01312D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01316D10	1_2_01316D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013145E8	1_2_013145E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013124B8	1_2_013124B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013118F0	1_2_013118F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013104E9	1_2_013104E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01313738	1_2_01313738
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_0131B2F0	1_2_0131B2F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_0131AD00	1_2_0131AD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01314500	1_2_01314500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_0131455D	1_2_0131455D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013131B9	1_2_013131B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013115D7	1_2_013115D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01312464	1_2_01312464
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013154A0	1_2_013154A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_013168A8	1_2_013168A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01315490	1_2_01315490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01316898	1_2_01316898
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01316B08	1_2_01316B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01316670	1_2_01316670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01316660	1_2_01316660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01316AF8	1_2_01316AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C99080	1_2_05C99080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C96525	1_2_05C96525
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C927D8	1_2_05C927D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C90FDD	1_2_05C90FDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C95F88	1_2_05C95F88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C90F9A	1_2_05C90F9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C927B9	1_2_05C927B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C95F78	1_2_05C95F78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C91E5B	1_2_05C91E5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C91E68	1_2_05C91E68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C909C8	1_2_05C909C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C90958	1_2_05C90958
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C91958	1_2_05C91958
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C9215B	1_2_05C9215B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C91968	1_2_05C91968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C92168	1_2_05C92168
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C91018	1_2_05C91018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C96348	1_2_05C96348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C9633B	1_2_05C9633B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_01460D77	6_2_01460D77
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_01468C58	6_2_01468C58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_01469F48	6_2_01469F48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_0146B7B0	6_2_0146B7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_01464A98	6_2_01464A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_014651D8	6_2_014651D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_01467DE0	6_2_01467DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_014652D8	6_2_014652D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_014F5520	6_2_014F5520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_014FB838	6_2_014FB838
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_014F67C0	6_2_014F67C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_018146A0	6_2_018146A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_01814690	6_2_01814690

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: Section: sBa<03` ZLIB complexity 1.00031861323

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@2/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Malware.AI.4228845530.13946.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Virustotal: Detection: 31%
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Unpacked PE file: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.a90000.0.unpack sBa<03`:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Static PE information: section name: sBa<03`
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_00B3D2F8 push ds; retf	1_2_00B3D32A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_00B3BF64 push ebp; iretd	1_2_00B3BF71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_01310A9D push esi; iretd	1_2_01310AA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C957BE push cs; ret	1_2_05C957BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 1_2_05C957B4 push cs; ret	1_2_05C957B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00303622 push cs; retf	4_2_00303632
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00302E27 pushad ; retf	4_2_00302E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00303670 push cs; retf	4_2_003036B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00303658 push cs; retf	4_2_0030366E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00303A5A push ss; retf	4_2_00303A5E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00303BB6 push ds; retf	4_2_00303BBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00303BA4 push ds; retf	4_2_00303BB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_003033A6 push cs; retf	4_2_00303632
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_00303B92 push ds; retf	4_2_00303B96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 4_2_003003D2 push esi; iretd	4_2_003003F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D2E27 pushad ; retf	5_2_003D2E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D3622 push cs; retf	5_2_003D3632
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D3670 push cs; retf	5_2_003D36B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D3658 push cs; retf	5_2_003D366E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D3A5A push ss; retf	5_2_003D3A5E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D3BB6 push ds; retf	5_2_003D3BBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D3BA4 push ds; retf	5_2_003D3BB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D33A6 push cs; retf	5_2_003D3632
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D3B92 push ds; retf	5_2_003D3B96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 5_2_003D03D2 push esi; iretd	5_2_003D03F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_00D403D2 push esi; iretd	6_2_00D403F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_00D43B92 push ds; retf	6_2_00D43B96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_00D43BB6 push ds; retf	6_2_00D43BBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_00D43BA4 push ds; retf	6_2_00D43BB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_00D433A6 push cs; retf	6_2_00D43632
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Code function: 6_2_00D43658 push cs; retf	6_2_00D4366E

Source: initial sample

Static PE information: section name: sBa<03` entropy: 7.9997886445

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 4012, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Code function: 1_2_013115D7 rdtsc

1_2_013115D7

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Window / User API: threadDelayed 2879			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Window / User API: threadDelayed 6926			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe TID: 3440	Thread sleep time: -99464s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe TID: 3328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe TID: 4196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe TID: 6508	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe TID: 6536	Thread sleep count: 2879 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe TID: 6536	Thread sleep count: 6926 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe TID: 6508	Thread sleep count: 40 > 30	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Thread delayed: delay time: 99464	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.508185877.0000000006680000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Code function: 1_2_013116D0 CheckRemoteDebuggerPresent,

1_2_013116D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Code function: 1_2_013115D7 rdtsc

1_2_013115D7

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Code function: 6_2_0146D198 LdrInitializeThunk,

6_2_0146D198

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Jump to behavior

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502411458.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502411458.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502411458.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502411458.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502411458.0000000001C10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 4012, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5756, type: MEMORY
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5756, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 4012, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5756, type: MEMORY
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.4030b70.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Input Capture1	Security Software Discovery331	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion141	Credentials in Registry1	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion141	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing13	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Malware.AI.4228845530.13946.exe	32%	Virustotal		Browse
SecuriteInfo.com.Malware.AI.4228845530.13946.exe	36%	ReversingLabs	Win32.Trojan.Wacatac
SecuriteInfo.com.Malware.AI.4228845530.13946.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.a90000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
6.2.SecuriteInfo.com.Malware.AI.4228845530.13946.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
smtp.kaeiser.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Virustotal		Browse
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://6JeA1hPBvojxA7lSjrqA.org4	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://6JeA1hPBvojxA7lSjrqA.org	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.html	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.htmlc	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/report/reporter_index.php?name=	0%	Avira URL Cloud	safe
http://qdovFN.com	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/1	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://smtp.kaeiser.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://servermanager.miixit.org/downloads/	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/hits/hit_index.php?k=	0%	Avira URL Cloud	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false		high
smtp.kaeiser.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org/	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://us2.smtp.mailhostbox.com	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505677643.0000000003431000.00000004.00000001.sdmp	false		high
https://6JeA1hPBvojxA7lSjrqA.org4	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://6JeA1hPBvojxA7lSjrqA.org	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505339832.00000000033DF000.00000004.00000001.sdmp, SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000003.462075964.0000000001184000.00000004.00000001.sdmp, SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505810185.0000000003440000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/index_ru.html	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/index_ru.htmlc	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/report/reporter_index.php?name=	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://qdovFN.com	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/1	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%GETMozilla/5.0	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://smtp.kaeiser.com	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.505677643.0000000003431000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258242489.0000000002F31000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp	false		high
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/downloads/	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/hits/hit_index.php?k=	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248737778.000000000381A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%$	SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.224	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412370
Start date:	12.05.2021
Start time:	16:46:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Malware.AI.4228845530.13946.10796 (renamed file extension from 10796 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/1@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.7% (good quality ratio 2%) Quality average: 36.3% Quality standard deviation: 38.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 74 Number of non-executed functions: 28
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Excluded IPs from analysis (whitelisted): 93.184.220.29, 104.42.151.234, 92.122.145.220, 104.43.193.48, 168.61.161.212, 184.30.20.56, 20.82.210.154, 92.122.213.247, 92.122.213.194, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, fs.microsoft.com, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:47:34	API Interceptor	669x Sleep call for process: SecuriteInfo.com.Malware.AI.4228845530.13946.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.224	PDF.9066721066.exe	Get hash	malicious	Browse
	Payment Advice Note from 10.05.2021 to 608760.exe	Get hash	malicious	Browse
	Quotation..exe	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	QUOTATION ORDER.exe	Get hash	malicious	Browse
	Request Sample products.exe	Get hash	malicious	Browse
	Quotation RFQ8116300.exe	Get hash	malicious	Browse
	New Enquiry 200567.exe	Get hash	malicious	Browse
	7UKtv01ZdPSbdAD.exe	Get hash	malicious	Browse
	Order Confirmation.exe	Get hash	malicious	Browse
	Swift Copy.xlsx	Get hash	malicious	Browse
	LM Approved Invoices 06052021.doc	Get hash	malicious	Browse
	ADVICE84857584489393.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	1STyZQU31dWqcMq.exe	Get hash	malicious	Browse
	1g1NLI6i33.exe	Get hash	malicious	Browse
	PO.xlsx	Get hash	malicious	Browse
	Purchase Orde.pdf.exe	Get hash	malicious	Browse
	LM Approved Invoice-03-05-2021.doc	Get hash	malicious	Browse
	REQUEST FOR PRICE QUOTE - URGENT.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	presupuesto.xlsx	Get hash	malicious	Browse	208.91.199.225
	shipping docs and BL_pdf.exe	Get hash	malicious	Browse	208.91.198.143
	PDF.9066721066.exe	Get hash	malicious	Browse	208.91.199.224
	Payment Advice Note from 10.05.2021 to 608760.exe	Get hash	malicious	Browse	208.91.199.224
	RFQ-20283H.exe	Get hash	malicious	Browse	208.91.198.143
	BTC-2021.exe	Get hash	malicious	Browse	208.91.199.225
	Copia de pago.exe	Get hash	malicious	Browse	208.91.199.225
	NEW PI#001890576.exe	Get hash	malicious	Browse	208.91.199.223
	PO 4500379537.exe	Get hash	malicious	Browse	208.91.199.225
	B5Cg5YZIzp.exe	Get hash	malicious	Browse	208.91.199.223
	PO 2345566 hisob-faktura.exe	Get hash	malicious	Browse	208.91.198.143
	Quotation..exe	Get hash	malicious	Browse	208.91.199.223
	RFQ-Quotation..exe	Get hash	malicious	Browse	208.91.198.143
	Quotation.exe	Get hash	malicious	Browse	208.91.199.224
	QUOTATION ORDER.exe	Get hash	malicious	Browse	208.91.199.224
	purchase order.exe	Get hash	malicious	Browse	208.91.199.223
	RFQ_SGCCUP_24 590 34 532 -11052021.exe	Get hash	malicious	Browse	208.91.198.143
	Request Sample products.exe	Get hash	malicious	Browse	208.91.198.143
	QTY-3322.exe	Get hash	malicious	Browse	208.91.198.143
	Request Sample products.exe	Get hash	malicious	Browse	208.91.199.224

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	Letter of Demand.doc	Get hash	malicious	Browse	103.21.59.173
	7b4NmGxyY2.exe	Get hash	malicious	Browse	162.215.241.145
	catalog-1908475637.xls	Get hash	malicious	Browse	199.79.62.12
	catalog-1908475637.xls	Get hash	malicious	Browse	199.79.62.12
	INV74321.exe	Get hash	malicious	Browse	119.18.54.126
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	116.206.104.92
	#10052021.exe	Get hash	malicious	Browse	116.206.104.66
	shipping docs and BL_pdf.exe	Get hash	malicious	Browse	208.91.198.143
	PDF.9066721066.exe	Get hash	malicious	Browse	208.91.199.224
	Payment Advice Note from 10.05.2021 to 608760.exe	Get hash	malicious	Browse	208.91.199.224
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	162.222.225.153
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	162.222.225.153
	export of document 555091.xlsm	Get hash	malicious	Browse	103.21.58.29
	RFQ-20283H.exe	Get hash	malicious	Browse	208.91.198.143
	BTC-2021.exe	Get hash	malicious	Browse	208.91.199.225
	invoice 85046.xlsm	Get hash	malicious	Browse	103.21.58.29
	copy of invoice 4347.xlsm	Get hash	malicious	Browse	103.21.58.29
	Copia de pago.exe	Get hash	malicious	Browse	208.91.199.225
	NEW PI#001890576.exe	Get hash	malicious	Browse	208.91.199.223
	bill 04050.xlsm	Get hash	malicious	Browse	103.21.59.208

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Malware.AI.4228845530.13946.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR
MD5:	8198C64CE0786EABD4C792E7E6FC30E5
SHA1:	71E1676126F4616B18C751A0A775B2D64944A15A
SHA-256:	C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4
SHA-512:	EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.76610281911688
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Malware.AI.4228845530.13946.exe
File size:	934400
MD5:	248b7d11fab05df72c28b150af6f2dd8
SHA1:	230f7982e0bcf4a0e1e164316d736101bc5b8d5e
SHA256:	778487cdb0077cbe811443b5247a8121c5fc7c7e23472c068eee1e41a1476745
SHA512:	52aade22e310127a1e4e809b2902b59cbd88de5b298cb17caa3c78ba39fa09bcc25187a63b8ed4d33d8d0060869a1f89c44d9e25cc51338a0b976083a5a900c5
SSDEEP:	24576:0bnpWiHvIlK3sJecpFQDu4hV342SqtkFWhoTa9mmZ7:0bnUzQ+aDHV3aFWy6mmZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..`..............P......\|............... ....@.. ....................................@................................

File Icon


Icon Hash:	8a8ccae6e0fcc4aa

Static PE Info

General
Entrypoint:	0x4ea00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609B842C [Wed May 12 07:30:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004EA000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc08dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x1b130	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xea000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0xc0000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
sBa<03`	0x2000	0xbc6b8	0xbc800	False	1.00031861323	data	7.9997886445	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0xc0000	0xbec0	0xc000	False	0.443725585938	data	5.98422695135	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x1b130	0x1b200	False	0.123334893433	data	3.48672876978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe8000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xea000	0x10	0x200	False	0.044921875	dBase III DBT, version number 0, next free block index 788752	0.142635768149	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xcc250	0x1b5f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xcddb0	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xde5d8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xe2800	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xe4da8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xe5e50	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xe62b8	0x5a	data
RT_GROUP_ICON	0xe6314	0x14	data
RT_VERSION	0xe6328	0x39c	data
RT_MANIFEST	0xe66c4	0xa65	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	3.0.0.0
InternalName	IsolatedStorageSecurityOptions.exe
FileVersion	3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ServerManager_Core
ProductVersion	3.0.0.0
FileDescription	ServerManager_Core
OriginalFilename	IsolatedStorageSecurityOptions.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-16:49:21.211208	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49733	587	192.168.2.5	208.91.199.224

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 16:49:19.438030958 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:19.602700949 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:19.602816105 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:20.182816982 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:20.183258057 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:20.346558094 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:20.346596956 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:20.349409103 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:20.513592005 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:20.514242887 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:20.679681063 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:20.680565119 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:20.844995022 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:20.845446110 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:21.041570902 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:21.042124033 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:21.205835104 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:21.211208105 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:21.211504936 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:21.211669922 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:21.211858034 CEST	49733	587	192.168.2.5	208.91.199.224
May 12, 2021 16:49:21.374861002 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:21.375021935 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:21.473221064 CEST	587	49733	208.91.199.224	192.168.2.5
May 12, 2021 16:49:21.525196075 CEST	49733	587	192.168.2.5	208.91.199.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 16:47:17.762149096 CEST	53	62060	8.8.8.8	192.168.2.5
May 12, 2021 16:47:17.777302027 CEST	61805	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:17.826127052 CEST	53	61805	8.8.8.8	192.168.2.5
May 12, 2021 16:47:18.402791023 CEST	54795	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:18.452846050 CEST	53	54795	8.8.8.8	192.168.2.5
May 12, 2021 16:47:18.595149040 CEST	49557	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:18.662967920 CEST	53	49557	8.8.8.8	192.168.2.5
May 12, 2021 16:47:19.546247959 CEST	61733	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:19.595191956 CEST	53	61733	8.8.8.8	192.168.2.5
May 12, 2021 16:47:20.512152910 CEST	65447	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:20.560919046 CEST	53	65447	8.8.8.8	192.168.2.5
May 12, 2021 16:47:21.739219904 CEST	52441	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:21.787822962 CEST	53	52441	8.8.8.8	192.168.2.5
May 12, 2021 16:47:23.225873947 CEST	62176	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:23.274524927 CEST	53	62176	8.8.8.8	192.168.2.5
May 12, 2021 16:47:25.415198088 CEST	59596	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:25.463933945 CEST	53	59596	8.8.8.8	192.168.2.5
May 12, 2021 16:47:26.651551008 CEST	65296	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:26.703161955 CEST	53	65296	8.8.8.8	192.168.2.5
May 12, 2021 16:47:30.238341093 CEST	63183	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:30.287147045 CEST	53	63183	8.8.8.8	192.168.2.5
May 12, 2021 16:47:31.211246967 CEST	60151	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:31.274061918 CEST	53	60151	8.8.8.8	192.168.2.5
May 12, 2021 16:47:32.141752005 CEST	56969	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:32.190381050 CEST	53	56969	8.8.8.8	192.168.2.5
May 12, 2021 16:47:42.827264071 CEST	55161	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:42.890696049 CEST	53	55161	8.8.8.8	192.168.2.5
May 12, 2021 16:47:49.601633072 CEST	54757	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:49.661398888 CEST	53	54757	8.8.8.8	192.168.2.5
May 12, 2021 16:47:56.964221954 CEST	49992	53	192.168.2.5	8.8.8.8
May 12, 2021 16:47:57.026830912 CEST	53	49992	8.8.8.8	192.168.2.5
May 12, 2021 16:48:28.179665089 CEST	60075	53	192.168.2.5	8.8.8.8
May 12, 2021 16:48:28.254879951 CEST	53	60075	8.8.8.8	192.168.2.5
May 12, 2021 16:48:31.128184080 CEST	55016	53	192.168.2.5	8.8.8.8
May 12, 2021 16:48:31.186876059 CEST	53	55016	8.8.8.8	192.168.2.5
May 12, 2021 16:48:39.086479902 CEST	64345	53	192.168.2.5	8.8.8.8
May 12, 2021 16:48:39.148816109 CEST	53	64345	8.8.8.8	192.168.2.5
May 12, 2021 16:48:52.079786062 CEST	57128	53	192.168.2.5	8.8.8.8
May 12, 2021 16:48:52.147031069 CEST	53	57128	8.8.8.8	192.168.2.5
May 12, 2021 16:49:11.718720913 CEST	54791	53	192.168.2.5	8.8.8.8
May 12, 2021 16:49:11.776118040 CEST	53	54791	8.8.8.8	192.168.2.5
May 12, 2021 16:49:14.520978928 CEST	50463	53	192.168.2.5	8.8.8.8
May 12, 2021 16:49:14.589231014 CEST	53	50463	8.8.8.8	192.168.2.5
May 12, 2021 16:49:19.059950113 CEST	50394	53	192.168.2.5	8.8.8.8
May 12, 2021 16:49:19.249295950 CEST	53	50394	8.8.8.8	192.168.2.5
May 12, 2021 16:49:19.282136917 CEST	58530	53	192.168.2.5	8.8.8.8
May 12, 2021 16:49:19.339981079 CEST	53	58530	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 16:49:19.059950113 CEST	192.168.2.5	8.8.8.8	0x2bab	Standard query (0)	smtp.kaeiser.com	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.282136917 CEST	192.168.2.5	8.8.8.8	0x85a3	Standard query (0)	smtp.kaeiser.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 16:49:19.249295950 CEST	8.8.8.8	192.168.2.5	0x2bab	No error (0)	smtp.kaeiser.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 16:49:19.249295950 CEST	8.8.8.8	192.168.2.5	0x2bab	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.249295950 CEST	8.8.8.8	192.168.2.5	0x2bab	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.249295950 CEST	8.8.8.8	192.168.2.5	0x2bab	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.249295950 CEST	8.8.8.8	192.168.2.5	0x2bab	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.339981079 CEST	8.8.8.8	192.168.2.5	0x85a3	No error (0)	smtp.kaeiser.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 16:49:19.339981079 CEST	8.8.8.8	192.168.2.5	0x85a3	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.339981079 CEST	8.8.8.8	192.168.2.5	0x85a3	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.339981079 CEST	8.8.8.8	192.168.2.5	0x85a3	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
May 12, 2021 16:49:19.339981079 CEST	8.8.8.8	192.168.2.5	0x85a3	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 12, 2021 16:49:20.182816982 CEST	587	49733	208.91.199.224	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
May 12, 2021 16:49:20.183258057 CEST	49733	587	192.168.2.5	208.91.199.224	EHLO 124406
May 12, 2021 16:49:20.346596956 CEST	587	49733	208.91.199.224	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
May 12, 2021 16:49:20.349409103 CEST	49733	587	192.168.2.5	208.91.199.224	AUTH login c2VyZ2lvLmFycm95b0BrYWVpc2VyLmNvbQ==
May 12, 2021 16:49:20.513592005 CEST	587	49733	208.91.199.224	192.168.2.5	334 UGFzc3dvcmQ6
May 12, 2021 16:49:20.679681063 CEST	587	49733	208.91.199.224	192.168.2.5	235 2.7.0 Authentication successful
May 12, 2021 16:49:20.680565119 CEST	49733	587	192.168.2.5	208.91.199.224	MAIL FROM:<sergio.arroyo@kaeiser.com>
May 12, 2021 16:49:20.844995022 CEST	587	49733	208.91.199.224	192.168.2.5	250 2.1.0 Ok
May 12, 2021 16:49:20.845446110 CEST	49733	587	192.168.2.5	208.91.199.224	RCPT TO:<sergio.arroyo@kaeiser.com>
May 12, 2021 16:49:21.041570902 CEST	587	49733	208.91.199.224	192.168.2.5	250 2.1.5 Ok
May 12, 2021 16:49:21.042124033 CEST	49733	587	192.168.2.5	208.91.199.224	DATA
May 12, 2021 16:49:21.205835104 CEST	587	49733	208.91.199.224	192.168.2.5	354 End data with <CR><LF>.<CR><LF>
May 12, 2021 16:49:21.211858034 CEST	49733	587	192.168.2.5	208.91.199.224	.
May 12, 2021 16:49:21.473221064 CEST	587	49733	208.91.199.224	192.168.2.5	250 2.0.0 Ok: queued as EE2481C20C4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 4012 Parent PID: 5796

General

Start time:	16:47:26
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe'
Imagebase:	0xa90000
File size:	934400 bytes
MD5 hash:	248B7D11FAB05DF72C28B150AF6F2DD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.258294495.0000000002F83000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.260145188.0000000003F85000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 488 Parent PID: 4012

General

Start time:	16:47:36
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Imagebase:	0x240000
File size:	934400 bytes
MD5 hash:	248B7D11FAB05DF72C28B150AF6F2DD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5596 Parent PID: 4012

General

Start time:	16:47:36
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Imagebase:	0x310000
File size:	934400 bytes
MD5 hash:	248B7D11FAB05DF72C28B150AF6F2DD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5756 Parent PID: 4012

General

Start time:	16:47:37
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Imagebase:	0xc80000
File size:	934400 bytes
MD5 hash:	248B7D11FAB05DF72C28B150AF6F2DD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.502628732.0000000003181000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 4012 Parent PID: 5796 SecuriteInfo.com.Malware.AI.4228845530.13946.exeCOMMON

Executed Functions

Function 0131455D, Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

*/E, xrefs: 0131488B
[5fj, xrefs: 013148C1
*/E, xrefs: 013148A9
*/E, xrefs: 01314892

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: */E$*/E$*/E$[5fj
API String ID: 0-3438299391
Opcode ID: 95c498fac597988d08f7236dedb6360ab280963c72ca04ce7c494201c4aa39c0
Instruction ID: 68df6f2e67d9ba9f4dc8b2a87d05df15ec8d02bb04c4b2a7d46004595b5198bb
Opcode Fuzzy Hash: 95c498fac597988d08f7236dedb6360ab280963c72ca04ce7c494201c4aa39c0
Instruction Fuzzy Hash: 5BE16170D0521ADFCB08CFB5D4814AEFBB2FF89318B248569D516EB258D7359A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01314500, Relevance: 5.3, Strings: 4, Instructions: 342COMMON

Download Yara Rule

Strings

*/E, xrefs: 0131488B
[5fj, xrefs: 013148C1
*/E, xrefs: 013148A9
*/E, xrefs: 01314892

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: */E$*/E$*/E$[5fj
API String ID: 0-3438299391
Opcode ID: 48de9b2c29df8a5d053ba943256235f9325d6b0a1334827d89b0f2e3a524d60c
Instruction ID: 7aa8bb34b7aa54f6871d9051130569ce57e728f737230e81d348fb01375c9eb8
Opcode Fuzzy Hash: 48de9b2c29df8a5d053ba943256235f9325d6b0a1334827d89b0f2e3a524d60c
Instruction Fuzzy Hash: F0E17F70D0521ADFCB08CFA5D4818AEFBB2FF89318B25C569D516EB258D7349A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013145E8, Relevance: 5.3, Strings: 4, Instructions: 296COMMON

Download Yara Rule

Strings

*/E, xrefs: 0131488B
[5fj, xrefs: 013148C1
*/E, xrefs: 013148A9
*/E, xrefs: 01314892

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: */E$*/E$*/E$[5fj
API String ID: 0-3438299391
Opcode ID: 97d8544e31872e399991c1b94b1e03857b9a129fc02cc6acd95a54e1aea3d051
Instruction ID: 2d69c1e3912564efb5dabc4dc0a0c626f7f687da8d95f6fdfbdcab7436033638
Opcode Fuzzy Hash: 97d8544e31872e399991c1b94b1e03857b9a129fc02cc6acd95a54e1aea3d051
Instruction Fuzzy Hash: E4D18EB0D0421ADFCB08CFA5D5808AEFBB6FF89314F15C469D516AB258D7349A82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013115D7, Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0131176C

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ff3fa4404bfdad3fb07a1ef48ac09096e60c57eb207fa6e99330d3c0c0a7022a
Instruction ID: ccad1d0b25e8b98ddc268619538b2914121caa9229570aa35133acfaacd3a901
Opcode Fuzzy Hash: ff3fa4404bfdad3fb07a1ef48ac09096e60c57eb207fa6e99330d3c0c0a7022a
Instruction Fuzzy Hash: DE810275906358CFCB4ACFB4C48269ABBB1FF0A318F2484AED441EB221E3765946DF50

Uniqueness

Uniqueness Score: -1.00%

Function 013116D0, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0131176C

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 5b3db4591e95a562f5a18fbb280e8b8c42f3cd5a8a5e692dded02b669766900a
Instruction ID: c8c07d7124b8d1033d0de2de78e20e011f181fa0a7e612af1a4d8009ac7687a3
Opcode Fuzzy Hash: 5b3db4591e95a562f5a18fbb280e8b8c42f3cd5a8a5e692dded02b669766900a
Instruction Fuzzy Hash: 7341BBB9D05258DFCB00CFA9D484AEEFBF4AB09314F14906AE415B7354D738AA89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01312464, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

/P8O, xrefs: 01312587

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: /P8O
API String ID: 0-1146465854
Opcode ID: 7ed9b9613519c95be2061c2fcbde3d15213810c89e14e22f04d61208eccb9519
Instruction ID: 7bd8124a229a5370a313d5fbb1912db74280b16c0964c415766d8ece35e0a16e
Opcode Fuzzy Hash: 7ed9b9613519c95be2061c2fcbde3d15213810c89e14e22f04d61208eccb9519
Instruction Fuzzy Hash: 16A10674E11218CFCB08CFA9C8906DEFBB2FF89304F24812AD415AB264E7359906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 013124B8, Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

/P8O, xrefs: 01312587

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: /P8O
API String ID: 0-1146465854
Opcode ID: 607e6a0aead1f75a9d1688475cd2746e665692f30a616134eb441b71bbc01798
Instruction ID: d3030071952b4a9b9ca748eae62521bc54a53f753793acd513c73b1299985013
Opcode Fuzzy Hash: 607e6a0aead1f75a9d1688475cd2746e665692f30a616134eb441b71bbc01798
Instruction Fuzzy Hash: 6E91C470E10219CFCB08CFAAC99469EFBB2FF89314F20842AD519BB258D7349941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 013104E9, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

<, xrefs: 01310601

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 44cfcb00ae845bb8bd83c8ea69fa65f1ab180d811778de4c7320b1cf57afb811
Instruction ID: c9ef1a8ecebb914075cbdeece529fe46f6996757358cba1e2a5c97e8053246a3
Opcode Fuzzy Hash: 44cfcb00ae845bb8bd83c8ea69fa65f1ab180d811778de4c7320b1cf57afb811
Instruction Fuzzy Hash: C7518571E04618DFDB58CFAAD9506DDBBF2BF89304F14C0AAD519AB264EB305A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05C99080, Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e57d596f4c3453cbdedffe2da4b505f57355303edaa879958898c471d6d107
Instruction ID: 6da972a2de78fbeb6b55a3b58551808816c3c8735abdcf54671ce670e5bb61fd
Opcode Fuzzy Hash: f2e57d596f4c3453cbdedffe2da4b505f57355303edaa879958898c471d6d107
Instruction Fuzzy Hash: 36C1BC717006048FDF2EDB76C468BAEB7FAAF89B44F14486DD1469B290DB34EA01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0131B2F0, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e83c9d13ed3125d7711a68450cf676c0bf1b02bbbd9a0294697526883a33d2
Instruction ID: ea70f8a2206ec5f82eb6707c613b4e4808c33ce17b9b012bd365842438f81244
Opcode Fuzzy Hash: 68e83c9d13ed3125d7711a68450cf676c0bf1b02bbbd9a0294697526883a33d2
Instruction Fuzzy Hash: B5B12570D1521CCFDB18CFA5C9406EDFBB6BB89308F10986AC41ABB658DB358945CF24

Uniqueness

Uniqueness Score: -1.00%

Function 01312D3B, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b318e7119a5e786daf249b4b3986211514ce75ebb81358465f91260000133e
Instruction ID: f88f1143f18bbe7556a837d67966b12d9af14d7f03d55cce1828b2d36db22687
Opcode Fuzzy Hash: e4b318e7119a5e786daf249b4b3986211514ce75ebb81358465f91260000133e
Instruction Fuzzy Hash: C85117B0E042198FCB08CFAAD9405AEFBF2FF89301F24D16AD419B7258D7349A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01313738, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b985d79e101b4e90170540e8401d8579f2dcee539cfe06cb0a0b390bbe678fb2
Instruction ID: 876916fb44f058b3240ab8db06e6ef4eae8a6f9e698640517d10f8da2b8b820c
Opcode Fuzzy Hash: b985d79e101b4e90170540e8401d8579f2dcee539cfe06cb0a0b390bbe678fb2
Instruction Fuzzy Hash: 8331E871E006188BDB18CFAAD8406DEFBF7AFC9310F14C17AD419A6258DB741A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013118F0, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d7ccc51576f2eb69f9dbd7ea1a22d1038ea66e6487ecdab5b9eeba80088ab4
Instruction ID: 381d7b577a4be9ea0632ea02981a709410032db2bb4764416ece5edbd4a8631b
Opcode Fuzzy Hash: f5d7ccc51576f2eb69f9dbd7ea1a22d1038ea66e6487ecdab5b9eeba80088ab4
Instruction Fuzzy Hash: 5431CA71E056189FEB18CFABD84069EFBF3AFC9300F14C0BAD918A6268DB3419458F51

Uniqueness

Uniqueness Score: -1.00%

Function 01316D10, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fac2a5d3722d98c426a07882bd1ddd92d8cb6a036513fcb3de3a1cf0c42201
Instruction ID: c516fccd824bc36bd3c1e6a170172c912b07c2894d97a3841ce49ac79e36579f
Opcode Fuzzy Hash: 55fac2a5d3722d98c426a07882bd1ddd92d8cb6a036513fcb3de3a1cf0c42201
Instruction Fuzzy Hash: 69210C71E046198BEB58CFABDC4069EFBF7EFC9204F14C1BAC508A6228EB3419458F51

Uniqueness

Uniqueness Score: -1.00%

Function 05C94BCC, Relevance: 1.8, APIs: 1, Instructions: 328processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C94E9F

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2fb8eb513bd525d9896840413f1162fa883fb716b702d90b779b690f9dc734d5
Instruction ID: c7874c8b2fc9271c43a805df9d445fcbfdf9b4bd638d38a350ef80078d1c20bd
Opcode Fuzzy Hash: 2fb8eb513bd525d9896840413f1162fa883fb716b702d90b779b690f9dc734d5
Instruction Fuzzy Hash: C9C11471D0426D8FCF28CFA4C885BEDBBB1BB49304F0095A9D559B7240DB749A86CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05C94BD8, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C94E9F

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b77d60fadad5867c12fb5a220d92b1b903806250cfb5546df29531277c8fcf5e
Instruction ID: 50d8b80fc92a789c2f5a492780a9b8dac9d361d5c0ac35c6c9dc068335e28517
Opcode Fuzzy Hash: b77d60fadad5867c12fb5a220d92b1b903806250cfb5546df29531277c8fcf5e
Instruction Fuzzy Hash: 86C10475D0426D8FCF28CFA4C885BEDBBB1BB49304F0095A9E549B7240DB749A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013103B0, Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0131B8D2

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: b661f2fc5b8d2c1c19c7814d81ed7c5932c2f7456fdd922729d84855b7136731
Instruction ID: eaf4e96c230fe236596a6fec80a798bbb2a0c116ca0a4d572b907a22d8ce5069
Opcode Fuzzy Hash: b661f2fc5b8d2c1c19c7814d81ed7c5932c2f7456fdd922729d84855b7136731
Instruction Fuzzy Hash: 3351CAB4D052589FCB14CFAAD984ADEFBF4EF49318F14806AE818B7214D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C946D7, Relevance: 1.6, APIs: 1, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C947DA

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f579b6a104de0b39868052f6b7512b235a1f70327b3776bd8da18ffa7fbd1e7d
Instruction ID: 1894720fc6ecb2d84d936634fbae3885134d0d3880df254297597a66e0d38cc1
Opcode Fuzzy Hash: f579b6a104de0b39868052f6b7512b235a1f70327b3776bd8da18ffa7fbd1e7d
Instruction Fuzzy Hash: 294114B9D042989FCF08CFA5D885A9EBBF1FB49314F14981AE815B7310D734A906CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05C9484B, Relevance: 1.6, APIs: 1, Instructions: 117injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C94923

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0dc71cd462f95331a874e45f4512343e87cc160bba6c7e4ed6252d250eb8e8e0
Instruction ID: ec50af75d3c1296dca1605b9cb778b9979a5857c3d2e8cb0928a1d625242861d
Opcode Fuzzy Hash: 0dc71cd462f95331a874e45f4512343e87cc160bba6c7e4ed6252d250eb8e8e0
Instruction Fuzzy Hash: 7341C8B5D012589FCF04CFA9D984AEEFBF1BB49314F14902AE818B7210D734AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C94850, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C94923

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 447be2651a5a5275043b1e69b3ef893a111c0a3c6fcdd82e0c16a999d1845e07
Instruction ID: 039c571c888dc49694a59b544f8945f80cfa412807fa6bb21260f34d53cdbc22
Opcode Fuzzy Hash: 447be2651a5a5275043b1e69b3ef893a111c0a3c6fcdd82e0c16a999d1845e07
Instruction Fuzzy Hash: D941B8B4D052589FCF04CFA9D984AEEFBF1BB49314F14942AE819B7210D734AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C949A0, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C94A5A

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: edac2dac825ed680ef3ab72a3a63817b54cb721d325d45bbf7bef1f7ff9b7934
Instruction ID: bb97e9bebf88b03e62f4b30b1765f1d4eb820df73f958e542b557c2b414f6ae4
Opcode Fuzzy Hash: edac2dac825ed680ef3ab72a3a63817b54cb721d325d45bbf7bef1f7ff9b7934
Instruction Fuzzy Hash: 1741BAB5D042989FCF04CFA9D884AEEFBB1BF09310F14942AE815B7200D735AA45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 05C949A8, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C94A5A

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8174fc3e18d6af6aeeed1b3a851ea8877cc4d57636a0da04bfbf4e526e7b4889
Instruction ID: 05841dd25e7aa30104ab12d33fd299ab03851ba14e87be70eb85f6d8730f7958
Opcode Fuzzy Hash: 8174fc3e18d6af6aeeed1b3a851ea8877cc4d57636a0da04bfbf4e526e7b4889
Instruction Fuzzy Hash: D941A8B4D04258DFCF04CFAAD984AEEFBB1BB49310F14942AE815B7200D734A945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 05C94730, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C947DA

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 56eb2995eb533c0b061881841b5e68bc694098248823e1dd333ccea7fa80634a
Instruction ID: 4373e4ce35a244b3327defedf0ee8ab26a53eddd246e95555c55aa9958b86050
Opcode Fuzzy Hash: 56eb2995eb533c0b061881841b5e68bc694098248823e1dd333ccea7fa80634a
Instruction Fuzzy Hash: B231A8B8D042989FCF04CFA9D984ADEFBB1BB49310F10942AE815B7310D734A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05C93F90, Relevance: 1.6, APIs: 1, Instructions: 98threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05C94047

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a7168cae6cd7f55ca13475a05730cda8c605a40ae0fa396d2e14c7a7d69a0f13
Instruction ID: 15fe0333f2644dfe93c4316fc5ba48b6a86a413ab338c6711213289be4f4c93d
Opcode Fuzzy Hash: a7168cae6cd7f55ca13475a05730cda8c605a40ae0fa396d2e14c7a7d69a0f13
Instruction Fuzzy Hash: 1841DEB4D042589FCF14CFAAD884AEEBBF1BF49314F14942AE405B7204D738A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 013117E8, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01311897

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f257915faa17532cad9dd7397cff9d8ec467a600f3f4807b697681261332dde
Instruction ID: 4dcd2151d87554f774e0b01b3c1549b3ae40f017f903abca22396e4b7c8325de
Opcode Fuzzy Hash: 7f257915faa17532cad9dd7397cff9d8ec467a600f3f4807b697681261332dde
Instruction Fuzzy Hash: 983198B9D00258DFCF14CFA9E484AEEFBB0BB59314F14902AE814B7210D734A949DF64

Uniqueness

Uniqueness Score: -1.00%

Function 01319F38, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01319FDF

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 648997706cce89872d8cc8290f9efca841eccab341e92473b50a217475e6ae45
Instruction ID: 9a2b626cd4328341976666c9a1de6a9f707fe18e46c5787d407e6d7975e1ecbc
Opcode Fuzzy Hash: 648997706cce89872d8cc8290f9efca841eccab341e92473b50a217475e6ae45
Instruction Fuzzy Hash: 293198B9D042589FCF14CFA9E884ADEFBB1BB09314F14902AE815B7310D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 013117F0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01311897

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 06b27721c733b7106817892771a5c585e6c345e563ee51ce0a15e0d6bfee78fa
Instruction ID: 55831008ac17dbc5034c300330ce86372a3d58363176f9bea476fa9a49740cac
Opcode Fuzzy Hash: 06b27721c733b7106817892771a5c585e6c345e563ee51ce0a15e0d6bfee78fa
Instruction Fuzzy Hash: FC3196B9D042589FCF14CFAAE884AEEFBB4BB49314F14902AE814B7310D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05C93F98, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05C94047

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 676fad361e4d0156a968687b60f081ccd21ebefd9c02ddaec71b593927460161
Instruction ID: 71dc44ccd530b32b6fcc9c92925a4502802ad30889b8310328770ff137fcea40
Opcode Fuzzy Hash: 676fad361e4d0156a968687b60f081ccd21ebefd9c02ddaec71b593927460161
Instruction Fuzzy Hash: E631BBB4D012589FCF14CFAAD884AEEBBF1BF49314F14942AE415B7240D738A989CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05C97DF0, Relevance: 1.6, APIs: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05C97E93

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 54f8862165c1c46492d54c619edae8c9cdfad96ab1ea407d93c4c26d6962c9c4
Instruction ID: 17d2caa54bb9b68ffd3d956eef44803187dff0446767cb00b746345598c8c017
Opcode Fuzzy Hash: 54f8862165c1c46492d54c619edae8c9cdfad96ab1ea407d93c4c26d6962c9c4
Instruction Fuzzy Hash: B43195B9D01258AFCF14CFA9D884A9EFBF5EB09310F14942AE814BB310D735A9458F65

Uniqueness

Uniqueness Score: -1.00%

Function 05C97DF8, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05C97E93

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 61f91a0292025f6487ddbe062655ad093b9d9ce0deedc94ff54de55bdd0c9724
Instruction ID: a0acb4c595c8a075d36114cdf924a1add2ab3ed9c5f6ca0a61aac7247d598551
Opcode Fuzzy Hash: 61f91a0292025f6487ddbe062655ad093b9d9ce0deedc94ff54de55bdd0c9724
Instruction Fuzzy Hash: DF3185B9D01258AFCF14CFA9E884A9EFBF5EB49310F14942AE814BB310D734A9458F64

Uniqueness

Uniqueness Score: -1.00%

Function 013103C8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0131B8D2

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 84e8b032474b0028ee9c29bd80d791a4b009d59718ca2aead3fd25cea4cf665b
Instruction ID: a3923a333e4d34b01534e17e73222ef9d809c795efc3bebfa9f8a32799ee2b5b
Opcode Fuzzy Hash: 84e8b032474b0028ee9c29bd80d791a4b009d59718ca2aead3fd25cea4cf665b
Instruction Fuzzy Hash: FA31BAB4D002489FCB14CFA9D584ADEFBF5AB49314F14802AE818B7324D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C93EA3, Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05C93F26

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d04101d56e09546f050f2da2b4c6f229fc598695ca25978df42cfe22ac6bbaaa
Instruction ID: fdc41f1b920f50d4e38209e126284fddbcf603c4a09eae6b0771ff8b381798c1
Opcode Fuzzy Hash: d04101d56e09546f050f2da2b4c6f229fc598695ca25978df42cfe22ac6bbaaa
Instruction Fuzzy Hash: FF31CCB4D052989FCF14CFAAD984AEEFBB5AF49314F14942AE815B7300D734A905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05C93EA8, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05C93F26

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f1d811d789bb61a22c7fc3d698cb22862d024fe8cf2e8c4d35718cbb3f457f62
Instruction ID: d7037a2b62a730a847871d9b15998ca8ca51e1d45a20cae8938f35a181dcd8d9
Opcode Fuzzy Hash: f1d811d789bb61a22c7fc3d698cb22862d024fe8cf2e8c4d35718cbb3f457f62
Instruction Fuzzy Hash: 5F31CCB4D052989FCF14CFAAD984ADEFBB5AF49314F14942AE815B7300D734A905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0113D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257653299.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6267589065028f16d9b2ba07f4bbfa576911852a3831c21d2953a8292a3e1c74
Instruction ID: df747cbea70d361b412df4a2a37a8cdc44f2cd2973926ef3494ce4c9fd05d990
Opcode Fuzzy Hash: 6267589065028f16d9b2ba07f4bbfa576911852a3831c21d2953a8292a3e1c74
Instruction Fuzzy Hash: A22125B1504244DFDF19CF54E4C0B1AFB65FBC4754F64C669E9494B24AC336D806CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0113D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257653299.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb50696049bfbf46bfce139e802a75b4458fe5cb66155834eab993fffddb6e1
Instruction ID: 9f9e1a1dcbd985167676c8dd98da3b781473095dbfd51683b568f3c8d9c04a7b
Opcode Fuzzy Hash: feb50696049bfbf46bfce139e802a75b4458fe5cb66155834eab993fffddb6e1
Instruction Fuzzy Hash: 842180755083809FCB06CF64D994B15BF71EF86214F28C5DAD8498F2A7C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112D7FD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257632965.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b655242fb8daaa4ec2cb6a0e3763f19a837415b93025de1441f81567fd1e58ad
Instruction ID: fd69d4cd579b9c7fa82e98e16a02c989812789c4888968cf109afb0383943c01
Opcode Fuzzy Hash: b655242fb8daaa4ec2cb6a0e3763f19a837415b93025de1441f81567fd1e58ad
Instruction Fuzzy Hash: 5C0120714083A49EEF144A56EC84766BFD8EF41634F09C05AEE095B147D7B49844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0112D7FC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257632965.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf89d4d7cec793d7ac12f25988e93a36ea2d180161ea9f89e6f93ec45234f74a
Instruction ID: 5a9cb89d488f609cf10d338d1cd795345a2058036ccc76fe8b2eac5366531a2e
Opcode Fuzzy Hash: bf89d4d7cec793d7ac12f25988e93a36ea2d180161ea9f89e6f93ec45234f74a
Instruction Fuzzy Hash: 8AF096714043949EEB158A1ADCC4B66FFA8EF41634F18C45AED085B28BC3B8A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0131AD00, Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

z!~, xrefs: 0131AE36

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: z!~
API String ID: 0-38446429
Opcode ID: 28ec0b3aee1fa1ccb728ad195610e57b8624f73f5c1927ee7e708a4739ce7423
Instruction ID: 7f5446c5cb58f4b167466d4d7d2b9e6d2f9ffb8520a913af4b1e586087a3e9f0
Opcode Fuzzy Hash: 28ec0b3aee1fa1ccb728ad195610e57b8624f73f5c1927ee7e708a4739ce7423
Instruction Fuzzy Hash: 38D13A74E15219CFCB18CFA9C980AAEFBB2BF89305F24816AD509AB359D7309D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 013154A0, Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

]G++, xrefs: 01315681

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: ]G++
API String ID: 0-3074070287
Opcode ID: 1c24254d3085f238a0f5ae86c5df69a23e8ca0438e69a0715afd652db202458b
Instruction ID: c539bcb00451a7fa6e798bd5b9398f2d0ff8384dbc3249f22140ef50afafd9e7
Opcode Fuzzy Hash: 1c24254d3085f238a0f5ae86c5df69a23e8ca0438e69a0715afd652db202458b
Instruction Fuzzy Hash: 9381F074A11219DFCB08CF99C5849AEFBF2FF89210F149569E429BB224D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01315490, Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

]G++, xrefs: 01315681

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: ]G++
API String ID: 0-3074070287
Opcode ID: 27adb98e36cd270aa0c8c27ba2c1f7f947da4c8c15facfbcdeda21c7c6677dc5
Instruction ID: d5796dfb2e21a08ec3cfb2698aee755708188fc30344d85320613d64e728f9c8
Opcode Fuzzy Hash: 27adb98e36cd270aa0c8c27ba2c1f7f947da4c8c15facfbcdeda21c7c6677dc5
Instruction Fuzzy Hash: B281F274A14219DFCB48CFA9C58499EFBF2FF89310F14956AE425EB224D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05C91E5B, Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

\4., xrefs: 05C91EEC

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID: \4.
API String ID: 0-4045837250
Opcode ID: 20697a560b78962f05365f5cfccf9da7944c552d0364d7a348c1930f21d5bb01
Instruction ID: 8ea65f320f760853a14eb7b355f08ed8aef8fdd8d4bda65efba1c31ac82e56e0
Opcode Fuzzy Hash: 20697a560b78962f05365f5cfccf9da7944c552d0364d7a348c1930f21d5bb01
Instruction Fuzzy Hash: 2A717F74E0420A9BCF08CFAAD549AAEFBF2AB89310F14D92AD515E7354D7349A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05C91E68, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

\4., xrefs: 05C91EEC

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID: \4.
API String ID: 0-4045837250
Opcode ID: 7cd057c53cfa79d8f6d68314c3836d5bd59dc1850f2df1d8ded5cc7236d84456
Instruction ID: a334412af13edf4eeb617c12eb5f178721bc548d00d18a0ed675f2c28e1da92d
Opcode Fuzzy Hash: 7cd057c53cfa79d8f6d68314c3836d5bd59dc1850f2df1d8ded5cc7236d84456
Instruction Fuzzy Hash: 34717E74E0420A9BCF08CFEAD549AAEFBF2AB89310F14D82AD515A7254D7349A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013131B9, Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

<@Pn, xrefs: 01313328

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: <@Pn
API String ID: 0-4220650702
Opcode ID: 638b7765d221a9db1079d0ada9d3a4de28940127db3f875fd9d5513649149e21
Instruction ID: 2d322743920b7991b087495a4e8114b98a47cff51a0e573bc270549282614b0e
Opcode Fuzzy Hash: 638b7765d221a9db1079d0ada9d3a4de28940127db3f875fd9d5513649149e21
Instruction Fuzzy Hash: FC611474E00209DFCB08DF99D5809EEFBB6FB88324F148529D514AB719D734AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05C96348, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

uxUE, xrefs: 05C97669

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID: uxUE
API String ID: 0-3862800980
Opcode ID: a267195a914e5174195abb52936e8be457e181d43792fd7bb5dfa75a8f952a14
Instruction ID: b7780db2a3b6bd725524cb669a5ef12c1471cca4c43b691bec0f3f1d73409376
Opcode Fuzzy Hash: a267195a914e5174195abb52936e8be457e181d43792fd7bb5dfa75a8f952a14
Instruction Fuzzy Hash: 57613B71E1565ACBDB68CF66C8487ADB7B7FBC9300F10D5EA840EB6214E7345A918F40

Uniqueness

Uniqueness Score: -1.00%

Function 05C9633B, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

uxUE, xrefs: 05C97669

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID: uxUE
API String ID: 0-3862800980
Opcode ID: 0b884c6e4d520ef26b3cbe548fcd33f96fc996bbd8d7f86900f6c5b9d1c43c73
Instruction ID: 4b417d44f60dccf7be8080eeb7e6de45e81e91faf08bdc25b9020cab90cf6168
Opcode Fuzzy Hash: 0b884c6e4d520ef26b3cbe548fcd33f96fc996bbd8d7f86900f6c5b9d1c43c73
Instruction Fuzzy Hash: 8D615971E1565ACBDB28CF66C84879EBBB3FBC9300F10D5EA9409B7214EB305A958F40

Uniqueness

Uniqueness Score: -1.00%

Function 05C96525, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

uxUE, xrefs: 05C97669

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID: uxUE
API String ID: 0-3862800980
Opcode ID: 6a70a92b21a012634fd2ea39217af31115e412971718b095a83bbe8a4d958ddc
Instruction ID: 33c549706ebf9eb28586b8cbe2a7339674e3f221d99edcb3bb8ad37c63273d48
Opcode Fuzzy Hash: 6a70a92b21a012634fd2ea39217af31115e412971718b095a83bbe8a4d958ddc
Instruction Fuzzy Hash: F0514A70D1166ACFDB64CF65C848BA9B7B2FB89300F1099E6C40AB7244E7349AD58F40

Uniqueness

Uniqueness Score: -1.00%

Function 01316AF8, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

^ Ag, xrefs: 01316C2C

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: ^ Ag
API String ID: 0-141519826
Opcode ID: d3e1c8003fff3d61cb56050269c9cece6ff35b538d51a7d5c185386d588a1918
Instruction ID: 69e341471203b000de0693c3b0e064de83bd086a03c442bd3fefa7c263473f90
Opcode Fuzzy Hash: d3e1c8003fff3d61cb56050269c9cece6ff35b538d51a7d5c185386d588a1918
Instruction Fuzzy Hash: 76510BB0E0520A9FCB48CFEAC5415AEFBF2FF89314F24D46AC518B7218D7749A418B94

Uniqueness

Uniqueness Score: -1.00%

Function 01316B08, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

^ Ag, xrefs: 01316C2C

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID: ^ Ag
API String ID: 0-141519826
Opcode ID: ad76c70d7c55d113dafd0e339acdc6698893e7b13d45f3f533329ca936b049bd
Instruction ID: 23cde561c0ce3d1d0eaa4a847352c9c2622cdc247319815bb7f30cf0a0ebb7b9
Opcode Fuzzy Hash: ad76c70d7c55d113dafd0e339acdc6698893e7b13d45f3f533329ca936b049bd
Instruction Fuzzy Hash: 2B5109B0E0520A9FCB08CFEAC5415AEFBF6BF88314F24D469C519B7618D7749A418B94

Uniqueness

Uniqueness Score: -1.00%

Function 05C91958, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411068018726092c7d55a6c285f053d8f38f7edf0694997c347c1654cd620b4e
Instruction ID: ba2046e6963f459141bfaf19ec4b98c62516bd46070a148445e64025bad22497
Opcode Fuzzy Hash: 411068018726092c7d55a6c285f053d8f38f7edf0694997c347c1654cd620b4e
Instruction Fuzzy Hash: 38B14B74E0420A8BCF08CFAAC54559EFBF2BF89310F28C96AC409F7255DB349942CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05C91968, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc396afe2dcadc74ac02d795feb9bd7b5e5a157e2c003e4eef99db64cad4e1f
Instruction ID: 0613fc7f732239a7fbed03cc1407ab4034fd562db04f0e79178c73a65b9e8cec
Opcode Fuzzy Hash: 8dc396afe2dcadc74ac02d795feb9bd7b5e5a157e2c003e4eef99db64cad4e1f
Instruction Fuzzy Hash: D9B13A74E0420A8BCF08CFAAC54559EFBF2BF89310F28C96AC409FB254DB349942CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05C95F78, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cebf92c80b4f8f3ba797f02334e78cd3d8a925b198fe8ee7fa604a31e1396f
Instruction ID: 09a62ae17558912cab8d2bc1014f131d98340e8222bf71dc21cf687bb8169f4e
Opcode Fuzzy Hash: 44cebf92c80b4f8f3ba797f02334e78cd3d8a925b198fe8ee7fa604a31e1396f
Instruction Fuzzy Hash: 3E912874E0520ACFCF09CFAAD9445AEBBF6FF89300F24942AD515AB214D7349A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C95F88, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aee0078998ae0fb57c7cd3c077cfb317377a393278f20086eea3efd8886c4e0
Instruction ID: 0b2e744432ff2de37988c137758b90a1efe95bdb8c8f9357dac74ee600c21841
Opcode Fuzzy Hash: 1aee0078998ae0fb57c7cd3c077cfb317377a393278f20086eea3efd8886c4e0
Instruction Fuzzy Hash: A591F574E0520ADFDF08CFAAD5449AEBBF6FF89300F20942AD515BB214D7349A428F95

Uniqueness

Uniqueness Score: -1.00%

Function 05C90958, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33bd337692ec2fcac75d3314fc4c0010c450d7ed97782cfd376bfa4251c8fca
Instruction ID: fc677e7b08efa2d00c5b5484e1a4dc5744592c4cca3e68394681b865539a8ccc
Opcode Fuzzy Hash: f33bd337692ec2fcac75d3314fc4c0010c450d7ed97782cfd376bfa4251c8fca
Instruction Fuzzy Hash: 5F916DB0E052598FCB18CF65C9896AEBBF2FB89304F24856AD405F7355DB309E42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05C909C8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fdbddc2bf5b71f7ffdc7f60429e3cd491e1171171fb0ecf1fce19a57cfd92d
Instruction ID: 3c4325df47d7cfe9ecb327d7d83248c5be82bb70627ce0c4a7c0fc0321f516e0
Opcode Fuzzy Hash: a9fdbddc2bf5b71f7ffdc7f60429e3cd491e1171171fb0ecf1fce19a57cfd92d
Instruction Fuzzy Hash: 9C815B74E052199FDB18DFA9C984AAEFBB3FB88304F248569D409B7315DB309A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01316898, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22178b4b00ef6e05953d0034406bc5707b14cf509d1a05dd8cb4018e8faf479
Instruction ID: b257d7f183ae56789022568e24c86d34faa771475d8b104fa098ec8487702dc2
Opcode Fuzzy Hash: f22178b4b00ef6e05953d0034406bc5707b14cf509d1a05dd8cb4018e8faf479
Instruction Fuzzy Hash: C561F3B4E05609CFCB08CFE9C5819DEFBF6FB89214F28906AD415F7268D3709A418B64

Uniqueness

Uniqueness Score: -1.00%

Function 013168A8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2fa84ef09d95816513630ceb2bb4b59e53aea2f87cd6aa243cbfd5633dfbff
Instruction ID: 0f1372538d36f80a6dd463d6faece6d81b45b465c675f60fe5e7644f0bdb94d6
Opcode Fuzzy Hash: fb2fa84ef09d95816513630ceb2bb4b59e53aea2f87cd6aa243cbfd5633dfbff
Instruction Fuzzy Hash: 4361E2B4E1560DCFCB08CFE9C9819DEFBF6FB88214F24946AD415B7218D7709A418B64

Uniqueness

Uniqueness Score: -1.00%

Function 05C927D8, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9857b6fed6bbbb70687b11afafc49ee54fe2f2ee5c1ea18b43a1fa465ee552
Instruction ID: a487219a8078da8a2b20fecca50e0d465276df9dd3af3077858358b8e81ec0cd
Opcode Fuzzy Hash: ea9857b6fed6bbbb70687b11afafc49ee54fe2f2ee5c1ea18b43a1fa465ee552
Instruction Fuzzy Hash: 1E613C74E141199BDB18DF69C980AAEFBF2FF89304F24C5A9D448A7215DB309A41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05C927B9, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855e55eb44ccfd22d4626830e57d0f4684ba2917a98537b216385c16e92c35a9
Instruction ID: 81a0305652f275228cbad7beefb093d5ee27b3f554a23118a16897482f718a05
Opcode Fuzzy Hash: 855e55eb44ccfd22d4626830e57d0f4684ba2917a98537b216385c16e92c35a9
Instruction Fuzzy Hash: E2613A74E142199FDB18CF65C980AAEFBF2FF89304F24C5A9D448A7255DB309A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C90FDD, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e661c46ccc2389a0c106551ce12dd46b77ac04a1dd5bac347e7daa5fc6097e
Instruction ID: 4e31d94b6c5e41fc442774ae4eb82e621d3d97b9d3d1e11fd0df92670f44d487
Opcode Fuzzy Hash: d5e661c46ccc2389a0c106551ce12dd46b77ac04a1dd5bac347e7daa5fc6097e
Instruction Fuzzy Hash: A1515C70E052198FDB58CF69D989B9EBBF2FF88300F1484A9D509A7355DB309A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05C91018, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0912c1d8caba248000d1b1fed5813db0563a40d7f8418dc7352d6f1329b97ced
Instruction ID: 54cb41d583abd38cf1397c3bf256c99a4035758d296a19ae238606871019ea04
Opcode Fuzzy Hash: 0912c1d8caba248000d1b1fed5813db0563a40d7f8418dc7352d6f1329b97ced
Instruction Fuzzy Hash: C651F674E042198FDB58CF6AD985B9EF7F2BF88200F1484A9D909A7354DB309A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05C90F9A, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b255d5a80d1ab1b9ce686a72d6470b30e412d301f4f77587f1227fe2e2b5d196
Instruction ID: 41c642ade251d47a01ad798aa25e45c167a259a44ab5ebb8d9a5dd412ab969d3
Opcode Fuzzy Hash: b255d5a80d1ab1b9ce686a72d6470b30e412d301f4f77587f1227fe2e2b5d196
Instruction Fuzzy Hash: E6513870E052198FDB58CF69D985BAEBBF2BF88200F1484AAD509A7315DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01316660, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf7e2500e1b3adf4f2169cc8e95497343dd4fba93e94245a470b6993304878f
Instruction ID: c2b977cee5736ef13c833ff73b5389f1b376dea315d81310c5ec931767c9fd0c
Opcode Fuzzy Hash: daf7e2500e1b3adf4f2169cc8e95497343dd4fba93e94245a470b6993304878f
Instruction Fuzzy Hash: 0F41F7B4E0420ACFCB48CFAAC5815AEFBF6FF88314F14C46AC515A7259E7749A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 01316670, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257782435.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e10cd948e549c40c8f156f7849ed0f1230994ce688c00fd7d04f6bad8fdf3cd
Instruction ID: 06d1135aa538225c0114a486395614eb8f6e14df9944de4ff363b511b3a47876
Opcode Fuzzy Hash: 6e10cd948e549c40c8f156f7849ed0f1230994ce688c00fd7d04f6bad8fdf3cd
Instruction Fuzzy Hash: 8B41E7B4E0420ACFCB48CFEAC5415AEFBF6BB88314F24C46AC515A7258E7749A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 05C92168, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84c6b214855da5900255d8d819b8a83b65ccc7a42da8f4b452f5afcc75634e9
Instruction ID: 6bf625d0071440189c194a04e4cf160018183fa6e239b54cae6d117386198d02
Opcode Fuzzy Hash: e84c6b214855da5900255d8d819b8a83b65ccc7a42da8f4b452f5afcc75634e9
Instruction Fuzzy Hash: 7711E775E116199BDB08CFABD9446EEFBF7EBC8210F24C16AD508A7214DB305A428F91

Uniqueness

Uniqueness Score: -1.00%

Function 05C9215B, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268516003.0000000005C90000.00000040.00000001.sdmp, Offset: 05C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a443660c72b0bc3fe2443b9ad1dfed5075be15f6829d6dd4ff382d4f9cf75be
Instruction ID: 69d6548c0ce6cdc4fc396fabdf787af870c2d32127297e2b636ec3b2ab84c03a
Opcode Fuzzy Hash: 5a443660c72b0bc3fe2443b9ad1dfed5075be15f6829d6dd4ff382d4f9cf75be
Instruction Fuzzy Hash: 93111C74E116199BDB08CFABD94469EFBF7AFC8300F18C03AD508A7214DB345A428F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Malware.AI.4228845530.13946.exe PID: 5756 Parent PID: 4012 SecuriteInfo.com.Malware.AI.4228845530.13946.exeCOMMON

Executed Functions

Function 0146B7B0, Relevance: 2.4, APIs: 1, Instructions: 914libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0146C0C0

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67ce3045917382bf0c497710653a2337f31870505cc66fdeadb5828f5037f278
Instruction ID: c8c6c0f836528539bf3a2d8ed6555c4066047960536843154bc5e4f30db2f155
Opcode Fuzzy Hash: 67ce3045917382bf0c497710653a2337f31870505cc66fdeadb5828f5037f278
Instruction Fuzzy Hash: AB824B30E007198FCB25EF78C8546AEB7F5AF89304F1185AAD549AB365EF309D89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014FB838, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.501538427.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48910341847e2afca7a93d41007f2f430085dc434c387b2c1c9b5c6948159439
Instruction ID: a1a4d8435de327ede105708e06daee0e65ae6bfe0d24f4dfa51f80b80e7dcd69
Opcode Fuzzy Hash: 48910341847e2afca7a93d41007f2f430085dc434c387b2c1c9b5c6948159439
Instruction Fuzzy Hash: 14F13A30A00209CFDB14DFA9C944B9EBBF1FF89304F15855EE609AB3A5DB74A946CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0146D198, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0146D1D9

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63d309f35e882747c23fef55a0a99fcc66ef4da51a6a294ce96d3f236c6b7d83
Instruction ID: d88099050de8a722d7af81a3b0a60f33fbe0e09acb3eaef7d2acf320883b5252
Opcode Fuzzy Hash: 63d309f35e882747c23fef55a0a99fcc66ef4da51a6a294ce96d3f236c6b7d83
Instruction Fuzzy Hash: AA614A30F00315DBDB14EFF9D4587AEBBB6AF84208F118829D452AB364DB749949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01816940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 018169A0
GetCurrentThread.KERNEL32 ref: 018169DD
GetCurrentProcess.KERNEL32 ref: 01816A1A
GetCurrentThreadId.KERNEL32 ref: 01816A73

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aa1d50fd96ffc885c58017f8988a9cd49f2954938d65187b19323ad5fb669d6f
Instruction ID: 0dcb907cbd69e145917f58cf1454f18cdd48a5c91ec1713efc4d49eb7ad0b954
Opcode Fuzzy Hash: aa1d50fd96ffc885c58017f8988a9cd49f2954938d65187b19323ad5fb669d6f
Instruction Fuzzy Hash: A25164B09002888FDB04CFAAC548BDEBBF5EF88314F208459E559B7364DB746984CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01467328, Relevance: 3.8, APIs: 2, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b667a4e828b4432006e8dbe024e11b9f08480364ff4630fd9da0c5d9518ef341
Instruction ID: 8c51c282506de8aa776760f59d7a9eca0a4af2b2751daaeb8cd8cee380a1088e
Opcode Fuzzy Hash: b667a4e828b4432006e8dbe024e11b9f08480364ff4630fd9da0c5d9518ef341
Instruction Fuzzy Hash: EC42CF30B043058FCB159BB8C8546AE7BF6AF85309F15856AD509DB3A5EF34DC4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 01468811, Relevance: 3.1, APIs: 2, Instructions: 110COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 014688F8
ReplacePartitionUnit.KERNEL32 ref: 01468936

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: 7ab260d00db2339d9404674fbb4b6d2acc34f53050d0700803684e75f2ba8b0f
Instruction ID: 6c5d2ef3669bc6384cc1d2666c25d7dd3a32c7f7ab796f5a8027ba59a09caca1
Opcode Fuzzy Hash: 7ab260d00db2339d9404674fbb4b6d2acc34f53050d0700803684e75f2ba8b0f
Instruction Fuzzy Hash: 0841C630B043468FC741DB78C8546AE7BF5EF8A714B1584BAD518DB3A1EB389D068B52

Uniqueness

Uniqueness Score: -1.00%

Function 0146D470, Relevance: 3.1, APIs: 2, Instructions: 90COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 0146D508
ReplacePartitionUnit.KERNEL32 ref: 0146D546

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: b80585c5ac825fb1d76e18eccb774e5b8dd8bae0c7a776dac13d40b07091ddd5
Instruction ID: f4c49134b1fc55539aca9b9ff45d4494bc2aaeae383abd45d978ccc54e39e4ec
Opcode Fuzzy Hash: b80585c5ac825fb1d76e18eccb774e5b8dd8bae0c7a776dac13d40b07091ddd5
Instruction Fuzzy Hash: 3831AE30B0425A8FC751DBBCD854AEE7BF1EF8931871180AAD149DB361EB389C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0146D97E, Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 0146DA18
ReplacePartitionUnit.KERNEL32 ref: 0146DA56

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: 8f934e21f36b3aa3485fdbdcf830d7900a0619982e1d22d7818dc357c67d74df
Instruction ID: 8ef013b56c3c7d257931592e8ae1aadaa7abac0384d34aa7876798a40aac8214
Opcode Fuzzy Hash: 8f934e21f36b3aa3485fdbdcf830d7900a0619982e1d22d7818dc357c67d74df
Instruction Fuzzy Hash: 45212970B0421A8FC741DBBCC8546AEB7F2EF89614B5580AAD04DDB765EB38DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0146D9E0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 0146DA18
ReplacePartitionUnit.KERNEL32 ref: 0146DA56

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: 275929269a85718fe40c3a2935db21d161a1b7b86b2486fefba73e285575ffde
Instruction ID: a303cd93a18c471bb45f4d57fd566741570706c3238561d05f6c3a8f7b7130a1
Opcode Fuzzy Hash: 275929269a85718fe40c3a2935db21d161a1b7b86b2486fefba73e285575ffde
Instruction Fuzzy Hash: 5711A170F0412A8F8B84EBBDC854AAEB7F1FB8C6147508429D51DE7354EB349C018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 014688C0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 014688F8
ReplacePartitionUnit.KERNEL32 ref: 01468936

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: af5da479e85773588ea204d0643916bbb80b5dc78b0236bb127e5b9a91d65f7f
Instruction ID: b93550ef9dff9f9ee0ab56f88f1c4db201c707136302f96d9d31016e941b3fb2
Opcode Fuzzy Hash: af5da479e85773588ea204d0643916bbb80b5dc78b0236bb127e5b9a91d65f7f
Instruction Fuzzy Hash: F311A130F0021A8F8B80EBBDC854AAEB7F1FB8D6147518029D519E7354EB349D068B91

Uniqueness

Uniqueness Score: -1.00%

Function 01467CC0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 01467CF8
ReplacePartitionUnit.KERNEL32 ref: 01467D36

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: 5d25dab1186503dab84a6ac87e40262bc29c3ecfa4c8fa9fc8c2857156bb039f
Instruction ID: 0da03335bf82d1734c3c41694d2efc7b2e5dcf182df8ab68d8e6e6432aabbdfb
Opcode Fuzzy Hash: 5d25dab1186503dab84a6ac87e40262bc29c3ecfa4c8fa9fc8c2857156bb039f
Instruction Fuzzy Hash: A211A131F001198F8B80EBBDC854AAEB7F2FB9C6187508429D519E7714EB349D028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0146D4D0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 0146D508
ReplacePartitionUnit.KERNEL32 ref: 0146D546

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: cb7924f2eeb5f25f42bcb7f22f404deeca57d9062174996e65b83fe81e6b61a7
Instruction ID: c592c519ee1428c1f6bc20c95a52833271c7470cdf77d0373c35ce07d2f2cc43
Opcode Fuzzy Hash: cb7924f2eeb5f25f42bcb7f22f404deeca57d9062174996e65b83fe81e6b61a7
Instruction Fuzzy Hash: D7118E30F0022A8F8B80EBBDD854AAE77F1FFDC618750846AD519E7714EB349D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 014684E1, Relevance: 1.8, APIs: 1, Instructions: 262libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0146868F

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b97d85c40025af602188e0c1fb4f730de1af6463392696e62a562b14ab65c0e8
Instruction ID: 40d3d9760db4f6f8ffc92b8f278718d922ff7d3794eac5187ee7dde48006b0ff
Opcode Fuzzy Hash: b97d85c40025af602188e0c1fb4f730de1af6463392696e62a562b14ab65c0e8
Instruction Fuzzy Hash: 6291D331A043469FC705DB78D858AAE7BF6AF85304F1584ABD405DB2A6EF34DC09C752

Uniqueness

Uniqueness Score: -1.00%

Function 01468630, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0146868F

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91a6402092b08afefcb4092d1f9b507bd90857b268544bc0f4c65db55e21138a
Instruction ID: 7abd30fc74d0e11d5cf987ec6642a76a6bef23ade367bb2813789705de8044c7
Opcode Fuzzy Hash: 91a6402092b08afefcb4092d1f9b507bd90857b268544bc0f4c65db55e21138a
Instruction Fuzzy Hash: 0A51C871A003069BCB04EFB4D954AAEB7B5BF88208B15892AD516DF394DF30DC48C791

Uniqueness

Uniqueness Score: -1.00%

Function 0146F908, Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac013d915babed5e1866e230c2e4ef54eea7b85ec112249b9251957cc802114a
Instruction ID: 6af9fb7a03dfa9aebaded286c78683509f43d7efa70cec60f9dfef3b78966746
Opcode Fuzzy Hash: ac013d915babed5e1866e230c2e4ef54eea7b85ec112249b9251957cc802114a
Instruction Fuzzy Hash: 38412272E043598FCB04CBA9D4106AEBBF4EF89224F05816BD544E7311DB749889CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01815084, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018151A2

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1ada586cdbf0948a241c14dcd97700094e02f46e98d40d450b2702ea38eb0229
Instruction ID: 0fc61ab2a56fadc64de67cf705b06356b5576d9f2bbe56e1c6c669c049a318d3
Opcode Fuzzy Hash: 1ada586cdbf0948a241c14dcd97700094e02f46e98d40d450b2702ea38eb0229
Instruction Fuzzy Hash: 8051EEB1D003489FDF15CFA9C884ADEBBB5BF88314F24812AE819AB214D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01815090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018151A2

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fa1d099399b64391a1dc1d8ad0b4ef70a567d4c1c3cf2107a08e9ed4fc68bae6
Instruction ID: cbebc0cf1f2c65eb0ce7ca4ab5ffa6d0e6d26a5e8aeb19ffbba4fbbd4eb44286
Opcode Fuzzy Hash: fa1d099399b64391a1dc1d8ad0b4ef70a567d4c1c3cf2107a08e9ed4fc68bae6
Instruction Fuzzy Hash: 2641CEB1D103489FDF15CF99C884ADEBFB5BF88314F24812AE819AB214D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0181779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01817F09

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 219396529895ffc35e3e89a2ff16f436661bab22c34493f74726a38185aa4e80
Instruction ID: 1da32fd4f7aaf11f5908d1b9a203eb652868792863493f3b5641fee39098a9e2
Opcode Fuzzy Hash: 219396529895ffc35e3e89a2ff16f436661bab22c34493f74726a38185aa4e80
Instruction Fuzzy Hash: 72414CB5900349CFDB14CF59C488AAABBF9FF88314F15845DE519A7315C734AA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0146D138, Relevance: 1.6, APIs: 1, Instructions: 86libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0146D1D9

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c21f555b37df50fbc463562ce2a8db3c89d653658aa093ad0f42a03fecfc8732
Instruction ID: af1b4dcf44dbef177b42010fa9e088a02124edd393ec0f452c8f40314a725043
Opcode Fuzzy Hash: c21f555b37df50fbc463562ce2a8db3c89d653658aa093ad0f42a03fecfc8732
Instruction Fuzzy Hash: CD317C30F00349DFD705CBA8C444AEEBBB6FB85314F25846AD004AB361DB79D886CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0181C189, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0181C212

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: d5a0634eae2189ecbd6229326ee735fa6102bf4f64c7fd9bed6ab1c28b1ffa87
Instruction ID: 392c0f826ba97a094ca1bacfbeb6362c997180139e46be19ce69f26d4d55af73
Opcode Fuzzy Hash: d5a0634eae2189ecbd6229326ee735fa6102bf4f64c7fd9bed6ab1c28b1ffa87
Instruction Fuzzy Hash: 4D31E1B28053848FDB10EFA9D9487DE7FF4EB49308F14805AD449E7256C7396644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01816B65, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816BEF

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a077ba38a1aeacaa83dd22a65aa045c164cc0fe8caa5f5bd2e0c7fbfc58f9f6
Instruction ID: 26fff0bb7da92fbf54beec98421cf3857fb996f75531579131d57060d02a8858
Opcode Fuzzy Hash: 6a077ba38a1aeacaa83dd22a65aa045c164cc0fe8caa5f5bd2e0c7fbfc58f9f6
Instruction Fuzzy Hash: FB21E3B5D00248AFDB10CFA9D984AEEBBF4FB48314F14851AE954A3310D374AA44DF60

Uniqueness

Uniqueness Score: -1.00%

Function 01816B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816BEF

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0e0960e5667a96b4249a9c311e3855ad8f918693c970051480109ba606ba431
Instruction ID: 356ab023910ee75fb441880c7646df5f5681c32756678c330146ca4f66a35159
Opcode Fuzzy Hash: e0e0960e5667a96b4249a9c311e3855ad8f918693c970051480109ba606ba431
Instruction Fuzzy Hash: 0521C2B5D00258AFDB10CFA9D984ADEBBF8FB48324F15845AE954A3310D374AA44DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F6918, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,014F7B39,00000800), ref: 014F7BCA

Memory Dump Source

Source File: 00000006.00000002.501538427.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5555e4aa839cdb6f0f1a263d6cd11e11cefd92b619126ac7cc77dd5343b8c66c
Instruction ID: d14e7116dab4d9763af60a90290e85f09575c894e15153fff728cdcd5a5f280d
Opcode Fuzzy Hash: 5555e4aa839cdb6f0f1a263d6cd11e11cefd92b619126ac7cc77dd5343b8c66c
Instruction Fuzzy Hash: E31103B6D002499FDB10CF9AC448B9EBBF4EB89318F14842EEA15A7710C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0146E47C, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0146F95A), ref: 0146FA47

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d4451ab73d39dc047c94b444901353cc93cb4439f91e000b58148f384a07bebe
Instruction ID: b56f16fbe060eac62eb5f36bd18b078c09e8c3419cabb9e517ef89ea74f04ee1
Opcode Fuzzy Hash: d4451ab73d39dc047c94b444901353cc93cb4439f91e000b58148f384a07bebe
Instruction Fuzzy Hash: 9B1144B1C006599BCB00CF9AD544BDEFBF4AF48228F05816AD914B7340D378A948CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 014F7B59, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,014F7B39,00000800), ref: 014F7BCA

Memory Dump Source

Source File: 00000006.00000002.501538427.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10633d234499bc2d275c830d18114c9923f271ed63ce855d2b6760ee28116685
Instruction ID: 6fc911700d91772c6eafd2113589a9b61c460e30412048cee7f45f35cfab64cd
Opcode Fuzzy Hash: 10633d234499bc2d275c830d18114c9923f271ed63ce855d2b6760ee28116685
Instruction Fuzzy Hash: 891103B29002499FDB10CF9AC448ADEBBF4AB88324F14841ED615B7710C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146F9D8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0146F95A), ref: 0146FA47

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: da20a141568597700234413304ff8ae705fd717918320b2cfab53bace3150f59
Instruction ID: 271f6cc2500839add377cb00d011c844f4794e78445469d688a769b0cba31c58
Opcode Fuzzy Hash: da20a141568597700234413304ff8ae705fd717918320b2cfab53bace3150f59
Instruction Fuzzy Hash: B01103B1C006599BCB00CF9AD544BDEBBF4BF48228F15816AD914B7240D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0181C198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0181C212

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: af484e3c55651b657e3fd5fb5c99ca37552b4720f65b42421fd93d1ca6cdd49c
Instruction ID: 8963411d19921d0befc69a715fdc240248c536e1d85b7a5cc607bdea20dd4a5b
Opcode Fuzzy Hash: af484e3c55651b657e3fd5fb5c99ca37552b4720f65b42421fd93d1ca6cdd49c
Instruction Fuzzy Hash: 97117FB19003458FDB10EFE9D9487DEBBF8EB48314F14842AD449E3615D7396644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01813300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01814116

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 27ddcd8c577c03b19841ac3a104ad106a3480495718916255c2884d555ce714a
Instruction ID: 20a4c3c3ca2abb06cd56679725954ece48a5508bbd04b2661a3f326d3c001a4c
Opcode Fuzzy Hash: 27ddcd8c577c03b19841ac3a104ad106a3480495718916255c2884d555ce714a
Instruction Fuzzy Hash: 3B1134B2D006498FDB10CF9AC444BDEFBF8EB48314F11842AD929B7200D374A649CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018140AB, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01814116

Memory Dump Source

Source File: 00000006.00000002.502150624.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4accf12d4a8c7931d37448e9498ceb03d034e1bf0de17a408b378e262bd2d683
Instruction ID: 65c3cd1cdc3678e881aeb926d3c27af3a691c71042bb6f78bfbb10a81085e8c3
Opcode Fuzzy Hash: 4accf12d4a8c7931d37448e9498ceb03d034e1bf0de17a408b378e262bd2d683
Instruction Fuzzy Hash: 721112B2D006498FDB10CFAAC444BCEBBF4AB48314F15852AD819B7204D375A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014FA708, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 014FB675

Memory Dump Source

Source File: 00000006.00000002.501538427.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 302e2f10cc7fb95f987f5e05acb6a80730bf2b1c4381ebc2a05c357541ee07b4
Instruction ID: 07940f862b550fbbb7433ee920d5126fd3cd653cd7b889aa687ed08b8135e486
Opcode Fuzzy Hash: 302e2f10cc7fb95f987f5e05acb6a80730bf2b1c4381ebc2a05c357541ee07b4
Instruction Fuzzy Hash: EF1133B19006888FDB10CF99C448B9EBBF4EB48328F14845ADA18B3310C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014FB618, Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 014FB675

Memory Dump Source

Source File: 00000006.00000002.501538427.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e76cb79a15454ec86e7e78c2c2747297575b68a9812a0746cc5192abd6b4db0c
Instruction ID: 47047a5a8b53f99a1dc15478ab3fa387e5a5551c5c9b7dcf1f936166f602c383
Opcode Fuzzy Hash: e76cb79a15454ec86e7e78c2c2747297575b68a9812a0746cc5192abd6b4db0c
Instruction Fuzzy Hash: 451103B19046888FDB10CF99D448BDEBBF4EB49328F14855AD558A7710C379A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01467D1F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 01467D36

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: d5313a17fb5b2ef3e550ffe76d9b4148b44c6fc9c536ec0adbfbca6ef83aafbc
Instruction ID: 711de25706c287f7dd37f4b77d8ce3ee3eb291d0a5278b5347730f640dbed22f
Opcode Fuzzy Hash: d5313a17fb5b2ef3e550ffe76d9b4148b44c6fc9c536ec0adbfbca6ef83aafbc
Instruction Fuzzy Hash: 8CE09232F000298B8F04EBBCD4648DCB3F1BF9C2187058065D51AE7358EF349D068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0146891F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 01468936

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: 967b20a022d59ad0b586e4c04db567d545b56ee6b7fbce22ab66f219d87aef08
Instruction ID: 557af83f2476885560644da6c9f57ec91d6d8a16cc7f1a7c912e4c0eb0b33c78
Opcode Fuzzy Hash: 967b20a022d59ad0b586e4c04db567d545b56ee6b7fbce22ab66f219d87aef08
Instruction Fuzzy Hash: 9AE01236F0012A8B8F44EBB8D4548DD73F5BF9C6187058065D51BE7358EF349D068792

Uniqueness

Uniqueness Score: -1.00%

Function 0146D52F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 0146D546

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: 1d587b7856bae822b702c81747638ceec797d78a809fb4918f124aed2fbd4675
Instruction ID: ecfe3d96eebd77ea9203a10a7645b03c5afa1ee2c35f77f64e97725bedc7530a
Opcode Fuzzy Hash: 1d587b7856bae822b702c81747638ceec797d78a809fb4918f124aed2fbd4675
Instruction Fuzzy Hash: 8BE06D32F0002A8B8F04EBB8D4648DC73E1AF982187058065D50AE7358EF349D058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0146DA3F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ReplacePartitionUnit.KERNEL32 ref: 0146DA56

Memory Dump Source

Source File: 00000006.00000002.501322366.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: PartitionReplaceUnit
String ID:
API String ID: 3501261622-0
Opcode ID: a28e44d287f5479a4ebcdd6402fea6150fc316b055e94e0eb72a6d1eef866d08
Instruction ID: 37481ae005ad1d331d5c96c643c26987df4244ac84f87ad8f5318a716b56a90f
Opcode Fuzzy Hash: a28e44d287f5479a4ebcdd6402fea6150fc316b055e94e0eb72a6d1eef866d08
Instruction Fuzzy Hash: 86E06D32F0402A8B8F04EBB8D4548DCB3E1AB986187058065D50AE7358EF349C058791

Uniqueness

Uniqueness Score: -1.00%

Function 0156D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.501827915.000000000156D000.00000040.00000001.sdmp, Offset: 0156D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88bca537bc7ff2bc703cfd605a42a445d17999f05c3496de21c472347cc71a9
Instruction ID: c5cf66c68c9cf02b40c2c11a43924e81ca1d18af928b3831c971e0ad105b6d9c
Opcode Fuzzy Hash: d88bca537bc7ff2bc703cfd605a42a445d17999f05c3496de21c472347cc71a9
Instruction Fuzzy Hash: 58210675604244DFDB11CF54D4C0B2ABBB9FB84364F24CD69D9894F246D336D846C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0156D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.501827915.000000000156D000.00000040.00000001.sdmp, Offset: 0156D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ae8d59393765d7ae86190856ba0ae6316655a371efa0d8f5b6dac3849abdf3
Instruction ID: a2d0d8885362efd9fd505af32b67b122b0d0d02cb9bd4e3f3e27dfc4c6e4920a
Opcode Fuzzy Hash: 99ae8d59393765d7ae86190856ba0ae6316655a371efa0d8f5b6dac3849abdf3
Instruction Fuzzy Hash: BE2180755093808FDB02CF24D990B15BF71FF46224F28C5DAD8898F657D33A980ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.258278831.0000000002F74000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUPUUHYtnpTKoXtyRejHoSmyBkdQcDqfWz.exe4 vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.257261739.0000000000B51000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exeF vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000003.248294877.00000000034EE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.266244360.0000000005710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.257816149.000000000132B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000001.00000002.259348997.0000000003440000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000004.00000002.252488681.0000000000300000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exeF vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000005.00000000.253243433.00000000003D0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exeF vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000000.254313896.0000000000D40000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exeF vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.499004445.00000000010F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.498013758.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameUPUUHYtnpTKoXtyRejHoSmyBkdQcDqfWz.exe4 vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.501293215.0000000001450000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe, 00000006.00000002.501160686.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe
Source: SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exeF vs SecuriteInfo.com.Malware.AI.4228845530.13946.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Malware.AI.4228845530.13946.10796

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre