Play interactive tour
Edit tourAnalysis Report Ko4zQgTBHv.exe
Overview
General Information
| Sample Name: | Ko4zQgTBHv.exe |
| Analysis ID: | 412502 |
| MD5: | 02bc365a934e558eb634e19dd2d33e64 |
| SHA1: | a7fcb0381c4f68ebea3dda4508a789a23eb9f637 |
| SHA256: | bd97a138f3c0b9b078c119bcb59793ceca55120411c95635cc4d12c01406c2cd |
| Tags: | AgentTeslaexe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "SMTP Info": "jojo@glimpse-it.co@Mexico1.,mail.privateemail.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 8 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 1 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | ReversingLabs: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0B58CAD8 | |
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Installs a global keyboard hook | Show sources | ||
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Window created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00807DA2 | |
| Source: | Code function: | 0_2_0B583B18 | |
| Source: | Code function: | 0_2_0B5893A0 | |
| Source: | Code function: | 0_2_0B588660 | |
| Source: | Code function: | 0_2_0B58A218 | |
| Source: | Code function: | 0_2_0B588D08 | |
| Source: | Code function: | 0_2_0B583B09 | |
| Source: | Code function: | 0_2_0B585BD0 | |
| Source: | Code function: | 0_2_0B585BCB | |
| Source: | Code function: | 0_2_0B589390 | |
| Source: | Code function: | 0_2_0B588651 | |
| Source: | Code function: | 0_2_0B589E48 | |
| Source: | Code function: | 0_2_0B58A207 | |
| Source: | Code function: | 0_2_0B589E39 | |
| Source: | Code function: | 0_2_0B5866C8 | |
| Source: | Code function: | 0_2_0B5842F0 | |
| Source: | Code function: | 0_2_0B5842E1 | |
| Source: | Code function: | 0_2_0B5866B8 | |
| Source: | Code function: | 0_2_0B58A539 | |
| Source: | Code function: | 0_2_0B584998 | |
| Source: | Code function: | 0_2_0B584993 | |
| Source: | Code function: | 0_2_0B58A450 | |
| Source: | Code function: | 0_2_0B580040 | |
| Source: | Code function: | 0_2_0B584010 | |
| Source: | Code function: | 0_2_0B580006 | |
| Source: | Code function: | 0_2_0B584020 | |
| Source: | Code function: | 0_2_0B588CFB | |
| Source: | Code function: | 0_2_0B58A4A7 | |
| Source: | Code function: | 4_2_006C7DA2 | |
| Source: | Code function: | 4_2_029146A0 | |
| Source: | Code function: | 4_2_029145B0 | |
| Source: | Code function: | 4_2_0291DA01 | |
| Source: | Code function: | 4_2_05D07540 | |
| Source: | Code function: | 4_2_05D094F8 | |
| Source: | Code function: | 4_2_05D06C70 | |
| Source: | Code function: | 4_2_05D06928 | |
| Source: | Code function: | 4_2_06195608 | |
| Source: | Code function: | 4_2_061906D0 | |
| Source: | Dropped File: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0080764E | |
| Source: | Code function: | 0_2_00807684 | |
| Source: | Code function: | 0_2_0B5847E4 | |
| Source: | Code function: | 4_2_006C7684 | |
| Source: | Code function: | 4_2_006C764E | |
| Source: | Code function: | 4_2_05D025E2 | |
| Source: | Code function: | 4_2_05D02602 | |
| Source: | Code function: | 4_2_05D025C2 | |
| Source: | Code function: | 4_2_05D025B2 | |
| Source: | Code function: | 4_2_05D02582 | |
| Source: | Code function: | 4_2_05D0267E | |
| Source: | Code function: | 4_2_05D02622 | |
| Source: | Code function: | 4_2_05D021CA | |
| Source: | Code function: | 4_2_05D0114E | |
| Source: | Code function: | 4_2_05D050FE | |
| Source: | Code function: | 4_2_05D0105A | |
| Source: | Code function: | 4_2_05D01078 | |
| Source: | Code function: | 4_2_05D01069 | |
| Source: | Code function: | 4_2_05D0B37A | |
| Source: | Code function: | 4_2_05D052D6 | |
| Source: | Code function: | 4_2_05D01236 | |
| Source: | Code function: | 4_2_05D0BEBA | |
| Source: | Code function: | 4_2_05D0BF0A | |
| Source: | Code function: | 4_2_05D04EF6 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Uses schtasks.exe or at.exe to add and modify task schedules | Show sources | ||
| Source: | Process created: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File opened / queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 4_2_05D05A94 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Obfuscated Files or Information3 | Input Capture11 | File and Directory Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Software Packing3 | Credentials in Registry1 | System Information Discovery114 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading1 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture11 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery321 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion141 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Virtualization/Sandbox Evasion141 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 22% | Virustotal | Browse | ||
| 34% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML | |||
| 34% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| mail.privateemail.com | 198.54.122.60 | true | false | high |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 198.54.122.60 | mail.privateemail.com | United States | 22612 | NAMECHEAP-NETUS | false |
General Information |
|---|
| Joe Sandbox Version: | 32.0.0 Black Diamond |
| Analysis ID: | 412502 |
| Start date: | 12.05.2021 |
| Start time: | 18:31:17 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 55s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Ko4zQgTBHv.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 24 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/4@1/1 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 18:32:11 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 198.54.122.60 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| mail.privateemail.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| NAMECHEAP-NETUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\Ko4zQgTBHv.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 1314 |
| Entropy (8bit): | 5.350128552078965 |
| Encrypted: | false |
| SSDEEP: | 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR |
| MD5: | 1DC1A2DCC9EFAA84EABF4F6D6066565B |
| SHA1: | B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9 |
| SHA-256: | 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF |
| SHA-512: | 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7 |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Ko4zQgTBHv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1652 |
| Entropy (8bit): | 5.156693657693423 |
| Encrypted: | false |
| SSDEEP: | 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3vtn:cbha7JlNQV/rydbz9I3YODOLNdq3r |
| MD5: | 9D4A23205956BC2E8DD228033AC5726E |
| SHA1: | 7565F73DAB98820902B657E8C7DE52AAB948E3C7 |
| SHA-256: | F12E060679B837A16C1F0D231F1B345125EE56C69858B4C9E44EDBBEF06EF4AD |
| SHA-512: | 88F2BBFC08C1EC83DC5FF994995542D9C3752E2201C3557D20614CFF32DF100CFD3F90B358A877F8C2ED1F9EBD55ED83B4EA8A5A565726CA1D3221336C5BEFAD |
| Malicious: | true |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Ko4zQgTBHv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 971264 |
| Entropy (8bit): | 7.869815902345992 |
| Encrypted: | false |
| SSDEEP: | 12288:PYh5qL6Evo89A05qLcAwwhFsHF5xucMfz3fwXJ3CPBAEV4e1g5qLq:PY3I6jw9IcAyHFcfz3f8itCe1+Iq |
| MD5: | 02BC365A934E558EB634E19DD2D33E64 |
| SHA1: | A7FCB0381C4F68EBEA3DDA4508A789A23EB9F637 |
| SHA-256: | BD97A138F3C0B9B078C119BCB59793CECA55120411C95635CC4D12C01406C2CD |
| SHA-512: | E261643D2BFEA93CE7A907D344F19AD995519F172DEE9E9F028DEDD8C9565CD92ACD53F571078B026C62FEF70F0561060CFA7A18800EEC2F833E4D84B057D02A |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Ko4zQgTBHv.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.869815902345992 |
| TrID: |
|
| File name: | Ko4zQgTBHv.exe |
| File size: | 971264 |
| MD5: | 02bc365a934e558eb634e19dd2d33e64 |
| SHA1: | a7fcb0381c4f68ebea3dda4508a789a23eb9f637 |
| SHA256: | bd97a138f3c0b9b078c119bcb59793ceca55120411c95635cc4d12c01406c2cd |
| SHA512: | e261643d2bfea93ce7a907d344f19ad995519f172dee9e9f028dedd8c9565cd92acd53f571078b026c62fef70f0561060cfa7a18800eec2f833e4d84b057d02a |
| SSDEEP: | 12288:PYh5qL6Evo89A05qLcAwwhFsHF5xucMfz3fwXJ3CPBAEV4e1g5qLq:PY3I6jw9IcAyHFcfz3f8itCe1+Iq |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.`..............P......8......6.... ........@.. ....................... ............@................................ |
File Icon |
|---|
 | |
| Icon Hash: | f2d2e9fcc4ead362 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4eb636 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x609B63E3 [Wed May 12 05:13:07 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xeb5e4 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xec000 | 0x34d4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf0000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xeb4ac | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xe963c | 0xe9800 | False | 0.909726520677 | data | 7.89033690485 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xec000 | 0x34d4 | 0x3600 | False | 0.361689814815 | data | 5.25516289643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xf0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xec100 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | ||
| RT_GROUP_ICON | 0xee6b8 | 0x14 | data | ||
| RT_VERSION | 0xee6dc | 0x37c | data | ||
| RT_MANIFEST | 0xeea68 | 0xa65 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright 2013 |
| Assembly Version | 3.0.0.0 |
| InternalName | ScopelessEnumAttribute.exe |
| FileVersion | 3.0.0.0 |
| CompanyName | |
| LegalTrademarks | |
| Comments | |
| ProductName | ServerManager_Core |
| ProductVersion | 3.0.0.0 |
| FileDescription | ServerManager_Core |
| OriginalFilename | ScopelessEnumAttribute.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 12, 2021 18:33:57.590287924 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:57.782218933 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:57.782362938 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:57.973872900 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:57.974586010 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:58.164808035 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.165076017 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.169214010 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:58.359529018 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.402468920 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:58.430995941 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:58.622334957 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.623831987 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.623858929 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.623883009 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.623905897 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.624061108 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:58.624207973 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:58.675378084 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:58.865664005 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.866667986 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:58.918052912 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:59.144306898 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:59.334512949 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.336196899 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.341310024 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:59.531418085 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.534073114 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.535981894 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:59.728559971 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.731681108 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.732639074 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:33:59.922954082 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.925484896 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:33:59.926291943 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:34:00.116590023 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.157192945 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.158485889 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:34:00.348891020 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.349466085 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.352077007 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:34:00.352103949 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:34:00.353277922 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:34:00.353303909 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
| May 12, 2021 18:34:00.542407036 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.542478085 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.544215918 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.632358074 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 |
| May 12, 2021 18:34:00.683339119 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 12, 2021 18:32:01.505918980 CEST | 54513 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:01.567689896 CEST | 53 | 54513 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:01.654706001 CEST | 62044 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:01.708113909 CEST | 53 | 62044 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:02.769505978 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:02.831269979 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:03.903897047 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:03.955429077 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:05.422872066 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:05.471720934 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:06.750407934 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:06.799278021 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:07.854561090 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:07.903265953 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:08.032258987 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:08.102324009 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:08.895251036 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:08.946938038 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:10.643033981 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:10.693039894 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:12.426206112 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:12.476443052 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:13.700006008 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:13.751530886 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:14.812074900 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:14.860830069 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:16.004043102 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:16.052792072 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:17.855899096 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:17.907633066 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:18.961852074 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:19.010551929 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:20.196566105 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:20.245496988 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:21.418642044 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:21.471422911 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:22.550496101 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:22.602402925 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:35.321342945 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:35.395571947 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:39.164099932 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:39.225599051 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:54.132843971 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:54.192929029 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:54.744596958 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:54.795043945 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:55.451318026 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:55.500478029 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:55.809406042 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:55.882838964 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:55.922677994 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:55.984842062 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:56.285636902 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:56.347177029 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:56.502953053 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:56.551727057 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:57.149645090 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:57.201231003 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:57.670654058 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:57.729873896 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:58.704262972 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:58.763200998 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:32:59.693232059 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:32:59.750224113 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:00.341689110 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:00.390507936 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:09.605097055 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:09.677778959 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:10.886634111 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:10.946465015 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:12.776998997 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:12.836379051 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:39.965634108 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:40.040384054 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:44.842503071 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:44.916666985 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:46.437069893 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:46.505568027 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6 |
| May 12, 2021 18:33:57.399168015 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8 |
| May 12, 2021 18:33:57.461641073 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| May 12, 2021 18:33:57.399168015 CEST | 192.168.2.6 | 8.8.8.8 | 0x7f74 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| May 12, 2021 18:33:57.461641073 CEST | 8.8.8.8 | 192.168.2.6 | 0x7f74 | No error (0) | 198.54.122.60 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| May 12, 2021 18:33:57.973872900 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 | 220 PrivateEmail.com Mail Node |
| May 12, 2021 18:33:57.974586010 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 | EHLO 088753 |
| May 12, 2021 18:33:58.165076017 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 | 250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS |
| May 12, 2021 18:33:58.169214010 CEST | 49752 | 587 | 192.168.2.6 | 198.54.122.60 | STARTTLS |
| May 12, 2021 18:33:58.359529018 CEST | 587 | 49752 | 198.54.122.60 | 192.168.2.6 | 220 Ready to start TLS |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 18:32:09 |
| Start date: | 12/05/2021 |
| Path: | C:\Users\user\Desktop\Ko4zQgTBHv.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x800000 |
| File size: | 971264 bytes |
| MD5 hash: | 02BC365A934E558EB634E19DD2D33E64 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 18:32:13 |
| Start date: | 12/05/2021 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x340000 |
| File size: | 185856 bytes |
| MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 18:32:14 |
| Start date: | 12/05/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61de10000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 18:32:14 |
| Start date: | 12/05/2021 |
| Path: | C:\Users\user\Desktop\Ko4zQgTBHv.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x6c0000 |
| File size: | 971264 bytes |
| MD5 hash: | 02BC365A934E558EB634E19DD2D33E64 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 0B588D08, Relevance: .3, Instructions: 340COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B588CFB, Relevance: .3, Instructions: 339COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B583B09, Relevance: .3, Instructions: 267COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B583B18, Relevance: .3, Instructions: 266COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B58A218, Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B58A207, Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B589390, Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B5893A0, Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B58A4A7, Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B58A450, Relevance: .2, Instructions: 176COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B58A539, Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B588651, Relevance: .1, Instructions: 122COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B588660, Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B58CAD8, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B587104, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B587110, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586CB1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87threadinjectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586E80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73injectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586E88, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586CF0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadinjectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586DC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B5827B0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B5827B8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586DC8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586613, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B586618, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B58C1E8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 0B589E48, Relevance: 2.7, Strings: 2, Instructions: 228COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B589E39, Relevance: 2.7, Strings: 2, Instructions: 219COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B584010, Relevance: 1.4, Strings: 1, Instructions: 177COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B584020, Relevance: 1.4, Strings: 1, Instructions: 172COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B584998, Relevance: 1.4, Strings: 1, Instructions: 157COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B584993, Relevance: 1.4, Strings: 1, Instructions: 148COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B580006, Relevance: 1.4, Strings: 1, Instructions: 132COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B580040, Relevance: 1.4, Strings: 1, Instructions: 117COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00807DA2, Relevance: .2, Instructions: 176COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B585BD0, Relevance: .2, Instructions: 165COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B585BCB, Relevance: .2, Instructions: 154COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B5842F0, Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B5842E1, Relevance: .1, Instructions: 124COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B5866C8, Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B5866B8, Relevance: .1, Instructions: 111COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
Function 06195608, Relevance: 1.9, APIs: 1, Instructions: 396COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D05A94, Relevance: 1.6, APIs: 1, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02916940, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D0B4E7, Relevance: 1.6, APIs: 1, Instructions: 142COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D0921C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02915084, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02915090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0291779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02916B62, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02916B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0291C1A8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 029140AA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02913300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D0924C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D0C143, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D0C6F4, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D0CCCB, Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|