Analysis Report document-47-2637.xls

Overview

General Information

Sample Name:	document-47-2637.xls
Analysis ID:	432926
MD5:	92dcc47a1a044fc3a2328ec6eef3918b
SHA1:	6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
SHA256:	ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
Tags:	xls
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: document-47-2637.xls	Virustotal: Detection: 26%	Perma Link
Source: document-47-2637.xls	Metadefender: Detection: 22%	Perma Link
Source: document-47-2637.xls	ReversingLabs: Detection: 15%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 198.244.146.96:443 -> 192.168.2.22:49165 version: TLS 1.2

Source:	Binary string: extexport.pdb source: nnAzot.exe, nnAzot.exe.3.dr
Source:	Binary string: extexport.pdb"Oh source: nnAzot.exe, 00000005.00000000.2089060256.0000000000C81000.00000020.00020000.sdmp, nnAzot.exe.3.dr

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: webhub365.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.244.146.96:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.244.146.96:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown

DNS traffic detected: queries for: webhub365.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown

HTTPS traffic detected: 198.244.146.96:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" and then click "Enable Content". 23 24 25 26 27 28 29 30 31 32 33 34 35
Source: Screenshot number: 4	Screenshot OCR: Enable Content". 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 .I lj 38 , Id q p

Found Excel 4.0 Macro with suspicious formulas

Source: document-47-2637.xls

Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Source: document-47-2637.xls

Initial sample: Sheet size: 14533

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 022577F47FB074B7D942C8F01DAAC778B110A373DE03B3B5043E887995B09D52

Source: classification engine

Classification label: mal76.expl.evad.winXLS@5/14@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\18CE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC17A.tmp

Jump to behavior

Source: document-47-2637.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\cmd.exe

Console Write: ...................J............ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........B_.v............................6..........J......J..^..

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: document-47-2637.xls	Virustotal: Detection: 26%
Source: document-47-2637.xls	Metadefender: Detection: 22%
Source: document-47-2637.xls	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy '%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe' C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe 'C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe' C:\aZ8ThU0Y\ERdZMUem GdPT AuMr7	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: extexport.pdb source: nnAzot.exe, nnAzot.exe.3.dr
Source:	Binary string: extexport.pdb"Oh source: nnAzot.exe, 00000005.00000000.2089060256.0000000000C81000.00000020.00020000.sdmp, nnAzot.exe.3.dr

Source: document-47-2637.xls

Initial sample: OLE indicators vbamacros = False

Source: document-47-2637.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C84F09 push ecx; ret

5_2_00C84F1C

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\System32\cmd.exe

File created: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C8230E LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00C8230E

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: document-47-2637.xls

Stream path 'Workbook' entropy: 7.97723236264 (max. 8.0)

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: 5_2_00C84BBA SetUnhandledExceptionFilter,		5_2_00C84BBA
Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	Code function: 5_2_00C84F4C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		5_2_00C84F4C

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C84DF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_00C84DF8

Source: C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe

Code function: 5_2_00C847E2 GetVersionExA,

5_2_00C847E2

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.244.146.96	webhub365.com	United States		18630	RIDLEYSD-NETUS	false

Contacted Domains

Name	IP	Active
webhub365.com	198.244.146.96	true

ID:	432926
Product:	CloudBasic
Start time:	23:33:10
Start date:	10.06.2021
Sample:	document-47-2637.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	92dcc47a1a044fc3a2328ec6eef3918b
SHA1:	6f9266a6c0b702cbaa0a3583df5c8cd1357eae35
SHA256:	ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 60080 bytes, 1 file	6045BACCF49E1EBA0E674945311A06E6	379C6234849EECEDE26FAD192C2EE59E0F0221CB	65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	2E7776A8352D7B7340867AA27A128846	FD6DA9992DCEE317941DE8A460F26EBB4FEB94BD	C708CF029849616022F4F6F176AB59DF8DE3A5AB0E31DBA7B081338001474C41
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	221EE22598CAC868C8B16EE6D78B76D1	EEF00367633C5F7FAF69428C39C9107DEB332533	D0B5F4D8A653A322B01BDF32CB6573DBEFFD78527CEB7BFDA518855D69CB4F79
C:\Users\user\AppData\Local\Temp\57CE0000	data	E7F218C4D29FEBD5A30BB644B9DE75EC	B32B0BFA6E62EFC6CF9265142A0CC837E73FAE06	578A9F819A33168A169E9B01383EA68D40B526B1BEB9C16E9C711D75436B73DB
C:\Users\user\AppData\Local\Temp\CabCFBF.tmp	Microsoft Cabinet archive data, 60080 bytes, 1 file	6045BACCF49E1EBA0E674945311A06E6	379C6234849EECEDE26FAD192C2EE59E0F0221CB	65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
C:\Users\user\AppData\Local\Temp\TarCFC0.tmp	data	9BE376D85B319264740EF583F548B72A	6C6416CBC51AAC89A21A529695A8FCD3AD5E6B85	07FDF8BC502E6BB4CF6AE214694F45C54A53228FC2002B2F17C9A2EF64EB76F6
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Jun 11 05:33:36 2021, atime=Fri Jun 11 05:33:36 2021, length=12288, window=hide	DDDE4AEA52639A376DDEA0363A830989	42C60E4DB7ACC6484B7F49E04B85E1F50B0939C8	1C26913AC092AFA7B73B276E5BA1C121F6BDC6C67FE1FB4E7DDA837CA5BBDA63
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-47-2637.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Fri Jun 11 05:33:36 2021, atime=Fri Jun 11 05:33:36 2021, length=92672, window=hide	F5F66094ECB1402555729E1107D3C096	38CCFCC00261AFF0B8F487E60F8DB2215979FF9A	A93527F892D71FDD7A251FEC2150DB068424F7EC190FC4416EC463E90BCE164E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	CC574425794FB97F59C2DC249939493A	8CA2DFD4C2535E0FFEB160319D2CD079758B7F8D	1D977854F9C0DDF7462B6991CA2B6026C4FFCAF52F158A2C7B81B8FBEE5E35F0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WX9VC4P4.txt	ASCII text	BD6147C9030F0D655787BE45213DB496	BEEDCBABD678F5969FA7BB2012CB25BB8FCB4CF5	5CAAF34D2E2E45E1677E131C8C64D202EF39B7D9B235C6E4165DB2EC87E7B4DB
C:\Users\user\Desktop\18CE0000	Applesoft BASIC program data, first line number 16	0A6CFFEA7C8A3F28DB32D6B10FB143FF	D1565F223B143944C30884D301B52AD4E32EE47B	FD7BDC282938F884B95DDAC7AC1EA44E18DB8664D063962A534FD61B03CC00BC
C:\Users\user\Desktop\D73F0000	Applesoft BASIC program data, first line number 16	6D8E6965F252B13FF8D880053C83D123	47B7D1032C44D1D914B378F37492E17B0D7A2E59	67D293F9AC0E32D54F1632FCCC7221DDB84E27D0278A5F403E81BB2A09CAEC0B
C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe	PE32 executable (GUI) Intel 80386, for MS Windows	7F7F391491C315A4A72EFCAC0D34FA93	20A18C7EA14F4E1D3044091B46D6E862B6F38708	022577F47FB074B7D942C8F01DAAC778B110A373DE03B3B5043E887995B09D52

Analysis Report document-47-2637.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains