Play interactive tour
Edit tourWindows Analysis Report mormanti.exe
Overview
General Information
| Sample Name: | mormanti.exe |
| Analysis ID: | 449959 |
| MD5: | 6c94edfea6e5ee001b00122c9d01bd8a |
| SHA1: | a8d0cc5088ee86c2be77afe157695d12e951f369 |
| SHA256: | 0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Emotet
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Emotet |
|---|
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_02DC2871 | |
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| C2 URLs / IPs found in malware configuration | Show sources | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
E-Banking Fraud: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | Code function: | 0_2_02DB23AF | |
| Source: | Code function: | 0_2_02DB253B | |
| Source: | Code function: | 0_2_02DC2BFC | |
| Source: | Code function: | 0_2_02DC2A70 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Command line argument: | 0_2_00C121FD | |
| Source: | Command line argument: | 0_2_00C121FD | |
| Source: | Command line argument: | 2_2_00C121FD | |
| Source: | Command line argument: | 2_2_00C121FD | |
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00C12D9C | |
| Source: | Code function: | 0_2_00C13134 | |
| Source: | Code function: | 2_2_00C12D9C | |
| Source: | Code function: | 2_2_00C13134 | |
Persistence and Installation Behavior: | |
|---|
| Drops executables to the windows directory (C:\Windows) and starts them | Show sources | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | PE file moved: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Hides that the sample has been downloaded from the Internet (zone.identifier) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) | Show sources | ||
| Source: | Evasive API call chain: | graph_0-6572 | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_02DC2871 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00C1272C | |
| Source: | Code function: | 0_2_00C11FF2 | |
| Source: | Code function: | 0_2_02DB304D | |
| Source: | Code function: | 0_2_02DB0467 | |
| Source: | Code function: | 0_2_02DB277C | |
| Source: | Code function: | 0_2_02DC370E | |
| Source: | Code function: | 0_2_02DC2E3D | |
| Source: | Code function: | 2_2_00C11FF2 | |
| Source: | Code function: | 0_2_00C1272C | |
| Source: | Code function: | 2_2_00C1272C | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00C12FF8 | |
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings: | |
|---|
| Changes security center settings (notifications, updates, antivirus, firewall) | Show sources | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | Process Injection2 | Masquerading121 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery41 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Native API1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion2 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection2 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | System Information Discovery24 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 75% | Virustotal | Browse | ||
| 82% | ReversingLabs | Win32.Trojan.Emotet | ||
| 100% | Avira | TR/Kryptik.vhuzo |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1138886 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138886 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138886 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138886 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| No contacted domains info |
|---|
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| low | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| low | ||
| false | high | |||
| false | high |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 149.62.173.247 | unknown | Spain | 50926 | INFORTELECOM-ASES | true | |
| 191.182.6.118 | unknown | Brazil | 28573 | CLAROSABR | true | |
| 104.131.103.37 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 204.225.249.100 | unknown | Canada | 22652 | FIBRENOIRE-INTERNETCA | true | |
| 94.176.234.118 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | true | |
| 70.32.84.74 | unknown | United States | 398110 | GO-DADDY-COM-LLCUS | true | |
| 177.73.0.98 | unknown | Brazil | 53184 | INBTelecomEIRELIBR | true | |
| 12.162.84.2 | unknown | United States | 7018 | ATT-INTERNET4US | true | |
| 116.125.120.88 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true | |
| 58.171.153.81 | unknown | Australia | 1221 | ASN-TELSTRATelstraCorporationLtdAU | true | |
| 170.81.48.2 | unknown | Brazil | 263634 | TACNETTELECOMBR | true | |
| 219.92.13.25 | unknown | Malaysia | 4788 | TMNET-AS-APTMNetInternetServiceProviderMY | true | |
| 202.62.39.111 | unknown | Cambodia | 23673 | ONLINE-ASCogetelOnlineCambodiaISPKH | true | |
| 209.236.123.42 | unknown | United States | 393398 | ASN-DISUS | true | |
| 213.181.91.224 | unknown | Spain | 49000 | TELECABLEJUMILLA-ASES | true | |
| 5.196.35.138 | unknown | France | 16276 | OVHFR | true | |
| 187.162.248.237 | unknown | Mexico | 6503 | AxtelSABdeCVMX | true | |
| 189.2.177.210 | unknown | Brazil | 4230 | CLAROSABR | true | |
| 93.151.186.85 | unknown | Italy | 30722 | VODAFONE-IT-ASNIT | true | |
| 217.199.160.224 | unknown | United Kingdom | 20738 | GD-EMEA-DC-LD5GB | true | |
| 114.109.179.60 | unknown | Thailand | 17552 | TRUE-AS-APTrueInternetCoLtdTH | true | |
| 143.0.87.101 | unknown | Brazil | 263998 | MMTelecomBR | true | |
| 186.103.141.250 | unknown | Chile | 15311 | TelefonicaEmpresasCL | true | |
| 77.90.136.129 | unknown | Germany | 42821 | RAPIDNET-DEHaunstetterStr19DE | true | |
| 181.129.96.162 | unknown | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | true | |
| 50.28.51.143 | unknown | United States | 32244 | LIQUIDWEBUS | true | |
| 68.183.190.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 94.206.45.18 | unknown | United Arab Emirates | 15802 | DU-AS1AE | true | |
| 190.17.195.202 | unknown | Argentina | 10318 | TelecomArgentinaSAAR | true | |
| 73.116.193.136 | unknown | United States | 7922 | COMCAST-7922US | true | |
| 82.76.111.249 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true | |
| 189.194.58.119 | unknown | Mexico | 13999 | MegaCableSAdeCVMX | true | |
| 80.249.176.206 | unknown | Russian Federation | 31376 | SMART-ASRU | true | |
| 145.236.8.174 | unknown | Hungary | 5483 | MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU | true | |
| 191.99.160.58 | unknown | Ecuador | 27738 | EcuadortelecomSAEC | true | |
| 217.13.106.14 | unknown | Hungary | 12301 | INVITECHHU | true | |
| 147.91.184.91 | unknown | Serbia | 13092 | UB-ASRS | true | |
| 68.183.170.114 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 81.198.69.61 | unknown | Latvia | 12578 | APOLLO-ASLatviaLV | true | |
| 177.66.190.130 | unknown | Brazil | 262502 | FLYLinkTelecomBR | true | |
| 177.72.13.80 | unknown | Brazil | 52814 | INTERNETPLAYLTDABR | true | |
| 61.92.159.208 | unknown | Hong Kong | 9269 | HKBN-AS-APHongKongBroadbandNetworkLtdHK | true | |
| 178.79.163.131 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true | |
| 46.28.111.142 | unknown | Czech Republic | 197019 | WEDOSCZ | true | |
| 77.55.211.77 | unknown | Poland | 15967 | NAZWAPL | true | |
| 190.163.31.26 | unknown | Chile | 22047 | VTRBANDAANCHASACL | true | |
| 137.74.106.111 | unknown | France | 16276 | OVHFR | true | |
| 172.104.169.32 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
| 72.47.248.48 | unknown | United States | 31815 | MEDIATEMPLEUS | true | |
| 181.120.79.227 | unknown | Paraguay | 23201 | TelecelSAPY | true | |
| 89.32.150.160 | unknown | Romania | 43927 | HOSTERIONRO | true | |
| 104.131.41.185 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 186.250.52.226 | unknown | Brazil | 262807 | RedfoxTelecomunicacoesLtdaBR | true | |
| 87.106.46.107 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
| 177.144.135.2 | unknown | Brazil | 27699 | TELEFONICABRASILSABR | true | |
| 217.160.182.191 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
| 201.213.156.176 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
| 83.169.21.32 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | true | |
| 70.32.115.157 | unknown | United States | 31815 | MEDIATEMPLEUS | true | |
| 213.60.96.117 | unknown | Spain | 12334 | Galicia-SpainES | true | |
| 212.231.60.98 | unknown | Spain | 15704 | AS15704ES | true | |
| 181.36.42.205 | unknown | Dominican Republic | 28118 | ALTICEDOMINICANASADO | true | |
| 104.131.103.128 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 190.190.148.27 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
| 190.6.193.152 | unknown | Honduras | 27884 | CABLECOLORSAHN | true | |
| 51.255.165.160 | unknown | France | 16276 | OVHFR | true | |
| 212.71.237.140 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true | |
| 185.94.252.27 | unknown | Germany | 197890 | MEGASERVERS-DE | true | |
| 2.47.112.152 | unknown | Italy | 30722 | VODAFONE-IT-ASNIT | true | |
| 104.236.161.64 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 192.241.143.52 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 192.241.146.84 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 45.161.242.102 | unknown | Brazil | 268479 | AntonioMarcosdosSantos-MEBR | true | |
| 66.228.49.173 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
| 190.147.137.153 | unknown | Colombia | 10620 | TelmexColombiaSACO | true | |
| 82.196.15.205 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true | |
| 111.67.12.221 | unknown | Australia | 55803 | DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU | true | |
| 177.74.228.34 | unknown | Brazil | 263652 | CMDNETInternetInformaticaLtdaBR | true | |
| 91.219.169.180 | unknown | Ukraine | 52191 | LOCALKA-NET-AS | true | |
| 185.94.252.12 | unknown | Germany | 197890 | MEGASERVERS-DE | true |
Private |
|---|
| IP |
|---|
| 127.0.0.1 |
General Information |
|---|
| Joe Sandbox Version: | 33.0.0 White Diamond |
| Analysis ID: | 449959 |
| Start date: | 16.07.2021 |
| Start time: | 17:05:22 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 54s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | mormanti.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 25 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@17/8@0/81 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 17:06:35 | API Interceptor | |
| 17:07:51 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 149.62.173.247 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| 104.131.103.37 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 204.225.249.100 | Get hash | malicious | Browse |
|
Domains |
|---|
| No context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| CLAROSABR | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| DIGITALOCEAN-ASNUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| INFORTELECOM-ASES | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4096 |
| Entropy (8bit): | 0.5918524708219107 |
| Encrypted: | false |
| SSDEEP: | 6:b8ek1GaD0JOCEfMuaaD0JOCEfMKQmDjjAl/gz2cE0fMbhEZolrRSQ2hyYIIT:b8NGaD0JcaaD0JwQQjjAg/0bjSQJ |
| MD5: | 9EB1288EAAF777CF31B19FC8052D9DDD |
| SHA1: | D0366555B0FF7D5F716C215B7253373231FE1F4B |
| SHA-256: | 1AB4A321F9958011E0E2AA7DF522A3567EFC956F36513C512EEA3BBA3F7E2F22 |
| SHA-512: | E916EAE79313765EBED1A5A407594EEBAD546A7963C3E6E96FBC869B431BB491C40E973D58FC69D1D9977855B8FAC8002D1C435E855378A1508DF71343C6752E |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32768 |
| Entropy (8bit): | 0.09325297057693027 |
| Encrypted: | false |
| SSDEEP: | 6:agAzwl/+z6RIE11Y8TRXuo/Xx1qKIgAzwl/+z6RIE11Y8TRXuo/Xx1qK:aX0++O4blj/h1qKIX0++O4blj/h1qK |
| MD5: | 01DC05B086437F44DADEBE72F42AE6E4 |
| SHA1: | 5ED9C40BDF29C734FDB24E80573BFAB46285828A |
| SHA-256: | 88194003F7E242AECDD75F00695B39A37441BF6C57A9812A12F9F7735BD43BA3 |
| SHA-512: | C1CFDEBA81E79AC3C92B208FD5E625E9625D853F518F0114FB6DF66EA1530A87F10A125A99E9E6FF3E6556568B0DC84B4C356173A2362B656E7B81698EDAB9B3 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8192 |
| Entropy (8bit): | 0.10801090337418041 |
| Encrypted: | false |
| SSDEEP: | 3:kE17EvGZ0i0lcSXl/bJdAtizjlD/ill:kE1iGZ0hlc8t4U1G |
| MD5: | 518B806DEB454B700E818B345A95C61C |
| SHA1: | 53C2FB38B4AB68FC2414D36920212E45895260FB |
| SHA-256: | 6F4DEAA5EDE225FB203717C88BAE62EB1EE0789B07C1548185C9338FE5A29C7A |
| SHA-512: | D17D2469510FA2AA3F080A8EF6C8D2657E0CB6AE65D5930FD08BB94A32CB5C2E0F7844FB991FDED7885E5D209269F718A76844CEA288CBBCBAC71EFA55C18F27 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.11017776630826032 |
| Encrypted: | false |
| SSDEEP: | 12:265Xm/Ey6q99954Klq3qQ10nMCldimE8eawHjcmj:26kl68wLyMCldzE9BHjc8 |
| MD5: | D8C933C4D3562115CDA8EC19E4C40BAB |
| SHA1: | B56A16C4CCB98D25D5DFE0F211C87C28F6BAE8D5 |
| SHA-256: | FAE8B7380E73264FFA75864B9F212C841A62D927153EC739D80DEDB876A482BB |
| SHA-512: | E75F13F453D4619F7722B799A8CAA47EF12184BFF7394309A12DEF148B5BA7DB20D6EA2A512B27B86B380BF6DE624F68B2AF8408D90F356517888C8524EAD3CA |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.11280925407263487 |
| Encrypted: | false |
| SSDEEP: | 12:UrXm/Ey6q999549r1z1miM3qQ10nMCldimE8eawHza1miI5Z:/l684h1tMLyMCldzE9BHza1tIn |
| MD5: | 9D91B6F5D908F8FA9457289284D99D90 |
| SHA1: | 7FA4F2CC6A51660A2767B533B9629484DD209C00 |
| SHA-256: | 348FCA3B1B0151D5A3E0AB8F2EC51DD4404ABDB779CB3319255F5C4B7C7E77CF |
| SHA-512: | 110A3DEE834FB3E03DA0152E809F2CD0A50294CFF62DB8CA2C9E96F9324729840EB44DCCC46D2815F50D14ED61A67CFBE06D5F2550A8FF48DEE6A0F43087CB09 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.11273590727037369 |
| Encrypted: | false |
| SSDEEP: | 12:U0Xm/Ey6q99954iH0z1mK2P3qQ10nMCldimE8eawHza1mKQe:Al68S1iPLyMCldzE9BHza13 |
| MD5: | 0573B48E6E823B072B981744C4EC755A |
| SHA1: | B0AC5879397474AF40AEE8E06E193A277A89D30C |
| SHA-256: | CAFED707C6D08E422CC295DD756129A2BDA528D830225142ABD5F4862CEAF3DC |
| SHA-512: | 33F8D03E6DAC4E202ECAFE1D7491E131E8496D25FB8A0DF090EF7397B45350B9DEE82D286BA184EBD0DC319D92CC817AFFCB7CA5B3D1A42340A6156DC78C4F97 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55 |
| Entropy (8bit): | 4.306461250274409 |
| Encrypted: | false |
| SSDEEP: | 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y |
| MD5: | DCA83F08D448911A14C22EBCACC5AD57 |
| SHA1: | 91270525521B7FE0D986DB19747F47D34B6318AD |
| SHA-256: | 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9 |
| SHA-512: | 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Windows Defender\MpCmdRun.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 906 |
| Entropy (8bit): | 3.152601704217562 |
| Encrypted: | false |
| SSDEEP: | 12:58KRBubdpkoF1AG3rABD2iCk9+MlWlLehB4yAq7ejCpBD2iP:OaqdmuF3rg2iV+kWReH4yJ7M42iP |
| MD5: | 2CA5726DE33B7191699EBFEEC4F7210C |
| SHA1: | 0613DF20921345EFB902DFE198764AEF58BF6C9E |
| SHA-256: | 00CFCED40E9C57E6C01FE432F6C4470A9330DE3DD47676C30294BB085A9EC9D5 |
| SHA-512: | 9D63083245C34A426097B74D9EF78CE8105CAA5B4CF4586F751C02774B91A2E79873A5B71F9C9694C22325031D6F97B4C617EF223DDC16884F18488E5F5A269A |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.359134894428257 |
| TrID: |
|
| File name: | mormanti.exe |
| File size: | 102912 |
| MD5: | 6c94edfea6e5ee001b00122c9d01bd8a |
| SHA1: | a8d0cc5088ee86c2be77afe157695d12e951f369 |
| SHA256: | 0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e |
| SHA512: | 8e4f44f2680feb8fa564a26b3f283ce360d966e01b1585686e6eb23900f5e09d39e3b62b154604972091cc928f99f835ec2e042a5c06d7df29b8c225e3db447f |
| SSDEEP: | 1536:jw9fHY8jOMiep0McpHa74EuSFGMpJ7q06VSE:srOMiep0ZpeuQJmpSE |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$~..J-..J-..J-:..-..J-...-..J-...-..J-...-..J-...-..J-.61-..J-..K-..J-...-..J-...-..J-...-..J-Rich..J-....................... |
File Icon |
|---|
 | |
| Icon Hash: | 9a8a808292808000 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x402b60 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x5F325807 [Tue Aug 11 08:34:15 2020 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | c75ae73417f3d8c7926ca2cc9989d6f5 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| call 00007FA204A14198h |
| jmp 00007FA204A13A3Ch |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 00000328h |
| mov dword ptr [004061D8h], eax |
| mov dword ptr [004061D4h], ecx |
| mov dword ptr [004061D0h], edx |
| mov dword ptr [004061CCh], ebx |
| mov dword ptr [004061C8h], esi |
| mov dword ptr [004061C4h], edi |
| mov word ptr [004061F0h], ss |
| mov word ptr [004061E4h], cs |
| mov word ptr [004061C0h], ds |
| mov word ptr [004061BCh], es |
| mov word ptr [004061B8h], fs |
| mov word ptr [004061B4h], gs |
| pushfd |
| pop dword ptr [004061E8h] |
| mov eax, dword ptr [ebp+00h] |
| mov dword ptr [004061DCh], eax |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [004061E0h], eax |
| lea eax, dword ptr [ebp+08h] |
| mov dword ptr [004061ECh], eax |
| mov eax, dword ptr [ebp-00000320h] |
| mov dword ptr [00406128h], 00010001h |
| mov eax, dword ptr [004061E0h] |
| mov dword ptr [004060DCh], eax |
| mov dword ptr [004060D0h], C0000409h |
| mov dword ptr [004060D4h], 00000001h |
| mov eax, dword ptr [00406018h] |
| mov dword ptr [ebp-00000328h], eax |
| mov eax, dword ptr [0040601Ch] |
| mov dword ptr [ebp-00000324h], eax |
| call dword ptr [00000068h] |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x48dc | 0x8c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x144c4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0x454 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4230 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4450 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x200 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x243c | 0x2600 | False | 0.655324835526 | COM executable for DOS | 6.36850956542 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x4000 | 0x1702 | 0x1800 | False | 0.40625 | data | 5.1131105028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x6000 | 0x648 | 0x200 | False | 0.232421875 | data | 2.09168969639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x7000 | 0x144c4 | 0x14600 | False | 0.486459930982 | data | 6.30306243713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1c000 | 0x70c | 0x800 | False | 0.49853515625 | data | 4.44276595657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x7550 | 0x2e8 | data | English | United States |
| RT_ICON | 0x7838 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0x7960 | 0xea8 | data | English | United States |
| RT_ICON | 0x8808 | 0x8a8 | data | English | United States |
| RT_ICON | 0x90b0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0x9618 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States |
| RT_ICON | 0xbbc0 | 0x10a8 | data | English | United States |
| RT_ICON | 0xcc68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0xd0d0 | 0x2e8 | data | English | United States |
| RT_ICON | 0xd3b8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0xd4e0 | 0xea8 | data | English | United States |
| RT_ICON | 0xe388 | 0x8a8 | data | English | United States |
| RT_ICON | 0xec30 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0xf198 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States |
| RT_ICON | 0x11740 | 0x10a8 | data | English | United States |
| RT_ICON | 0x127e8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_MENU | 0x12c50 | 0x4a | data | English | United States |
| RT_DIALOG | 0x12c9c | 0x140 | data | English | United States |
| RT_STRING | 0x12ddc | 0x4c | data | English | United States |
| RT_ACCELERATOR | 0x12e28 | 0x10 | data | English | United States |
| RT_RCDATA | 0x12e38 | 0x8344 | data | English | United States |
| RT_GROUP_ICON | 0x1b17c | 0x76 | data | English | United States |
| RT_GROUP_ICON | 0x1b1f4 | 0x76 | data | English | United States |
| RT_MANIFEST | 0x1b26c | 0x256 | ASCII text, with CRLF line terminators | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | Sleep, InterlockedCompareExchange, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, LoadLibraryExA, GetTickCount64, InterlockedExchange |
| USER32.dll | LoadIconW, LoadCursorW, RegisterClassExW, CreateWindowExW, ShowWindow, UpdateWindow, SetTimer, PostQuitMessage, DialogBoxParamW, DestroyWindow, DefWindowProcW, SetCapture, PtInRect, ReleaseCapture, BeginPaint, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, GetMessageW, LoadAcceleratorsW, LoadStringW, OffsetRect, DrawTextA, FillRect, InvalidateRect, ReleaseDC, GetDC, GetClientRect, EndPaint, EndDialog |
| GDI32.dll | CreateSolidBrush, DeleteObject, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, GetStockObject, SaveDC, RestoreDC, SetBkMode, BitBlt, CreateRectRgnIndirect, CreatePolygonRgn, CombineRgn, SelectClipRgn, Ellipse, Rectangle, CreatePen |
| MSVCP90.dll | ??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?uncaught_exception@std@@YA_NXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?str@?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ, ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z |
| MSIMG32.dll | AlphaBlend, GradientFill |
| MSVCR90.dll | _amsg_exit, _CxxThrowException, __CxxFrameHandler3, _controlfp_s, _invoke_watson, _except_handler4_common, ?_type_info_dtor_internal_method@type_info@@QAEXXZ, ?terminate@@YAXXZ, _crt_debugger_hook, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, ??1exception@std@@UAE@XZ, ??3@YAXPAX@Z, ??0exception@std@@QAE@XZ, ??0exception@std@@QAE@ABV01@@Z, ??2@YAPAXI@Z, _invalid_parameter_noinfo, srand, rand, _time64, _wcslwr, atoi, _unlock, __dllonexit, _encode_pointer, _lock, _onexit, _decode_pointer, memcpy, __wgetmainargs, _cexit, _exit, _XcptFilter, exit, _wcmdln |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 07/16/21-17:07:12.259592 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | 104.131.103.37 | 192.168.2.3 | ||
| 07/16/21-17:07:15.256691 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | 104.131.103.37 | 192.168.2.3 | ||
| 07/16/21-17:07:21.273124 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | 104.131.103.37 | 192.168.2.3 | ||
| 07/16/21-17:07:42.618824 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 72.10.63.118 | 192.168.2.3 | ||
| 07/16/21-17:07:45.806111 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 72.10.63.118 | 192.168.2.3 | ||
| 07/16/21-17:07:51.997887 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 72.10.63.118 | 192.168.2.3 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 16, 2021 17:06:20.542170048 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81 |
| Jul 16, 2021 17:06:23.548013926 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81 |
| Jul 16, 2021 17:06:29.548536062 CEST | 49718 | 80 | 192.168.2.3 | 58.171.153.81 |
| Jul 16, 2021 17:06:44.281224966 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128 |
| Jul 16, 2021 17:06:44.403786898 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3 |
| Jul 16, 2021 17:06:44.908982992 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128 |
| Jul 16, 2021 17:06:45.031189919 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3 |
| Jul 16, 2021 17:06:45.534087896 CEST | 49727 | 443 | 192.168.2.3 | 104.131.103.128 |
| Jul 16, 2021 17:06:45.657490969 CEST | 443 | 49727 | 104.131.103.128 | 192.168.2.3 |
| Jul 16, 2021 17:06:48.471726894 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173 |
| Jul 16, 2021 17:06:51.472075939 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173 |
| Jul 16, 2021 17:06:57.472614050 CEST | 49728 | 8080 | 192.168.2.3 | 66.228.49.173 |
| Jul 16, 2021 17:07:12.132922888 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37 |
| Jul 16, 2021 17:07:15.130383968 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37 |
| Jul 16, 2021 17:07:21.146560907 CEST | 49734 | 8080 | 192.168.2.3 | 104.131.103.37 |
| Jul 16, 2021 17:07:35.370628119 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247 |
| Jul 16, 2021 17:07:35.438725948 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3 |
| Jul 16, 2021 17:07:35.944820881 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247 |
| Jul 16, 2021 17:07:36.012451887 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3 |
| Jul 16, 2021 17:07:36.523617983 CEST | 49740 | 8080 | 192.168.2.3 | 149.62.173.247 |
| Jul 16, 2021 17:07:36.594460011 CEST | 8080 | 49740 | 149.62.173.247 | 192.168.2.3 |
| Jul 16, 2021 17:07:40.373577118 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48 |
| Jul 16, 2021 17:07:43.382858038 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48 |
| Jul 16, 2021 17:07:49.398936987 CEST | 49741 | 7080 | 192.168.2.3 | 72.47.248.48 |
| Jul 16, 2021 17:08:04.116400003 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114 |
| Jul 16, 2021 17:08:07.103610039 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114 |
| Jul 16, 2021 17:08:13.103981018 CEST | 49744 | 8080 | 192.168.2.3 | 68.183.170.114 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 16, 2021 17:06:02.333093882 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:02.398982048 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:02.403018951 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:02.455171108 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:03.199887991 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:03.251107931 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:04.301538944 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:04.360388994 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:05.009922981 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:05.080878973 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:05.522526026 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:05.575153112 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:06.713778019 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:06.763395071 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:07.789093018 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:07.841680050 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:08.611358881 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:08.670780897 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:10.446573019 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:10.504580975 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:11.560636997 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:11.613158941 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:12.701705933 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:12.751097918 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:13.865761995 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:13.920089960 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:16.677190065 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:16.726804018 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:17.607249975 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:17.669481039 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:18.412681103 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:18.466411114 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:19.185880899 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:19.238326073 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:20.020277023 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:20.072833061 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:20.871370077 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:20.925894976 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:22.051337957 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:22.109612942 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:22.853486061 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:22.902765989 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:37.889744043 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:37.957566977 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:39.148256063 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:39.210594893 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:53.667342901 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:53.735356092 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:06:57.148108959 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:06:57.205549002 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:07:11.947230101 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:07:12.015654087 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:07:15.400922060 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:07:15.462726116 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:07:46.678647041 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:07:46.753209114 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
| Jul 16, 2021 17:07:51.150878906 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jul 16, 2021 17:07:51.219223976 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
ICMP Packets |
|---|
| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
|---|---|---|---|---|---|
| Jul 16, 2021 17:07:12.259592056 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable |
| Jul 16, 2021 17:07:15.256690979 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable |
| Jul 16, 2021 17:07:21.273123980 CEST | 104.131.103.37 | 192.168.2.3 | 8f70 | (Unknown) | Destination Unreachable |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 17:06:08 |
| Start date: | 16/07/2021 |
| Path: | C:\Users\user\Desktop\mormanti.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc10000 |
| File size: | 102912 bytes |
| MD5 hash: | 6C94EDFEA6E5EE001B00122C9D01BD8A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 17:06:09 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc10000 |
| File size: | 102912 bytes |
| MD5 hash: | 6C94EDFEA6E5EE001B00122C9D01BD8A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 17:06:15 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:35 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:37 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:45 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:46 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:47 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:47 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:47 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:48 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:49 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\SgrmBroker.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff641450000 |
| File size: | 163336 bytes |
| MD5 hash: | D3170A3F3A9626597EEE1888686E3EA6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:06:49 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7488e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:07:50 |
| Start date: | 16/07/2021 |
| Path: | C:\Program Files\Windows Defender\MpCmdRun.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6922b0000 |
| File size: | 455656 bytes |
| MD5 hash: | A267555174BFA53844371226F482B86B |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:07:50 |
| Start date: | 16/07/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2800000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
Disassembly |
|---|
Code Analysis |
|---|
Execution Graph |
|---|
| Execution Coverage: | 8% |
| Dynamic/Decrypted Code Coverage: | 76.8% |
| Signature Coverage: | 4% |
| Total number of Nodes: | 1333 |
| Total number of Limit Nodes: | 24 |
Graph
Executed Functions |
|---|
Function 00C121FD, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 164windowlibrarymemoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC2871, Relevance: 4.6, APIs: 3, Instructions: 144fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC388F, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC58E2, Relevance: 3.1, APIs: 2, Instructions: 132fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C1285B, Relevance: 3.0, APIs: 2, Instructions: 17COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC67D8, Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC5A8F, Relevance: 1.6, APIs: 1, Instructions: 108fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC274C, Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC2FB6, Relevance: 1.5, APIs: 1, Instructions: 19memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC4171, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DB23AF, Relevance: 5.1, Strings: 4, Instructions: 106COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC2A70, Relevance: 5.1, Strings: 4, Instructions: 106COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DB253B, Relevance: 2.6, Strings: 2, Instructions: 118COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC2BFC, Relevance: 2.6, Strings: 2, Instructions: 118COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DB0467, Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DB277C, Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC2E3D, Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DB304D, Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02DC370E, Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C113AF, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 231windowCOMMON
Download Yara Rule
| C-Code - Quality: 59% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11129, Relevance: 12.0, APIs: 8, Instructions: 43COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 67% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C1186A, Relevance: 10.6, APIs: 7, Instructions: 100COMMON
Download Yara Rule
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C123C4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32windowregistryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11772, Relevance: 9.1, APIs: 6, Instructions: 99COMMON
Download Yara Rule
| C-Code - Quality: 80% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11271, Relevance: 9.0, APIs: 6, Instructions: 40windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C111BA, Relevance: 9.0, APIs: 6, Instructions: 27COMMON
Download Yara Rule
| C-Code - Quality: 95% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11EAD, Relevance: 7.6, APIs: 5, Instructions: 100COMMON
Download Yara Rule
| C-Code - Quality: 32% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 45% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C12435, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C119A1, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 61% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11D28, Relevance: 6.0, APIs: 4, Instructions: 21COMMON
Download Yara Rule
| C-Code - Quality: 25% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 10.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 309 |
| Total number of Limit Nodes: | 4 |
Graph
Callgraph |
|---|
Executed Functions |
|---|
Function 00C121FD, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 164windowlibrarymemoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C1285B, Relevance: 3.0, APIs: 2, Instructions: 17COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C113AF, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 231windowCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 59% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11129, Relevance: 12.0, APIs: 8, Instructions: 43COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 67% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C1186A, Relevance: 10.6, APIs: 7, Instructions: 100COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C123C4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32windowregistryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11772, Relevance: 9.1, APIs: 6, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 80% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11271, Relevance: 9.0, APIs: 6, Instructions: 40windowCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C111BA, Relevance: 9.0, APIs: 6, Instructions: 27COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 95% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11EAD, Relevance: 7.6, APIs: 5, Instructions: 100COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 32% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 45% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C12435, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C119A1, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 61% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00C11D28, Relevance: 6.0, APIs: 4, Instructions: 21COMMON
Download Yara Rule
| C-Code - Quality: 25% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |