Play interactive tour

Edit tour

Windows Analysis Report GimmerBot.exe

Overview

General Information

Sample Name:	GimmerBot.exe
Analysis ID:	478824
MD5:	dbde99c0ef07b4c3e3339189b950f9d1
SHA1:	c85e474225c32359054e96e81f7c3d16a85cc65d
SHA256:	dda8e5e4b93708ef5042d3e46027670a9ffa93f4c18646d0e48b13f8d1b013fe
Tags:	bitbucketorgexe
Infos:
Most interesting Screenshot:

Detection

Grandsteal

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected Grandsteal

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains method to dynamically call methods (often used by packers)

Found many strings related to Crypto-Wallets (likely being stolen)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

GimmerBot.exe (PID: 5148 cmdline: 'C:\Users\user\Desktop\GimmerBot.exe' MD5: DBDE99C0EF07B4C3E3339189B950F9D1)

GimmerBot.exe (PID: 1400 cmdline: {path} MD5: DBDE99C0EF07B4C3E3339189B950F9D1)

cleanup

Malware Configuration

Threatname: Grandsteal

{"C2 url": ["195.2.75.10:2012"], "Bot Id": "fbgimmer"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Grandsteal	Yara detected Grandsteal	Joe Security
00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.248714982.0000000003151000.00000004.00000001.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x6950:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp	JoeSecurity_Grandsteal	Yara detected Grandsteal	Joe Security
00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GimmerBot.exe PID: 5148	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x5613:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x5694:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0xe799:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: GimmerBot.exe PID: 5148	JoeSecurity_Grandsteal	Yara detected Grandsteal	Joe Security
Process Memory Space: GimmerBot.exe PID: 5148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GimmerBot.exe PID: 1400	JoeSecurity_Grandsteal	Yara detected Grandsteal	Joe Security
Process Memory Space: GimmerBot.exe PID: 1400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.GimmerBot.exe.400000.0.unpack	JoeSecurity_Grandsteal	Yara detected Grandsteal	Joe Security
4.2.GimmerBot.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.GimmerBot.exe.44e3728.3.unpack	JoeSecurity_Grandsteal	Yara detected Grandsteal	Joe Security
1.2.GimmerBot.exe.44e3728.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.GimmerBot.exe.44e3728.3.raw.unpack	JoeSecurity_Grandsteal	Yara detected Grandsteal	Joe Security
1.2.GimmerBot.exe.44e3728.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.GimmerBot.exe.400000.0.unpack

Malware Configuration Extractor: Grandsteal {"C2 url": ["195.2.75.10:2012"], "Bot Id": "fbgimmer"}

Multi AV Scanner detection for submitted file

Show sources

Source: GimmerBot.exe	Virustotal: Detection: 64%			Perma Link
Source: GimmerBot.exe	ReversingLabs: Detection: 55%

Antivirus / Scanner detection for submitted sample

Show sources

Source: GimmerBot.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: https://f.tsuyogari.ru/192843027.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: https://f.tsuyogari.ru/192843027.exe

Virustotal: Detection: 12%

Perma Link

Source: GimmerBot.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: GimmerBot.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\GimmerBot.exe

Code function: 4x nop then jmp 01537631h

1_2_0153750F

Source: Joe Sandbox View

ASN Name: VDSINA-ASRU VDSINA-ASRU

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 195.2.75.10:2012

Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.75.10
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.75.10
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.75.10

Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: GimmerBot.exe	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: GimmerBot.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: GimmerBot.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: GimmerBot.exe	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: GimmerBot.exe	String found in binary or memory: http://crl.globalsign.net/root.crl0O
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: GimmerBot.exe	String found in binary or memory: http://ocsp.globalsign.com/ExtendedSSLSHA256CACross0
Source: GimmerBot.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: GimmerBot.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: GimmerBot.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: GimmerBot.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://stackoverflow.com/q/11564914;
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://stackoverflow.com/q/14436606/
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://stackoverflow.com/q/2152978/23354sCannot
Source: GimmerBot.exe	String found in binary or memory: http://www.globalsign.net/repository/03
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://f.tsuyogari.ru/192843027.exe
Source: GimmerBot.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: GimmerBot.exe	String found in binary or memory: https://www.globalsign.com/repository/03

Source: GimmerBot.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000001.00000002.248714982.0000000003151000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file

Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_0153E460	1_2_0153E460
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_0153DA68	1_2_0153DA68
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_0153D218	1_2_0153D218
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_0153B2F0	1_2_0153B2F0
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_0153C6A8	1_2_0153C6A8
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_01530878	1_2_01530878
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_01530888	1_2_01530888
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_01536A51	1_2_01536A51
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_01536A60	1_2_01536A60
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_015392C8	1_2_015392C8
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 1_2_01530AF8	1_2_01530AF8
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 4_2_00E65303	4_2_00E65303
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 4_2_00E61540	4_2_00E61540
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 4_2_00E65958	4_2_00E65958
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 4_2_00E62D58	4_2_00E62D58
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 4_2_00E63080	4_2_00E63080
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 4_2_00E6153F	4_2_00E6153F
Source: C:\Users\user\Desktop\GimmerBot.exe	Code function: 4_2_00E63E2B	4_2_00E63E2B

Source: GimmerBot.exe, 00000001.00000002.249651027.0000000003685000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamegimmer.exe4 vs GimmerBot.exe
Source: GimmerBot.exe, 00000001.00000002.248714982.0000000003151000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSparta.dll. vs GimmerBot.exe
Source: GimmerBot.exe, 00000004.00000002.504115974.0000000000EBA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs GimmerBot.exe
Source: GimmerBot.exe, 00000004.00000000.247105439.00000000006E6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegimmer.exe4 vs GimmerBot.exe
Source: GimmerBot.exe	Binary or memory string: OriginalFilenamegimmer.exe4 vs GimmerBot.exe

Source: GimmerBot.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GimmerBot.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: GimmerBot.exe

Static PE information: invalid certificate

Source: GimmerBot.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: GimmerBot.exe	Virustotal: Detection: 64%
Source: GimmerBot.exe	ReversingLabs: Detection: 55%

Source: GimmerBot.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GimmerBot.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GimmerBot.exe 'C:\Users\user\Desktop\GimmerBot.exe'
Source: C:\Users\user\Desktop\GimmerBot.exe	Process created: C:\Users\user\Desktop\GimmerBot.exe {path}
Source: C:\Users\user\Desktop\GimmerBot.exe	Process created: C:\Users\user\Desktop\GimmerBot.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GimmerBot.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1

Source: C:\Users\user\Desktop\GimmerBot.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: GimmerBot.exe, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: GimmerBot.exe, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.GimmerBot.exe.610000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.GimmerBot.exe.610000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.GimmerBot.exe.610000.1.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.GimmerBot.exe.610000.1.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\GimmerBot.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: GimmerBot.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GimmerBot.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: GimmerBot.exe, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.GimmerBot.exe.610000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.2.GimmerBot.exe.610000.1.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\GimmerBot.exe

Code function: 1_2_015355A7 push es; retf

1_2_015355A8

Source: initial sample

Static PE information: section name: .text entropy: 7.84895459195

Source: GimmerBot.exe, KFgV3QMKpRoDPZFWZ4/CaIZKNsBuQsM0iMuHO.cs	High entropy of concatenated method names: '.ctor', 'UNqCMK38WL', 'R3mCvjobAZ', 'HvBCkEZC2q', 'koUC8d6T0h', 'nHPCqrIeft', 'nZbCA8Ycso', 'nVwC3aL1KZ', 'QF5CatIjCi', 'beuCjX85j3'
Source: GimmerBot.exe, Lab1/FormLab1.cs	High entropy of concatenated method names: '.ctor', 'oRQoUthgY', 'a5ih8lBKL', 'Dispose', 'uGEfMaLNC', 'CD9GX0XVUYhrUHn2KL', 'JTRmblxTdY3AqDDJCg', 'Bp32lkyU026iqjk3OU', 'ABZLZhPLthoV5TNZti', 'Q2lrv3MBFhVxJ97B5p'
Source: GimmerBot.exe, y1xmiW5A1I40ewigNW/MuINH2E6N6h1w390Dl.cs	High entropy of concatenated method names: '.ctor', 'iASCFUb3f4', 'qTICCuvFYi', 'O1SCWRffOB', 'BXYCo8E63A', 'oedCh2lUVN', 'Dispose', 'rPBCfRSbsn', 'aGqF8mT8Z1prf4GPAW', 'nZWCXRa4COs9BGSRjH'
Source: GimmerBot.exe, jKUDeA3BcACkXrCg89/PhBSmVA4h5SXCsOTvU.cs	High entropy of concatenated method names: '.ctor', 'RRDW822b0U', 'zJxWqsHCx2', 'BBgWAv8SOK', 'ggmW3xrWMN', 'dbkb5xH1ipsC5BHnuCM', 'g817BHHTS61AmxwXYr6', 'nEiyxhHaQRCYqXAPp6V', 'DvaQWgHFS5RkoshMSWb', 'cUCbtlHn7djy8yVYY4J'
Source: GimmerBot.exe, nPw3F3kiaAT9L2m3Ra/y3kVoovs26cJYUhTxH.cs	High entropy of concatenated method names: 'Qn6WEVXta0', 'CFAW57KTDM', '.ctor', 'rMFCzSsLCx', 'JKrWFujUbK', 'SGNWCDdwn1', 'RVJWWJrBd1', 'qDKWorKHYT', 'WxwWhwX4Z6', 'QmnWfbUvEg'
Source: GimmerBot.exe, udSnyQOn855MTUH39h/XMHL7Hfn319dJ3QbqC.cs	High entropy of concatenated method names: '.ctor', 'DXJmKaAfS', 'I7e10qwHJ', 'R48ZI2NCY', 'P4wHp1fUi', 'QLj0j548v', 'emti8V8eM', 'mKJuQosgW', 'pIFbx5oSr', 'S1OVh1Urj'
Source: GimmerBot.exe, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	High entropy of concatenated method names: '.cctor', 'GUsnFSgs6jGAN', 'qknooMPGd2', 'BLAohGB5O9', 'YFGofWp81N', 'lbHoOTKsWA', 'eRHoEcXLTi', 'MNFo5lFho5', 'Pm3os9CVxd', 'UnsoMTfYa6'
Source: GimmerBot.exe, ucsoAVcwaL1KZRF5tI/U6T0hABHPrIeft3Zb8.cs	High entropy of concatenated method names: 'xrvhhwbqq5', 'nPohfpMQty', 'sc2hO7XxI7', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'EDFVkYOfZDSrJWyy9p', 'HUKE2lDulZk8lJRyyL', 'ykb6jBIy7JGZsmXj1i', 'cZXbRTdlEkXMuiHw7A'
Source: GimmerBot.exe, VkqeSJKXJKaAfST7e0/EmhTuxgixP0ahfn9uU.cs	High entropy of concatenated method names: 'sKNnFSggqjChf', '.ctor', '.cctor', 'EgPvcylUcujPNS5a6Gc', 'sciDT5lliNxAlBSKPXt', 'cPqx4qlksxQK38ktsiY', 'dA3OA6ldVEgTf9bsXaX', 'd1Mfp3lAcY27JGUCbGh', 'zIWqTclHNHxJ45Vm6gx', 'mDb4UolRyqL1e0yqgZl'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, KFgV3QMKpRoDPZFWZ4/CaIZKNsBuQsM0iMuHO.cs	High entropy of concatenated method names: '.ctor', 'UNqCMK38WL', 'R3mCvjobAZ', 'HvBCkEZC2q', 'koUC8d6T0h', 'nHPCqrIeft', 'nZbCA8Ycso', 'nVwC3aL1KZ', 'QF5CatIjCi', 'beuCjX85j3'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, Lab1/FormLab1.cs	High entropy of concatenated method names: '.ctor', 'oRQoUthgY', 'a5ih8lBKL', 'Dispose', 'uGEfMaLNC', 'CD9GX0XVUYhrUHn2KL', 'JTRmblxTdY3AqDDJCg', 'Bp32lkyU026iqjk3OU', 'ABZLZhPLthoV5TNZti', 'Q2lrv3MBFhVxJ97B5p'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, y1xmiW5A1I40ewigNW/MuINH2E6N6h1w390Dl.cs	High entropy of concatenated method names: '.ctor', 'iASCFUb3f4', 'qTICCuvFYi', 'O1SCWRffOB', 'BXYCo8E63A', 'oedCh2lUVN', 'Dispose', 'rPBCfRSbsn', 'aGqF8mT8Z1prf4GPAW', 'nZWCXRa4COs9BGSRjH'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, jKUDeA3BcACkXrCg89/PhBSmVA4h5SXCsOTvU.cs	High entropy of concatenated method names: '.ctor', 'RRDW822b0U', 'zJxWqsHCx2', 'BBgWAv8SOK', 'ggmW3xrWMN', 'dbkb5xH1ipsC5BHnuCM', 'g817BHHTS61AmxwXYr6', 'nEiyxhHaQRCYqXAPp6V', 'DvaQWgHFS5RkoshMSWb', 'cUCbtlHn7djy8yVYY4J'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, nPw3F3kiaAT9L2m3Ra/y3kVoovs26cJYUhTxH.cs	High entropy of concatenated method names: 'Qn6WEVXta0', 'CFAW57KTDM', '.ctor', 'rMFCzSsLCx', 'JKrWFujUbK', 'SGNWCDdwn1', 'RVJWWJrBd1', 'qDKWorKHYT', 'WxwWhwX4Z6', 'QmnWfbUvEg'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, udSnyQOn855MTUH39h/XMHL7Hfn319dJ3QbqC.cs	High entropy of concatenated method names: '.ctor', 'DXJmKaAfS', 'I7e10qwHJ', 'R48ZI2NCY', 'P4wHp1fUi', 'QLj0j548v', 'emti8V8eM', 'mKJuQosgW', 'pIFbx5oSr', 'S1OVh1Urj'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, ucsoAVcwaL1KZRF5tI/U6T0hABHPrIeft3Zb8.cs	High entropy of concatenated method names: 'xrvhhwbqq5', 'nPohfpMQty', 'sc2hO7XxI7', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'EDFVkYOfZDSrJWyy9p', 'HUKE2lDulZk8lJRyyL', 'ykb6jBIy7JGZsmXj1i', 'cZXbRTdlEkXMuiHw7A'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, VkqeSJKXJKaAfST7e0/EmhTuxgixP0ahfn9uU.cs	High entropy of concatenated method names: 'sKNnFSggqjChf', '.ctor', '.cctor', 'EgPvcylUcujPNS5a6Gc', 'sciDT5lliNxAlBSKPXt', 'cPqx4qlksxQK38ktsiY', 'dA3OA6ldVEgTf9bsXaX', 'd1Mfp3lAcY27JGUCbGh', 'zIWqTclHNHxJ45Vm6gx', 'mDb4UolRyqL1e0yqgZl'
Source: 1.2.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	High entropy of concatenated method names: '.cctor', 'GUsnFSgs6jGAN', 'qknooMPGd2', 'BLAohGB5O9', 'YFGofWp81N', 'lbHoOTKsWA', 'eRHoEcXLTi', 'MNFo5lFho5', 'Pm3os9CVxd', 'UnsoMTfYa6'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, KFgV3QMKpRoDPZFWZ4/CaIZKNsBuQsM0iMuHO.cs	High entropy of concatenated method names: '.ctor', 'UNqCMK38WL', 'R3mCvjobAZ', 'HvBCkEZC2q', 'koUC8d6T0h', 'nHPCqrIeft', 'nZbCA8Ycso', 'nVwC3aL1KZ', 'QF5CatIjCi', 'beuCjX85j3'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, Lab1/FormLab1.cs	High entropy of concatenated method names: '.ctor', 'oRQoUthgY', 'a5ih8lBKL', 'Dispose', 'uGEfMaLNC', 'CD9GX0XVUYhrUHn2KL', 'JTRmblxTdY3AqDDJCg', 'Bp32lkyU026iqjk3OU', 'ABZLZhPLthoV5TNZti', 'Q2lrv3MBFhVxJ97B5p'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, y1xmiW5A1I40ewigNW/MuINH2E6N6h1w390Dl.cs	High entropy of concatenated method names: '.ctor', 'iASCFUb3f4', 'qTICCuvFYi', 'O1SCWRffOB', 'BXYCo8E63A', 'oedCh2lUVN', 'Dispose', 'rPBCfRSbsn', 'aGqF8mT8Z1prf4GPAW', 'nZWCXRa4COs9BGSRjH'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, jKUDeA3BcACkXrCg89/PhBSmVA4h5SXCsOTvU.cs	High entropy of concatenated method names: '.ctor', 'RRDW822b0U', 'zJxWqsHCx2', 'BBgWAv8SOK', 'ggmW3xrWMN', 'dbkb5xH1ipsC5BHnuCM', 'g817BHHTS61AmxwXYr6', 'nEiyxhHaQRCYqXAPp6V', 'DvaQWgHFS5RkoshMSWb', 'cUCbtlHn7djy8yVYY4J'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, udSnyQOn855MTUH39h/XMHL7Hfn319dJ3QbqC.cs	High entropy of concatenated method names: '.ctor', 'DXJmKaAfS', 'I7e10qwHJ', 'R48ZI2NCY', 'P4wHp1fUi', 'QLj0j548v', 'emti8V8eM', 'mKJuQosgW', 'pIFbx5oSr', 'S1OVh1Urj'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, nPw3F3kiaAT9L2m3Ra/y3kVoovs26cJYUhTxH.cs	High entropy of concatenated method names: 'Qn6WEVXta0', 'CFAW57KTDM', '.ctor', 'rMFCzSsLCx', 'JKrWFujUbK', 'SGNWCDdwn1', 'RVJWWJrBd1', 'qDKWorKHYT', 'WxwWhwX4Z6', 'QmnWfbUvEg'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, ucsoAVcwaL1KZRF5tI/U6T0hABHPrIeft3Zb8.cs	High entropy of concatenated method names: 'xrvhhwbqq5', 'nPohfpMQty', 'sc2hO7XxI7', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'EDFVkYOfZDSrJWyy9p', 'HUKE2lDulZk8lJRyyL', 'ykb6jBIy7JGZsmXj1i', 'cZXbRTdlEkXMuiHw7A'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	High entropy of concatenated method names: '.cctor', 'GUsnFSgs6jGAN', 'qknooMPGd2', 'BLAohGB5O9', 'YFGofWp81N', 'lbHoOTKsWA', 'eRHoEcXLTi', 'MNFo5lFho5', 'Pm3os9CVxd', 'UnsoMTfYa6'
Source: 1.0.GimmerBot.exe.bd0000.0.unpack, VkqeSJKXJKaAfST7e0/EmhTuxgixP0ahfn9uU.cs	High entropy of concatenated method names: 'sKNnFSggqjChf', '.ctor', '.cctor', 'EgPvcylUcujPNS5a6Gc', 'sciDT5lliNxAlBSKPXt', 'cPqx4qlksxQK38ktsiY', 'dA3OA6ldVEgTf9bsXaX', 'd1Mfp3lAcY27JGUCbGh', 'zIWqTclHNHxJ45Vm6gx', 'mDb4UolRyqL1e0yqgZl'
Source: 4.0.GimmerBot.exe.610000.0.unpack, KFgV3QMKpRoDPZFWZ4/CaIZKNsBuQsM0iMuHO.cs	High entropy of concatenated method names: '.ctor', 'UNqCMK38WL', 'R3mCvjobAZ', 'HvBCkEZC2q', 'koUC8d6T0h', 'nHPCqrIeft', 'nZbCA8Ycso', 'nVwC3aL1KZ', 'QF5CatIjCi', 'beuCjX85j3'
Source: 4.0.GimmerBot.exe.610000.0.unpack, Lab1/FormLab1.cs	High entropy of concatenated method names: '.ctor', 'oRQoUthgY', 'a5ih8lBKL', 'Dispose', 'uGEfMaLNC', 'CD9GX0XVUYhrUHn2KL', 'JTRmblxTdY3AqDDJCg', 'Bp32lkyU026iqjk3OU', 'ABZLZhPLthoV5TNZti', 'Q2lrv3MBFhVxJ97B5p'
Source: 4.0.GimmerBot.exe.610000.0.unpack, y1xmiW5A1I40ewigNW/MuINH2E6N6h1w390Dl.cs	High entropy of concatenated method names: '.ctor', 'iASCFUb3f4', 'qTICCuvFYi', 'O1SCWRffOB', 'BXYCo8E63A', 'oedCh2lUVN', 'Dispose', 'rPBCfRSbsn', 'aGqF8mT8Z1prf4GPAW', 'nZWCXRa4COs9BGSRjH'
Source: 4.0.GimmerBot.exe.610000.0.unpack, jKUDeA3BcACkXrCg89/PhBSmVA4h5SXCsOTvU.cs	High entropy of concatenated method names: '.ctor', 'RRDW822b0U', 'zJxWqsHCx2', 'BBgWAv8SOK', 'ggmW3xrWMN', 'dbkb5xH1ipsC5BHnuCM', 'g817BHHTS61AmxwXYr6', 'nEiyxhHaQRCYqXAPp6V', 'DvaQWgHFS5RkoshMSWb', 'cUCbtlHn7djy8yVYY4J'
Source: 4.0.GimmerBot.exe.610000.0.unpack, udSnyQOn855MTUH39h/XMHL7Hfn319dJ3QbqC.cs	High entropy of concatenated method names: '.ctor', 'DXJmKaAfS', 'I7e10qwHJ', 'R48ZI2NCY', 'P4wHp1fUi', 'QLj0j548v', 'emti8V8eM', 'mKJuQosgW', 'pIFbx5oSr', 'S1OVh1Urj'
Source: 4.0.GimmerBot.exe.610000.0.unpack, nPw3F3kiaAT9L2m3Ra/y3kVoovs26cJYUhTxH.cs	High entropy of concatenated method names: 'Qn6WEVXta0', 'CFAW57KTDM', '.ctor', 'rMFCzSsLCx', 'JKrWFujUbK', 'SGNWCDdwn1', 'RVJWWJrBd1', 'qDKWorKHYT', 'WxwWhwX4Z6', 'QmnWfbUvEg'
Source: 4.0.GimmerBot.exe.610000.0.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	High entropy of concatenated method names: '.cctor', 'GUsnFSgs6jGAN', 'qknooMPGd2', 'BLAohGB5O9', 'YFGofWp81N', 'lbHoOTKsWA', 'eRHoEcXLTi', 'MNFo5lFho5', 'Pm3os9CVxd', 'UnsoMTfYa6'
Source: 4.0.GimmerBot.exe.610000.0.unpack, ucsoAVcwaL1KZRF5tI/U6T0hABHPrIeft3Zb8.cs	High entropy of concatenated method names: 'xrvhhwbqq5', 'nPohfpMQty', 'sc2hO7XxI7', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'EDFVkYOfZDSrJWyy9p', 'HUKE2lDulZk8lJRyyL', 'ykb6jBIy7JGZsmXj1i', 'cZXbRTdlEkXMuiHw7A'
Source: 4.0.GimmerBot.exe.610000.0.unpack, VkqeSJKXJKaAfST7e0/EmhTuxgixP0ahfn9uU.cs	High entropy of concatenated method names: 'sKNnFSggqjChf', '.ctor', '.cctor', 'EgPvcylUcujPNS5a6Gc', 'sciDT5lliNxAlBSKPXt', 'cPqx4qlksxQK38ktsiY', 'dA3OA6ldVEgTf9bsXaX', 'd1Mfp3lAcY27JGUCbGh', 'zIWqTclHNHxJ45Vm6gx', 'mDb4UolRyqL1e0yqgZl'
Source: 4.2.GimmerBot.exe.610000.1.unpack, KFgV3QMKpRoDPZFWZ4/CaIZKNsBuQsM0iMuHO.cs	High entropy of concatenated method names: '.ctor', 'UNqCMK38WL', 'R3mCvjobAZ', 'HvBCkEZC2q', 'koUC8d6T0h', 'nHPCqrIeft', 'nZbCA8Ycso', 'nVwC3aL1KZ', 'QF5CatIjCi', 'beuCjX85j3'
Source: 4.2.GimmerBot.exe.610000.1.unpack, ucsoAVcwaL1KZRF5tI/U6T0hABHPrIeft3Zb8.cs	High entropy of concatenated method names: 'xrvhhwbqq5', 'nPohfpMQty', 'sc2hO7XxI7', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'EDFVkYOfZDSrJWyy9p', 'HUKE2lDulZk8lJRyyL', 'ykb6jBIy7JGZsmXj1i', 'cZXbRTdlEkXMuiHw7A'
Source: 4.2.GimmerBot.exe.610000.1.unpack, Lab1/FormLab1.cs	High entropy of concatenated method names: '.ctor', 'oRQoUthgY', 'a5ih8lBKL', 'Dispose', 'uGEfMaLNC', 'CD9GX0XVUYhrUHn2KL', 'JTRmblxTdY3AqDDJCg', 'Bp32lkyU026iqjk3OU', 'ABZLZhPLthoV5TNZti', 'Q2lrv3MBFhVxJ97B5p'
Source: 4.2.GimmerBot.exe.610000.1.unpack, y1xmiW5A1I40ewigNW/MuINH2E6N6h1w390Dl.cs	High entropy of concatenated method names: '.ctor', 'iASCFUb3f4', 'qTICCuvFYi', 'O1SCWRffOB', 'BXYCo8E63A', 'oedCh2lUVN', 'Dispose', 'rPBCfRSbsn', 'aGqF8mT8Z1prf4GPAW', 'nZWCXRa4COs9BGSRjH'
Source: 4.2.GimmerBot.exe.610000.1.unpack, jKUDeA3BcACkXrCg89/PhBSmVA4h5SXCsOTvU.cs	High entropy of concatenated method names: '.ctor', 'RRDW822b0U', 'zJxWqsHCx2', 'BBgWAv8SOK', 'ggmW3xrWMN', 'dbkb5xH1ipsC5BHnuCM', 'g817BHHTS61AmxwXYr6', 'nEiyxhHaQRCYqXAPp6V', 'DvaQWgHFS5RkoshMSWb', 'cUCbtlHn7djy8yVYY4J'
Source: 4.2.GimmerBot.exe.610000.1.unpack, nPw3F3kiaAT9L2m3Ra/y3kVoovs26cJYUhTxH.cs	High entropy of concatenated method names: 'Qn6WEVXta0', 'CFAW57KTDM', '.ctor', 'rMFCzSsLCx', 'JKrWFujUbK', 'SGNWCDdwn1', 'RVJWWJrBd1', 'qDKWorKHYT', 'WxwWhwX4Z6', 'QmnWfbUvEg'
Source: 4.2.GimmerBot.exe.610000.1.unpack, udSnyQOn855MTUH39h/XMHL7Hfn319dJ3QbqC.cs	High entropy of concatenated method names: '.ctor', 'DXJmKaAfS', 'I7e10qwHJ', 'R48ZI2NCY', 'P4wHp1fUi', 'QLj0j548v', 'emti8V8eM', 'mKJuQosgW', 'pIFbx5oSr', 'S1OVh1Urj'
Source: 4.2.GimmerBot.exe.610000.1.unpack, VkqeSJKXJKaAfST7e0/EmhTuxgixP0ahfn9uU.cs	High entropy of concatenated method names: 'sKNnFSggqjChf', '.ctor', '.cctor', 'EgPvcylUcujPNS5a6Gc', 'sciDT5lliNxAlBSKPXt', 'cPqx4qlksxQK38ktsiY', 'dA3OA6ldVEgTf9bsXaX', 'd1Mfp3lAcY27JGUCbGh', 'zIWqTclHNHxJ45Vm6gx', 'mDb4UolRyqL1e0yqgZl'
Source: 4.2.GimmerBot.exe.610000.1.unpack, UbuLjjY548vfmt8V8e/DCYi4w6p1fUi320XZd.cs	High entropy of concatenated method names: '.cctor', 'GUsnFSgs6jGAN', 'qknooMPGd2', 'BLAohGB5O9', 'YFGofWp81N', 'lbHoOTKsWA', 'eRHoEcXLTi', 'MNFo5lFho5', 'Pm3os9CVxd', 'UnsoMTfYa6'

Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\GimmerBot.exe TID: 2388	Thread sleep time: -41000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1156	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1156	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1300	Thread sleep count: 1022 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe TID: 1300	Thread sleep time: -102200s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\GimmerBot.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\GimmerBot.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe

Window / User API: threadDelayed 1022

Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe	Thread delayed: delay time: 41000			Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	Binary or memory string: VMwareVMware
Source: GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	Binary or memory string: VMWare
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: GimmerBot.exe, 00000001.00000002.252225483.0000000003A16000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: GimmerBot.exe, 00000004.00000002.504163783.0000000000EE1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\GimmerBot.exe

Code function: 1_2_0153C508 CheckRemoteDebuggerPresent,

1_2_0153C508

Source: C:\Users\user\Desktop\GimmerBot.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe

Process created: C:\Users\user\Desktop\GimmerBot.exe {path}

Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe	Queries volume information: C:\Users\user\Desktop\GimmerBot.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GimmerBot.exe	Queries volume information: C:\Users\user\Desktop\GimmerBot.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\GimmerBot.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Grandsteal

Show sources

Source: Yara match	File source: 4.2.GimmerBot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GimmerBot.exe.44e3728.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GimmerBot.exe.44e3728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GimmerBot.exe PID: 1400, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp	String found in binary or memory: Exodus#\Electrum\wallets
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp	String found in binary or memory: Bytecoin+\Exodus\exodus.wallet
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp	String found in binary or memory: Electrum#\Ethereum\wallets
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp	String found in binary or memory: Bytecoin+\Exodus\exodus.wallet
Source: GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp	String found in binary or memory: Electrum#\Ethereum\wallets
Source: GimmerBot.exe	String found in binary or memory: set_UseMachineKeyStore

Source: Yara match	File source: 4.2.GimmerBot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GimmerBot.exe.44e3728.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GimmerBot.exe.44e3728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GimmerBot.exe PID: 1400, type: MEMORYSTR

Remote Access Functionality:

Yara detected Grandsteal

Show sources

Source: Yara match	File source: 4.2.GimmerBot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GimmerBot.exe.44e3728.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GimmerBot.exe.44e3728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GimmerBot.exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GimmerBot.exe PID: 1400, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
GimmerBot.exe	64%	Virustotal		Browse
GimmerBot.exe	56%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
GimmerBot.exe	100%	Avira	HEUR/AGEN.1138166

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.GimmerBot.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1134619	Download File
1.2.GimmerBot.exe.bd0000.0.unpack	100%	Avira	HEUR/AGEN.1138166	Download File
1.0.GimmerBot.exe.bd0000.0.unpack	100%	Avira	HEUR/AGEN.1138166	Download File
4.0.GimmerBot.exe.610000.0.unpack	100%	Avira	HEUR/AGEN.1138166	Download File
4.2.GimmerBot.exe.610000.1.unpack	100%	Avira	HEUR/AGEN.1138166	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.globalsign.net/repository/03	0%	URL Reputation	safe
https://f.tsuyogari.ru/192843027.exe	13%	Virustotal		Browse
https://f.tsuyogari.ru/192843027.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	false		high
http://stackoverflow.com/q/11564914;	GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	false		high
http://ip-api.com/json/	GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	false		high
http://stackoverflow.com/q/2152978/23354sCannot	GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	false		high
http://www.globalsign.net/repository/03	GimmerBot.exe	false	URL Reputation: safe	unknown
https://f.tsuyogari.ru/192843027.exe	GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://stackoverflow.com/q/14436606/	GimmerBot.exe, 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, GimmerBot.exe, 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
195.2.75.10	unknown	Russian Federation		48282	VDSINA-ASRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	478824
Start date:	07.09.2021
Start time:	10:38:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	GimmerBot.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.8% (good quality ratio 1.9%) Quality average: 45.9% Quality standard deviation: 39.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 73 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
10:39:19	API Interceptor	1x Sleep call for process: GimmerBot.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VDSINA-ASRU	video.exe	Get hash	malicious	Browse	94.103.86.184
	HEWFj6cmsN.exe	Get hash	malicious	Browse	178.208.83.23
	wkJ6cREJOS.exe	Get hash	malicious	Browse	109.234.32.63
	09m5uwn6Wm.exe	Get hash	malicious	Browse	94.103.80.219
	EVSON49uVr.exe	Get hash	malicious	Browse	195.2.93.247
	eTHJDdbBie.exe	Get hash	malicious	Browse	185.209.30.177
	j2p2BI1bd2.exe	Get hash	malicious	Browse	94.103.83.88
	Ee0iNT99wg.exe	Get hash	malicious	Browse	109.234.32.63
	malo.js	Get hash	malicious	Browse	195.2.92.62
	tTdPwZJ6Ia.exe	Get hash	malicious	Browse	94.103.80.73
	PO4318.exe	Get hash	malicious	Browse	178.208.83.38
	u9cYJIDo4S.exe	Get hash	malicious	Browse	195.2.78.163
	VibR4H3H85.exe	Get hash	malicious	Browse	195.2.78.163
	XeH814tuWy.exe	Get hash	malicious	Browse	195.2.78.163
	mosoxxxHack.exe	Get hash	malicious	Browse	109.234.32.63
	n09ZZ3WpGK.exe	Get hash	malicious	Browse	195.2.78.238
	ZhmNYDjrym.exe	Get hash	malicious	Browse	94.103.80.73
	onekb0XOFQ.exe	Get hash	malicious	Browse	109.234.32.63
	q2t57gIiIY.exe	Get hash	malicious	Browse	94.103.80.169
	3279B2CD8DF2AD838397940CEC377D3DB13744CE713ED.exe	Get hash	malicious	Browse	94.103.93.227

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GimmerBot.exe.log Download File
Process:	C:\Users\user\Desktop\GimmerBot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	507
Entropy (8bit):	5.326917011299938
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPk21t92n4M6:MLUE4Kx1qE4qpE4Ks2f84j
MD5:	390D3316EAFD992B222CE8739F83B38E
SHA1:	97AD9DCC639591E928D11598C240438463B6C570
SHA-256:	B0E13991DAE15F2D848345A35732955172D045869B8CB1C4B55C897710B92F13
SHA-512:	FF0B69E1741BCF7B1060127FB1AA14F77B9C3460D551F1FD731DC8AAEF5ABDBCAE06FE0A3469AA60B1E15093FCD7DB3898E0BC811A089B3CE689D8C24A363CDF
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.230420653580413
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	GimmerBot.exe
File size:	878896
MD5:	dbde99c0ef07b4c3e3339189b950f9d1
SHA1:	c85e474225c32359054e96e81f7c3d16a85cc65d
SHA256:	dda8e5e4b93708ef5042d3e46027670a9ffa93f4c18646d0e48b13f8d1b013fe
SHA512:	ec7d3af3f215bca8ea037dcc98a3f8ef425552d007e68b24d29adb9d7e14ee0113e782e6b4e78acabdc7c394710190b1efe1f85ac5da87ba8ec2855ad849d857
SSDEEP:	24576:AIiCT/qn22huIcHZCNY+GQ/BTaS7smxq:yCzq7gkHBQmx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....1_.....................<.......'... ...@....@.. ....................................@................................

File Icon


Icon Hash:	1271e8f8dcd47192

Static PE Info

General
Entrypoint:	0x4a270e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F3199CF [Mon Aug 10 19:02:39 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	9/2/2016 1:26:58 AM 9/3/2018 1:26:58 AM
Subject Chain	CN=Acer Incorporated, O=Acer Incorporated, L=New Taipei, S=New Taipei, C=TW
Version:	3
Thumbprint MD5:	A2FDBEC3475CF779D8414193E938A720
Thumbprint SHA-1:	D8808289749D96E91DB283F10CBD2C4154D4034A
Thumbprint SHA-256:	9578515B884CC79F335FDA649CD12787478729EC8CAFA3EFD250DF1F0AD40600
Serial:	63F07348D0F35040ADB2EC28

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa26c0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x337fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd4800	0x2130	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa0714	0xa0800	False	0.9149432316	SysEx File - Solton	7.84895459195	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xa4000	0x1e8	0x200	False	0.859375	data	6.62495715504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x337fc	0x33800	False	0.276561551881	data	4.11415766001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa6310	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xb6b38	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0xbad60	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xbd308	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xbe3b0	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xbe818	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xbec80	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xbfd28	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xc22d0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0xc64f8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd6d20	0x2540	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xd9260	0xa0	data
RT_VERSION	0xd9300	0x310	data
RT_MANIFEST	0xd9610	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	GimmerBot 2019
Assembly Version	1.0.0.0
InternalName	Stubv4.0.exe
FileVersion	1.0.0.0
CompanyName	GimmerBot
Assembly Copyright	GimmerBot 2019
ProductVersion	1.0.0.0
FileDescription	GimmerBot-2.2.386.Setup
OriginalFilename	gimmer.exe
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2021 10:39:24.261918068 CEST	49705	2012	192.168.2.7	195.2.75.10
Sep 7, 2021 10:39:27.276138067 CEST	49705	2012	192.168.2.7	195.2.75.10
Sep 7, 2021 10:39:33.276699066 CEST	49705	2012	192.168.2.7	195.2.75.10

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: GimmerBot.exe PID: 5148 Parent PID: 5516

General

Start time:	10:39:18
Start date:	07/09/2021
Path:	C:\Users\user\Desktop\GimmerBot.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\GimmerBot.exe'
Imagebase:	0xbd0000
File size:	878896 bytes
MD5 hash:	DBDE99C0EF07B4C3E3339189B950F9D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000001.00000002.248714982.0000000003151000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Grandsteal, Description: Yara detected Grandsteal, Source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.252618204.0000000004323000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: GimmerBot.exe PID: 1400 Parent PID: 5148

General

Start time:	10:39:22
Start date:	07/09/2021
Path:	C:\Users\user\Desktop\GimmerBot.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x610000
File size:	878896 bytes
MD5 hash:	DBDE99C0EF07B4C3E3339189B950F9D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Grandsteal, Description: Yara detected Grandsteal, Source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.502581599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: GimmerBot.exe PID: 5148 Parent PID: 5516 GimmerBot.exeCOMMON

Executed Functions

Function 0153B2F0, Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

<, xrefs: 0153B406
sV3, xrefs: 0153B456

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID: <$sV3
API String ID: 0-553286724
Opcode ID: a05bd7b5614287be8e997a7a44b7d408821331ee30ea40ea5b8266eba03ab441
Instruction ID: 0bb269915c69893aab1a8750671034d43fa55fabf9a0839c9954c9c8e0507d6b
Opcode Fuzzy Hash: a05bd7b5614287be8e997a7a44b7d408821331ee30ea40ea5b8266eba03ab441
Instruction Fuzzy Hash: CF51A375E006188FDB58CFAAC8406DDBBF2BF89304F14C0AAD519AB264EB305A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0153C508, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0153C57F

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: fd393f011045d22ee7d7d8cb092e18c01000fd4cacf2f124b3336e0ed6c5eba9
Instruction ID: cfb3cfaeafe57dcfd1521002cdc374d24a658cd3417217bd4e8be737db60b80e
Opcode Fuzzy Hash: fd393f011045d22ee7d7d8cb092e18c01000fd4cacf2f124b3336e0ed6c5eba9
Instruction Fuzzy Hash: 252114B19012198FCB00CF9AD884BEEBBF4AF49224F14846AE459B7240D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0153D218, Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

D94!, xrefs: 0153D3F9

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID: D94!
API String ID: 0-3922406848
Opcode ID: 99e27c493e9f57840cd84fb790c2466853a7f535def8f463acfeab726a1af8df
Instruction ID: 3d5a9a437e28ea390a2143a41792c7d7f11798450e4aac28b5901680155e6084
Opcode Fuzzy Hash: 99e27c493e9f57840cd84fb790c2466853a7f535def8f463acfeab726a1af8df
Instruction Fuzzy Hash: FF81C174E102198FDB08CFE9D984AAEFBB2FF89310F10842AD919AB354DB349945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0153DA68, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b842ae8a561e2000ed8bd385dac0334251143c82b0aaf929294e1c4eed0b377
Instruction ID: 90a3b8e3c06e528b3920e6696828aa36c9102ad4a995af3b55e3b6e85cd42ef4
Opcode Fuzzy Hash: 7b842ae8a561e2000ed8bd385dac0334251143c82b0aaf929294e1c4eed0b377
Instruction Fuzzy Hash: 7051F470E142098FDB08CFEAD5456AEFBF2FF88200F14D46AD419AB254D7749A42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0153C6A8, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b493a7df299aa3d34b0947d1b57ba68b57faad6720cdb39140a33713bcf9373a
Instruction ID: 8b8574b59db82c9f8c6d0e57024048e0a6cb272a8e0c29565a2a6d48df6ecbb5
Opcode Fuzzy Hash: b493a7df299aa3d34b0947d1b57ba68b57faad6720cdb39140a33713bcf9373a
Instruction Fuzzy Hash: F331DA71E006189FEB18DFAAD84079EF7F3BFC9204F14C0AAD518AB254DB3059459F61

Uniqueness

Uniqueness Score: -1.00%

Function 0153E460, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5087c9d840c77b98f0dc39f779c65a26c8ecd4ebc33e1ad997d84e5cb05b2eea
Instruction ID: 20845d0fb6edf1290547f9440df0885522137e670eb5356f10245aec46aeab9a
Opcode Fuzzy Hash: 5087c9d840c77b98f0dc39f779c65a26c8ecd4ebc33e1ad997d84e5cb05b2eea
Instruction Fuzzy Hash: 8731D671E106188BDB18CFAAD84569EBBB7EFC8311F14C0AAE409AB258DB355A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0153C5E8, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0153C65B

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b410afe831182ec71a4524bee0f7d38bc36d103501d5ce74c26c0dc08fb8d650
Instruction ID: a753b00273a701c155e05f840f5843068fe13506450ffa2363ff7ef9b4435612
Opcode Fuzzy Hash: b410afe831182ec71a4524bee0f7d38bc36d103501d5ce74c26c0dc08fb8d650
Instruction Fuzzy Hash: 0421E775D006499FCB10CF9AC884BDEFBF4FB48320F10842AE568A7250D775A555DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0117D1AD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.247844106.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9eb1ad83d6874325111818d543b85b0707f6d161998e3f0927a03467462bd4c
Instruction ID: 5c44dfdab06eb17d98728ef7a1e3166d106c95b8404a139604dd0ec2f7addf6a
Opcode Fuzzy Hash: c9eb1ad83d6874325111818d543b85b0707f6d161998e3f0927a03467462bd4c
Instruction Fuzzy Hash: D2012B71409348EEEB194AA9EC807A3BFACEF45274F08C45AED084B346C779D844C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D1AC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.247844106.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1770fa8ffb5381a9b538dbb2ce94d9d177e31a7e3226c54ea972adf656297bd9
Instruction ID: ab09913fe89b7a2482d452244dea709e2a5390b933d5c5684f7389f374914736
Opcode Fuzzy Hash: 1770fa8ffb5381a9b538dbb2ce94d9d177e31a7e3226c54ea972adf656297bd9
Instruction Fuzzy Hash: 8AF06271404288AAEB158A59DCC4BA2FFA8EF45774F18C45AED085B386C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01536A60, Relevance: 5.2, Strings: 4, Instructions: 224COMMON

Download Yara Rule

Strings

8, xrefs: 0153710C
;~, xrefs: 015370B4
8, xrefs: 015371DC
*/, xrefs: 01537232

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID: */$8$8$;~
API String ID: 0-3083792531
Opcode ID: 5fbc4675bae4188892cd4d6d779a088445f4526b2dbb7946bc7feded96a1302c
Instruction ID: e208d079859b6fa50d0d981b0cda363ea72086a86d79c5797a968f4137b8b5c8
Opcode Fuzzy Hash: 5fbc4675bae4188892cd4d6d779a088445f4526b2dbb7946bc7feded96a1302c
Instruction Fuzzy Hash: 6AB126B0D05669CBDB65CF16D8483D9BBB1BB89304F1085E9C05CAB294DBB54BC8CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0153750F, Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

8, xrefs: 0153710C
;~, xrefs: 015370B4
8, xrefs: 015371DC
*/, xrefs: 01537232

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID: */$8$8$;~
API String ID: 0-3083792531
Opcode ID: 645fe94c410019bf3c2d080fba31f29fbee7cf63f421949f332ffa77f5c3dfa2
Instruction ID: 376a631494496d5e421e2e3ca266ff3c9a5cbc01c2808cad3ebd1d2c5a3dfd77
Opcode Fuzzy Hash: 645fe94c410019bf3c2d080fba31f29fbee7cf63f421949f332ffa77f5c3dfa2
Instruction Fuzzy Hash: 48A120B0C0566ADBDB659F24D8487E9BBF0FB8A305F5055DAC01AAB284D7B44AC8CF44

Uniqueness

Uniqueness Score: -1.00%

Function 01536A51, Relevance: 5.2, Strings: 4, Instructions: 201COMMON

Download Yara Rule

Strings

8, xrefs: 0153710C
;~, xrefs: 015370B4
8, xrefs: 015371DC
*/, xrefs: 01537232

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID: */$8$8$;~
API String ID: 0-3083792531
Opcode ID: cb05134504e815ed1da8e2669f0350330a6de492df8aa9de9aca903337d24c3e
Instruction ID: 37572ac728b88120cb8d0d0cf047685b5bab824dc40b53d142fcbe49b46a8e2d
Opcode Fuzzy Hash: cb05134504e815ed1da8e2669f0350330a6de492df8aa9de9aca903337d24c3e
Instruction Fuzzy Hash: 29A125B0D41669DBDB65CF26D8483D9BBF1BB89304F1085EAC019AB294D7B54BC9CF40

Uniqueness

Uniqueness Score: -1.00%

Function 015392C8, Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

#, xrefs: 0153937A

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 968c84e8062907847a2edfe479a72498e992175c0791054c01419593ecd09fd6
Instruction ID: 7a315febb8d8f08a76ba10bed9639166f6fef3b23541a0e04110e84433644eea
Opcode Fuzzy Hash: 968c84e8062907847a2edfe479a72498e992175c0791054c01419593ecd09fd6
Instruction Fuzzy Hash: 9121BCB1D056188BEB2DCF6B89042CAB7F7BFC9304F04D4F98448AB254DB704A858E45

Uniqueness

Uniqueness Score: -1.00%

Function 01530888, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d575d354f849b9291aa6b5dcf464cfced8631cef8503271a66d41bda16e295b6
Instruction ID: 960e644f0d983f7f6c6d58b67dc4caab1e952258b66f1db04624f3ee2360df88
Opcode Fuzzy Hash: d575d354f849b9291aa6b5dcf464cfced8631cef8503271a66d41bda16e295b6
Instruction Fuzzy Hash: DE515A70E24209CFDB59DFBAE54069EBBF2FF85208F04C439D4249B764EB7458469B81

Uniqueness

Uniqueness Score: -1.00%

Function 01530878, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf83f16a1ca91204e41dcad24439fb29bd5cca2f3d7ec46af5391ff9a98df7ec
Instruction ID: 2755b4c0883d92110ecbb3355081af2fd8912ee633726d553c53a64fda60d56a
Opcode Fuzzy Hash: bf83f16a1ca91204e41dcad24439fb29bd5cca2f3d7ec46af5391ff9a98df7ec
Instruction Fuzzy Hash: 4D515B70A24209CFDB59DFBAE54069EBBF2FF85208F04C439D4249B764EB3458469B81

Uniqueness

Uniqueness Score: -1.00%

Function 01530AF8, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.248407191.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00ce774ba029bc37b48bf2e840b5744d87267f8f452a4d2fd5f64d131fada17
Instruction ID: bc80883884f4d893d5b426025ee7ea099955f9a00cc0e3e2c37198b6525599d4
Opcode Fuzzy Hash: c00ce774ba029bc37b48bf2e840b5744d87267f8f452a4d2fd5f64d131fada17
Instruction Fuzzy Hash: 924141B1D056188BEB5DCF6B8D4479EFAF7BFC8204F14C1BA951CAB254EB7009858E11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: GimmerBot.exe PID: 1400 Parent PID: 5148 GimmerBot.exeCOMMON

Executed Functions

Function 00E62D58, Relevance: 3.6, Strings: 2, Instructions: 1114COMMON

Download Yara Rule

Strings

4, xrefs: 00E63707
Xc)l, xrefs: 00E63875

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: 4$Xc)l
API String ID: 0-1577225584
Opcode ID: 2a3b2283d461f75fea435b525b227fa68e83567efcf9cff3a7c9b18784a622f1
Instruction ID: ac5eee0ebce8e377fc3099852e93a67e7ec2036b26e6a4313fa70621a98a63e1
Opcode Fuzzy Hash: 2a3b2283d461f75fea435b525b227fa68e83567efcf9cff3a7c9b18784a622f1
Instruction Fuzzy Hash: E2A20734A40218CFDB14DF69D994B9DB7B6BF49344F1190A9E909AB361CB30EE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E65958, Relevance: 2.8, Strings: 2, Instructions: 285COMMON

Download Yara Rule

Strings

<n)l, xrefs: 00E65B6E
\$l, xrefs: 00E659BD

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: <n)l$\$l
API String ID: 0-4170098607
Opcode ID: a2e90c5638569c2c1d781bac5315ed6b0246d8cbac4c6dfa14a37e841c4ee8c2
Instruction ID: f34316442c90942ed52b9f7223c943ec868e8ca1642d3c5dea17f990243c8774
Opcode Fuzzy Hash: a2e90c5638569c2c1d781bac5315ed6b0246d8cbac4c6dfa14a37e841c4ee8c2
Instruction Fuzzy Hash: A4A168357406198FCB14DF79C894A6EB7E6AF89748B1584A9EA02DF364EB30DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E63080, Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

4, xrefs: 00E63707

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: a052325d042070de3e181d467e3d5678da65aecbeb4d143a7d2ce5715b4e377f
Instruction ID: 8d4b6ddd3bc0c74f33b79b9a6c3629908bcd2cd47585e5ed26150964e6a2fe01
Opcode Fuzzy Hash: a052325d042070de3e181d467e3d5678da65aecbeb4d143a7d2ce5715b4e377f
Instruction Fuzzy Hash: 7B221734A40218CFDB14DF64D984BADB7B6BF49348F1190A9E909AB361DB31EE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E65303, Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3eff133650578b260c4f397dc4ff6ed0ed0a91934e0e0fa182570c99e36703c
Instruction ID: 5c24363071f3db41c54639b2592d1556b45226399e8d249662619ea5f6c802d5
Opcode Fuzzy Hash: d3eff133650578b260c4f397dc4ff6ed0ed0a91934e0e0fa182570c99e36703c
Instruction Fuzzy Hash: C8F18C36B002058FDB04DF69D590AADBBE2EF88344F149069E906EF361DB31ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E61540, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c1d9d6231933262b98ebb83b92fde8e0f0b9a7a0936075dd58ae46aca1b4bd
Instruction ID: f6830b485a010650add70795436ae07b827b6a858b497823b224479f9591e42d
Opcode Fuzzy Hash: 90c1d9d6231933262b98ebb83b92fde8e0f0b9a7a0936075dd58ae46aca1b4bd
Instruction Fuzzy Hash: A9A1D5707006054BCB58FBB898652AFB2E7AFC5208B454D2CD607DB794DF30ED0A8792

Uniqueness

Uniqueness Score: -1.00%

Function 00E6153F, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe6a413bf58d542739be1e138d3b32b381ecafdb4e213d97bb1e0e556e7aa48
Instruction ID: 93aa36a7bec45ac329f55e429b0f9103dc08a70802b1252907e9927178159314
Opcode Fuzzy Hash: 5fe6a413bf58d542739be1e138d3b32b381ecafdb4e213d97bb1e0e556e7aa48
Instruction Fuzzy Hash: EDA1D4707006054FCB58FBB898652AFB2E7AFC5208B45492CD607DB794DF30ED0A8792

Uniqueness

Uniqueness Score: -1.00%

Function 00E68AC0, Relevance: 16.6, Strings: 13, Instructions: 328COMMON

Download Yara Rule

Strings

De, xrefs: 00E68C24
$%%l, xrefs: 00E68DD1
\g, xrefs: 00E68E19
\g, xrefs: 00E68E0D
$%%l, xrefs: 00E68D90
Dc, xrefs: 00E68B88
$%%l, xrefs: 00E68D7E
\g, xrefs: 00E68DE3
$%%l, xrefs: 00E68DC5
Dd, xrefs: 00E68BD6
$%%l, xrefs: 00E68D3D
$%%l, xrefs: 00E68D72
Xf, xrefs: 00E68C72

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: $%%l$$%%l$$%%l$$%%l$$%%l$$%%l$Dc$Dd$De$Xf$\g$\g$\g
API String ID: 0-2912078257
Opcode ID: 6b0ef57dbef24174c48d78ab3ea1f9f9979dd905ebe029f3db9f49fb14cdbb4e
Instruction ID: a3a6b55c2653ff501d1d95e0862aef884c84646ed502c5631ba4e5568b2ccc3a
Opcode Fuzzy Hash: 6b0ef57dbef24174c48d78ab3ea1f9f9979dd905ebe029f3db9f49fb14cdbb4e
Instruction Fuzzy Hash: A4C1CE707402028FCB44EF38D595A6E77E2AF89348B105A69E506DF3A2DF71EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E68ABF, Relevance: 12.8, Strings: 10, Instructions: 277COMMON

Download Yara Rule

Strings

De, xrefs: 00E68C24
$%%l, xrefs: 00E68D3D
$%%l, xrefs: 00E68D72
\g, xrefs: 00E68E0D
$%%l, xrefs: 00E68D90
Dc, xrefs: 00E68B88
\g, xrefs: 00E68DE3
Xf, xrefs: 00E68C72
$%%l, xrefs: 00E68DC5
Dd, xrefs: 00E68BD6

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: $%%l$$%%l$$%%l$$%%l$Dc$Dd$De$Xf$\g$\g
API String ID: 0-3648936473
Opcode ID: cf960901b24ab3e59854cc306d629806e20a658f26c50de53b612cce23f63acf
Instruction ID: 59d54bbaea433cae69c3081564af0b4c001cbd8dab62acb1ac3249cc915153a6
Opcode Fuzzy Hash: cf960901b24ab3e59854cc306d629806e20a658f26c50de53b612cce23f63acf
Instruction Fuzzy Hash: A4A1A1707402028FCB14DF38D595AAE77E2EF89348B505A29E5069F3A2DF71EC458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E64728, Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

Xc)l, xrefs: 00E6481D
Xc)l, xrefs: 00E6482D

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: Xc)l$Xc)l
API String ID: 0-618629790
Opcode ID: cc74127df53e6b6eb8c8b034a7e3c301967dcec48376c3d0a53b61984021587a
Instruction ID: 188135f2a59ee5d6b9ab15218d8a0bc3b99ffae1bc797ebfc4e0105983eaa80b
Opcode Fuzzy Hash: cc74127df53e6b6eb8c8b034a7e3c301967dcec48376c3d0a53b61984021587a
Instruction Fuzzy Hash: D7229D70E402198FCB05EFA5E854AAEBBF1BF88744F14941AE811BB3A5DB349D46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E69FA8, Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

d+)l, xrefs: 00E69FCC
|p, xrefs: 00E69FB7

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: d+)l$|p
API String ID: 0-773754695
Opcode ID: 793cb821574651198b80f48cad77093af4524fad83076b6ef57f41f48f8a5131
Instruction ID: 28aa07e4343d734f1c1bcc7da7e05c0e9b24c27ef7cdb7466e236bcb4c5b2806
Opcode Fuzzy Hash: 793cb821574651198b80f48cad77093af4524fad83076b6ef57f41f48f8a5131
Instruction Fuzzy Hash: 53310330B102058FCB04DF29D84096EB3A6EFC8318B05852AE609EB390DF70ED068B92

Uniqueness

Uniqueness Score: -1.00%

Function 00E67219, Relevance: 2.6, Strings: 2, Instructions: 57COMMON

Download Yara Rule

Strings

,-, xrefs: 00E67296
D+, xrefs: 00E67270

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: ,-$D+
API String ID: 0-3289906048
Opcode ID: 5b4d45c5f98ea993a6ca6a2d5a2dd28412e63234502d8fd001b1f514dc467332
Instruction ID: 9758425ca34b20e2c4ae6886683e3c12e108849f71cf5f5627ea15547167e23c
Opcode Fuzzy Hash: 5b4d45c5f98ea993a6ca6a2d5a2dd28412e63234502d8fd001b1f514dc467332
Instruction Fuzzy Hash: 1D212E70D0424AAFCF44EFA4D8665AEBB72EF89300F01446EE601BB3A5DB351E45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E67228, Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

,-, xrefs: 00E67296
D+, xrefs: 00E67270

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: ,-$D+
API String ID: 0-3289906048
Opcode ID: 6b15e777cfa7a4e5ba139614abe87d6dc783f20b6d737b297f8fdd64e7258e90
Instruction ID: 44c91612c794d3a36dee031dddd662083d95fa3f10d63aa6b70753877388c373
Opcode Fuzzy Hash: 6b15e777cfa7a4e5ba139614abe87d6dc783f20b6d737b297f8fdd64e7258e90
Instruction Fuzzy Hash: 60110774A0014AAFCF44EFA4D8665AEBB72EF89300F00446DE6027B394DB312A459BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A348, Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

|p, xrefs: 00E6A5E3

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: |p
API String ID: 0-3842814100
Opcode ID: 31e13aa50e5ac0266d2d2a216dcf5841a5b35c2a914477d5c3fc72d718960808
Instruction ID: e7a7c387de283a96a3b3532dce3e71cd156f2dc0fd310e3289099d78b29cc223
Opcode Fuzzy Hash: 31e13aa50e5ac0266d2d2a216dcf5841a5b35c2a914477d5c3fc72d718960808
Instruction Fuzzy Hash: 65A18930A502048FCB24DF68D544BAEB7F1AF88358F1994A8D506BB3A1DB75ED04CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00E61F78, Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

!, xrefs: 00E621C8

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-133318149
Opcode ID: d1b46e53855c1f4db1131c6b297df3175541724b81c2215ef9365cfed03c5171
Instruction ID: 944cab446a94855e2a6b6b292c98b6b1a119737d2c16e994ec7f6db175d9a096
Opcode Fuzzy Hash: d1b46e53855c1f4db1131c6b297df3175541724b81c2215ef9365cfed03c5171
Instruction Fuzzy Hash: A2817735B446158FDB05DFA5E898BADBBF1AF89351F14806AEA01EB3A1CB35CC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E62720, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

Xc)l, xrefs: 00E627CA

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: Xc)l
API String ID: 0-1697529776
Opcode ID: a8c3ca4b8f8984729624aa88d5b242717d0dfa6357ea66bf64075b0cf289aacd
Instruction ID: 7936c59b0c6f6f8d568947746649dbd3073b0a0fed6239fbfad6587646d04b84
Opcode Fuzzy Hash: a8c3ca4b8f8984729624aa88d5b242717d0dfa6357ea66bf64075b0cf289aacd
Instruction Fuzzy Hash: 0841CE35B001148FCB04DFA9D8909AEB7F2EF85354B15816AEA05EF361DB31EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E62438, Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

)., xrefs: 00E6244F

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: ).
API String ID: 0-1043171518
Opcode ID: e55ca91a9fa488a1bbfc63e3ba358eff8f0263a523c763d6a5fef4da9b9b0381
Instruction ID: 04cf75dae743c521c18dca4d659c254e89999c49f1484d4bffed61403078424c
Opcode Fuzzy Hash: e55ca91a9fa488a1bbfc63e3ba358eff8f0263a523c763d6a5fef4da9b9b0381
Instruction Fuzzy Hash: 5041E231A406158FCB14DFA5E8546BEBBB1FF88348F00946AD656FB294DB30DD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E69368, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

|p, xrefs: 00E69422

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: |p
API String ID: 0-3842814100
Opcode ID: d769ec1b195ad52a534b01a9c2d1f3b2d09ae39fab36ef2f168b57b418c1529c
Instruction ID: 5aabe9e06a9d6d1f152e4e148d6babccce2befaab0069a45385a83f2fb65a4ad
Opcode Fuzzy Hash: d769ec1b195ad52a534b01a9c2d1f3b2d09ae39fab36ef2f168b57b418c1529c
Instruction Fuzzy Hash: C72198303043008FC724DF28D4506AAB3A6EF89398B504938E116DB391DB72EC44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E692C1, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

P, xrefs: 00E692E3

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: b798cba320004d429f24ea10d503e7667fe8abc5de86e1f08d8b3faa221702cc
Instruction ID: 4dc7a913c472d161b8ce85b580c3ea7cd93610fbf88a6c3a7a778123bf8ac7fb
Opcode Fuzzy Hash: b798cba320004d429f24ea10d503e7667fe8abc5de86e1f08d8b3faa221702cc
Instruction Fuzzy Hash: 6A01D2316102119FC764EFB8E4619AFB3BAEFC13147408D3DE206DB2A0DB31AD058B92

Uniqueness

Uniqueness Score: -1.00%

Function 00E67E93, Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

3, xrefs: 00E67ED7

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: 3
API String ID: 0-1770408200
Opcode ID: 1662d66f6e1883be2edd39901c75e02cfd4ff19a6ba4925bfa7e6825bb4bbf54
Instruction ID: f3dfbecafc09d3e33f8a252b18a88b887ad89c81b31e37bd6911ac10129d4242
Opcode Fuzzy Hash: 1662d66f6e1883be2edd39901c75e02cfd4ff19a6ba4925bfa7e6825bb4bbf54
Instruction Fuzzy Hash: 7B014074B042178F8B10EF79E85549FFBA6EFC9648310897AD419EB314EB709E098B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E69C51, Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

d+)l, xrefs: 00E69C85

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: d+)l
API String ID: 0-2707072209
Opcode ID: 28325b9a46537b08d35cc16855dd78ce4546341b7a72463718992daa9e162a27
Instruction ID: fd1e73ed2918b6b819726f176992fafdaffa58aefbc81e58680b6d9d15fdab33
Opcode Fuzzy Hash: 28325b9a46537b08d35cc16855dd78ce4546341b7a72463718992daa9e162a27
Instruction Fuzzy Hash: 56016D306047425BC314A769E42265BB7969FC2358F04C93DE12A9F652DF72AD0A8BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00E66E61, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b380f076920073d9f99455cea11159a659a58d03e41a19c2dc21284fd4ee2953
Instruction ID: 774d8e820eda66d3e0111751da1b564ea5929ae9174e9bcdf3c0c7259a73d2a3
Opcode Fuzzy Hash: b380f076920073d9f99455cea11159a659a58d03e41a19c2dc21284fd4ee2953
Instruction Fuzzy Hash: F051CB707402018F8B29EB75E4605AE77A7AFC6348750487DEA06AF7A1DF31DC46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E661D0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f56f3bde63b3e120f72549f64271ab342af74111f5b3549c9afa3ffc3c44e6
Instruction ID: b3fe6796640b96a548c0df8b8971844219085df894a01a96d127f558a811b2aa
Opcode Fuzzy Hash: d2f56f3bde63b3e120f72549f64271ab342af74111f5b3549c9afa3ffc3c44e6
Instruction Fuzzy Hash: 2551FF303442858FCB14DFB9D8606AE7BA2AFC5348B154879E906DB7A2DF31DC46C791

Uniqueness

Uniqueness Score: -1.00%

Function 00E63D53, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996c27746fca20bec1ba6fc8ff37676517012b8828a46f5557221945b3fa1fb8
Instruction ID: fd8c34f5fc5e0dab456e26fbdf24a9417da16e69266954c2770110e551c2a2a7
Opcode Fuzzy Hash: 996c27746fca20bec1ba6fc8ff37676517012b8828a46f5557221945b3fa1fb8
Instruction Fuzzy Hash: 8441A0707451048FCB44DB79D848AAE77F2AF89358F1694A8D006EB2A1DB31DC44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E62D48, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efef314b49f630abb98f91ad584f34ddc773eaeeb6e316bcfa799523fb0935b6
Instruction ID: 1675c0e90656fe2d10878cd79f6cca835d6390d1179e52460b82191dd4e74400
Opcode Fuzzy Hash: efef314b49f630abb98f91ad584f34ddc773eaeeb6e316bcfa799523fb0935b6
Instruction Fuzzy Hash: 8041F835B506148FDB25CB24D881F99B7B1EB89354F1181EAEA19AB3A2CA31ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E66C88, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283315f258b7bcfb7d5214f5b802effdcb8e4c9f4a7f534e339d6958d224dc4c
Instruction ID: 6f1118f8c512253db3270ffd0376b48f65c4f80f615ff7ed782d320887497bec
Opcode Fuzzy Hash: 283315f258b7bcfb7d5214f5b802effdcb8e4c9f4a7f534e339d6958d224dc4c
Instruction Fuzzy Hash: 0031BC307502058FDB14EBA4D4647AEBBF6AF8A348F149429D506FB391DF70AC05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E62920, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c437eb08209bd40a1b8c1cb7aa63213360e7bdf5d5d34a11a854559a30964a
Instruction ID: 7f2d26d2a1a08ed1345fa80a6e24f82f2375c64cbb9d845609f0072dbe92d3b9
Opcode Fuzzy Hash: 40c437eb08209bd40a1b8c1cb7aa63213360e7bdf5d5d34a11a854559a30964a
Instruction Fuzzy Hash: 42313A357409018F8B14DF79E89496A77E5FF8879871564BCEA06DF365EB30DC018B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A158, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52285269e9138f64d88598aa9a6f811a2cf1197589992f7b2edeee94f541120f
Instruction ID: 7d7d5ca7db2e8e84f422a82577212eb4517e66bbbb0ede36ae64f0e6eb8728e2
Opcode Fuzzy Hash: 52285269e9138f64d88598aa9a6f811a2cf1197589992f7b2edeee94f541120f
Instruction Fuzzy Hash: 573122B0D002589FCB10CFA9D490ADEBFF5AF48348F188429E819BB350DB349945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6199F, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104155372b645a14693e7dcc3931d41ff55ccf630bba771d4090fb7e5c68ee95
Instruction ID: b766b6f5d5536a48adbcb73ed3c116c90f3b0d0c1896e98547e7c3d38321c730
Opcode Fuzzy Hash: 104155372b645a14693e7dcc3931d41ff55ccf630bba771d4090fb7e5c68ee95
Instruction Fuzzy Hash: 0721DD353093419FC716DB74985456EBBA2BFC624871989BEE80ADB391DB30EC09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E68340, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b80f3f91c5ff1a28409886876d2f1e1c4dbaa85d36838772e2cd7fc7ea234c
Instruction ID: aedae8047ce792dc2653f0b20973ff460ddf2e46ad3414a0bc0b8d018bc69893
Opcode Fuzzy Hash: 95b80f3f91c5ff1a28409886876d2f1e1c4dbaa85d36838772e2cd7fc7ea234c
Instruction Fuzzy Hash: DD21F534A402059FCB14DF64D468BAEBBF5EF897A4F04A569E845EB350DB70ED408B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E64650, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270a2d5f9cd995e841e6b37a7c4eccf2a2c35e4a186eeb019f44843a8d225698
Instruction ID: 91ffc60da8f5bd03baedfaf87bc999d2542dd263ce89e2949f3812a2edd03d01
Opcode Fuzzy Hash: 270a2d5f9cd995e841e6b37a7c4eccf2a2c35e4a186eeb019f44843a8d225698
Instruction Fuzzy Hash: 232190B13442459FDB05CF2AD8809AA7BE6AF8B759B1940A6F844DF3B1CA31DC40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD510, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503672361.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985434f20a47f40a0912d8af299b03e29e49e8622b22539a64ba70b321b1c4cb
Instruction ID: 0d31ca3044411548a1271b4d5d36b839544aa4addbf44bca0e6b9fcbbd1f6395
Opcode Fuzzy Hash: 985434f20a47f40a0912d8af299b03e29e49e8622b22539a64ba70b321b1c4cb
Instruction Fuzzy Hash: DC2145B1904205DFCB05DF00D8C0B27BF65FB8932CF248569E8074B646C336D956DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD424, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503672361.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5774a2e59a0392325e588c8134825f7d0111b115339f5277dc1dfeecfa26fdcf
Instruction ID: 7ed8b127a9d395a7cfc58d1a8a9489afbb0ccfca402d01596a14cebe3d3e4907
Opcode Fuzzy Hash: 5774a2e59a0392325e588c8134825f7d0111b115339f5277dc1dfeecfa26fdcf
Instruction Fuzzy Hash: B62128B5504245DFDB05DF14D8C0B27BF65FB88328F24C569E8070B646C33AE856D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E69359, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84cf91bf21ea5a0137f3c93c4ba130b7acc64ccd37fff41f019448b6adc92b6
Instruction ID: 31233196fdba17ac1118cc45b42a721c6cb8d089c896dd1846656d2b92fcf543
Opcode Fuzzy Hash: a84cf91bf21ea5a0137f3c93c4ba130b7acc64ccd37fff41f019448b6adc92b6
Instruction Fuzzy Hash: F921BA313043108FC724CF38E8546AE77A6EF8A398F504979E116AB3A1DB72DC44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD50B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503672361.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: 9eb6243411d73d5098bed3e8a46530ef5291e52b7fa123397bc9e22535d4d6f6
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: B111E6B6904281CFCF12DF10D5C4B16BF71FB95328F28C6AAD8064B656C336D95ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD41F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503672361.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: eda862f51a96a7e38bdf0fa0411e17aff3846416632c2825cc67bba4b7cb6c40
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: E9110B76404280DFCF12CF10D5C4B16BF71FB99324F24C5A9D8460B656C336D556CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A2A0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f22f3453bade8933b3d71865f2c1966ef3e8d36a4b91aa55db257f9aa47adbd
Instruction ID: fce21b9fd30c9c687ea14c8ee773cee0fcaa9ae9cede16c65cfb166ac67d6a04
Opcode Fuzzy Hash: 8f22f3453bade8933b3d71865f2c1966ef3e8d36a4b91aa55db257f9aa47adbd
Instruction Fuzzy Hash: B111E131B442055FC714CB6AD814A5BB7E6EFCA318B18C43ED10AAB311CB72AC018B92

Uniqueness

Uniqueness Score: -1.00%

Function 00E62690, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436d57f7d61ef180d84f897fca08733551861cfadc8921bc0c8756791c29a551
Instruction ID: 19674caef00d80f2cd8f3b7d35814a28a1f8f0cdab590a6737d25f804722ad21
Opcode Fuzzy Hash: 436d57f7d61ef180d84f897fca08733551861cfadc8921bc0c8756791c29a551
Instruction Fuzzy Hash: 4401D4376482585FD714DAA9E440BDEFBF8EB653A1F1480ABE984DB250D631ED80C750

Uniqueness

Uniqueness Score: -1.00%

Function 00E68A21, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b2a46ca0fa5eb4be62a3ba32a0ec681cbfec31146c5b17dd3bc2aa8192ecaf
Instruction ID: e670d074bef34beec48f4cf5153f48a208e7e71b47b32bf0fe6719855073f966
Opcode Fuzzy Hash: 06b2a46ca0fa5eb4be62a3ba32a0ec681cbfec31146c5b17dd3bc2aa8192ecaf
Instruction Fuzzy Hash: E501B571A042456FCB10DBB89C55BAF7BA6ABC5314F100A29E115AB3C1DBB129058B95

Uniqueness

Uniqueness Score: -1.00%

Function 00E69CE8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd4e8c7fb9b965ed727f179dedeb2e182b750d0d565f2901e71e3052a6af4a0
Instruction ID: 1a1b05baa47876a54911f9bc454244bbd3a3f0c17c85044723e0026db8ecf995
Opcode Fuzzy Hash: cfd4e8c7fb9b965ed727f179dedeb2e182b750d0d565f2901e71e3052a6af4a0
Instruction Fuzzy Hash: E901B131D042588BDB24CBA5C8047EEBBF9AF49714F189569D055B72C1CB745844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6665D, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5899c48cd2be3bf7f79e8150255806cd9fd591735bc0a0b90ce80046620edc6
Instruction ID: 47f8fd07e077bcd339257d2f87a82e5e51ce888384dfe3250e2708422c9b7100
Opcode Fuzzy Hash: b5899c48cd2be3bf7f79e8150255806cd9fd591735bc0a0b90ce80046620edc6
Instruction Fuzzy Hash: 22012531A40218CBCB19DB64D8519DEB7F2AF89341F2046ADE402BB3A1CB769D01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E61990, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa5091b04c807acec71230b11d38af62ba889f2be68deff8dd0d20261d7e6b5
Instruction ID: 30e23bcdd3a9ac2a6089e57b75ff8b33db59ef03eeec25ecc2e633fb583dafb0
Opcode Fuzzy Hash: 9fa5091b04c807acec71230b11d38af62ba889f2be68deff8dd0d20261d7e6b5
Instruction Fuzzy Hash: 4E01A4797093429FD7028B21F884A2ABB72FFC134572985BBD415DB341D735D80ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E60F27, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabd690f8657cd5f2059ed039d67b8302e263dfa4e13360529a4733ec2131a0e
Instruction ID: 064c19aa521b35423d9c4e2cd43fb7387cb060f81dc493cd612fb6b7e5b108f1
Opcode Fuzzy Hash: aabd690f8657cd5f2059ed039d67b8302e263dfa4e13360529a4733ec2131a0e
Instruction Fuzzy Hash: BF0186303142029FC714DB59E855BAE77E6DFC5304F10863DE14ACB665CFB16D064B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E69B81, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df224f7735b67b243db4402f0c19d1d2327dc96e7abb2415083d9005240efbf
Instruction ID: d20685777280fdd1f6826af5ecd2a36b33bc6c9d560956f795af4505226abcc8
Opcode Fuzzy Hash: 0df224f7735b67b243db4402f0c19d1d2327dc96e7abb2415083d9005240efbf
Instruction Fuzzy Hash: 3D013C70A0020ACFCB54DFB4E9046AEBBB5EF45305B1084AEC81AE3251DB36D901CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00E68490, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928eac8545d5059b63f35dd6a9e35bb02ca561c7b0834b3ea084921bb81f7a9e
Instruction ID: 79b31f5ad3069afe9065c9b55c7fc12a12e340e54ddd2325181b782a494d2eef
Opcode Fuzzy Hash: 928eac8545d5059b63f35dd6a9e35bb02ca561c7b0834b3ea084921bb81f7a9e
Instruction Fuzzy Hash: E2F012316041059FC754CA68D59199ABBE5EB48364F20D67EE82DD7381DE32ED42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E6194F, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2056451176c2dda0dc7d0c2002f6de07fad38ebba0e15998c0a5360371202877
Instruction ID: 07d63d13b32994d2ca119a415760e4767c89d674b7ff041bcfde3f00d30c41da
Opcode Fuzzy Hash: 2056451176c2dda0dc7d0c2002f6de07fad38ebba0e15998c0a5360371202877
Instruction Fuzzy Hash: 23F03976704224AF9711CE9DE880D9ABBE9EB883A0714812AF849D7312CA70DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E68ED1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11060d36d02da8de570695287357357b69124546b6f7c14546ab675179d00340
Instruction ID: 0889f71d97aa573e66543b132d00ef9e1c7d745de6a363c176fcc4c7d65fa981
Opcode Fuzzy Hash: 11060d36d02da8de570695287357357b69124546b6f7c14546ab675179d00340
Instruction Fuzzy Hash: CDF0E570708244DFC719FFB0D82166937B69F86248F1044BD9109DBB91DE319E06D761

Uniqueness

Uniqueness Score: -1.00%

Function 00E68425, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da669167059b94cad7765420c05b72b9ca1bb488155982aaa7698418bbc183d2
Instruction ID: 705248f62ff82e6b8b07bcb3fd7032d538befacbd8e3436ef1ac05baf1d81057
Opcode Fuzzy Hash: da669167059b94cad7765420c05b72b9ca1bb488155982aaa7698418bbc183d2
Instruction Fuzzy Hash: 12F01C397101059F8F04DFA8D4509DEB7F2EF89264711C4A5E908EB251DB31ED559B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E68F30, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6aee78fe90b48abdf4b12988bab8512c178fcbd919231bfd3550587a0a2bd72
Instruction ID: 6556e279d51edba1be44ad52b015bf05807da0165e59975b4eedd23647032bd5
Opcode Fuzzy Hash: d6aee78fe90b48abdf4b12988bab8512c178fcbd919231bfd3550587a0a2bd72
Instruction Fuzzy Hash: 66E09A31700212AF4B14AB6AA84285BBBD9EAC9B64340C93BF10DFB200DA61AC0487E5

Uniqueness

Uniqueness Score: -1.00%

Function 00E69EBE, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4f04226be3f689599dc7124d5949f5914d2f889b7e40e91e1fc3440dc41a6b
Instruction ID: dda52834b8fa263dba87f467ce3ea6209c35310e490b7455261d23bcf926176f
Opcode Fuzzy Hash: 9e4f04226be3f689599dc7124d5949f5914d2f889b7e40e91e1fc3440dc41a6b
Instruction Fuzzy Hash: F8E092317002108FC740DF58E8C55AE77A5EF85324700456BE109DF271DB719C058F90

Uniqueness

Uniqueness Score: -1.00%

Function 00E60438, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cad15457e1b045b39f0da1b88b28cbfb6dc2cfefbf133e2369e9f7a9093ff2d
Instruction ID: 9e6fedb43aaca08328832374ec2041fb844e97877c5a9032d4107570789de2d4
Opcode Fuzzy Hash: 8cad15457e1b045b39f0da1b88b28cbfb6dc2cfefbf133e2369e9f7a9093ff2d
Instruction Fuzzy Hash: 1DE0263560C2C09FCB026324F8248AEBF7ADEC3B2071501AFE882CB253C7150C02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E61A98, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20d77ff1b6880a7e4c793b3b1f6df2f3d714f8a985e7cb560200f86c4d80628
Instruction ID: 6176e1da46fb9d39eff753583f229e27791f7054a65d247096647f2e541413cc
Opcode Fuzzy Hash: e20d77ff1b6880a7e4c793b3b1f6df2f3d714f8a985e7cb560200f86c4d80628
Instruction Fuzzy Hash: 47E026307453008FCB645BF5A80172133E8EF84755F1890AAE709AB380EAB29C01C790

Uniqueness

Uniqueness Score: -1.00%

Function 00E69DD9, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d96acf4300339105f1944d716fb0d3536d4faa937548679c3b80273674ceb7b
Instruction ID: 566c758ea9764aaa9d11e974c68ce21e05b32e02817e0260f7fa25e2228f5c6a
Opcode Fuzzy Hash: 5d96acf4300339105f1944d716fb0d3536d4faa937548679c3b80273674ceb7b
Instruction Fuzzy Hash: CAE06536204A508FC324CB2AD044843B7F6EFC9615315C56DD59D47721D731FC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E69C00, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a55f5eebe9a5f7abec37129da1d015c52fab461cd4205e20bece3ddc520b1b
Instruction ID: 05e2308bb832b9af0ad56bbbd6f2daaf232b4ec8987033aa17d0cf97ef19eafb
Opcode Fuzzy Hash: 72a55f5eebe9a5f7abec37129da1d015c52fab461cd4205e20bece3ddc520b1b
Instruction Fuzzy Hash: 78E0C231300A11474721A61EB51549F769ECFC66A8301443EE12AE7701DF709D0407DA

Uniqueness

Uniqueness Score: -1.00%

Function 00E60491, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce125cfced401b3f72c54beb2c0c4a3af491c8253632e2bef8f45970690f834
Instruction ID: f97a05b2e4fd8ba758c6da9eef85679ad76a6928a8c1ef361a9f863b7675b713
Opcode Fuzzy Hash: 0ce125cfced401b3f72c54beb2c0c4a3af491c8253632e2bef8f45970690f834
Instruction Fuzzy Hash: E9E0C2723082135B8744AB28E89149FF253FFC43187408E3AF209C7214CF709D1993E5

Uniqueness

Uniqueness Score: -1.00%

Function 00E61A97, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bdec636bfd2fb1e41a04d6a40615e8030893bcc2a5efcf6809789420302080
Instruction ID: 8313f0de68e4e57f11296592c45e4d9f85dd82dc136eed7c15ec497f343edade
Opcode Fuzzy Hash: 39bdec636bfd2fb1e41a04d6a40615e8030893bcc2a5efcf6809789420302080
Instruction Fuzzy Hash: FEE08C306862009FCB218BB1A805BA537A4AB84755F1881EAEA0AAA690D6B29C01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E69D88, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b084c649c71b06c963fa33147f1a8654287f2ec54069db1e25887659c2cf9b11
Instruction ID: 23fcc45e14fdb5042a8bb9d097d8d62ea0bfae830ab5ba5306da0dd7200fbf37
Opcode Fuzzy Hash: b084c649c71b06c963fa33147f1a8654287f2ec54069db1e25887659c2cf9b11
Instruction Fuzzy Hash: FFE08C315093888BE7296369E454799779A8F46328F00446EE5864BB91CBB6AC81C751

Uniqueness

Uniqueness Score: -1.00%

Function 00E60448, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639ba213939131adeb6945a718cb833673704bf7f2a0b234fbda5916cccc3ddf
Instruction ID: 8b4dc1c8f65952cc83c07e9cd1201f3cb0d25e975c5047261087e532d02a89b8
Opcode Fuzzy Hash: 639ba213939131adeb6945a718cb833673704bf7f2a0b234fbda5916cccc3ddf
Instruction Fuzzy Hash: 5AD05E35300114974A043755F8249AEB77EDAC6F217000129E901C7341CB662D015BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00E60EB7, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9602911d05feb24443ce69c2c12e3ec9e8bd62c2a5a4f2471be36f48095dd9a2
Instruction ID: 1b02d089921f339f170c0dbab9322083879892bedd9cb0d7e09649211fd69348
Opcode Fuzzy Hash: 9602911d05feb24443ce69c2c12e3ec9e8bd62c2a5a4f2471be36f48095dd9a2
Instruction Fuzzy Hash: 33E08C30A05208EFCB40DFB4D891BAE77B1EB84204F104AA8E409DB244DA721E00AB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E60EB8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596005a78ede782a37fe011283a816d89ea80a742e3edf576feaca0a9bc8f542
Instruction ID: b8b9df66179df75064d73c49c38d50efc0972e533c0bc4de8721d06568e90884
Opcode Fuzzy Hash: 596005a78ede782a37fe011283a816d89ea80a742e3edf576feaca0a9bc8f542
Instruction Fuzzy Hash: C6E01270A1520DEFCB40DFB5D95176E77B5EB85604F5049A8E508DB244DA726F00A781

Uniqueness

Uniqueness Score: -1.00%

Function 00E60E6F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ebc38369b9dbb5a556f0151c6ca80e2809496561a7ae703e92911293e54f6f
Instruction ID: ff5b14d357b7c39b50e04b9adf42f0a576ceec409cfa4bb1627cb16a9f6daba3
Opcode Fuzzy Hash: a6ebc38369b9dbb5a556f0151c6ca80e2809496561a7ae703e92911293e54f6f
Instruction Fuzzy Hash: C7E0C230A08109EFCB40DFB8E4416AEBBB1EB84304F2046ADE809D7301DA310F009F41

Uniqueness

Uniqueness Score: -1.00%

Function 00E60E70, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fdedbabbb8b9e8d39474162081c45b948a6272b31b607af4a1ccb3221baceb
Instruction ID: 732b0b388a65b8c5b8665e380c1b86d3bbb8552c6d38cea07c663ef3be619eba
Opcode Fuzzy Hash: f3fdedbabbb8b9e8d39474162081c45b948a6272b31b607af4a1ccb3221baceb
Instruction Fuzzy Hash: 60E01270A04209EFCB44DFA8D54169EB7B5EB85304F2046A9E808D7301DA315F009F91

Uniqueness

Uniqueness Score: -1.00%

Function 00E694C0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b16e938fa856a5f18798435e0e5296241059626a4095887e4812aefb8847853
Instruction ID: 99f38a26b59b552768325c0bebff7f768b87ef2c3b0f708f9dc817e05e894b9c
Opcode Fuzzy Hash: 5b16e938fa856a5f18798435e0e5296241059626a4095887e4812aefb8847853
Instruction Fuzzy Hash: A0D05B7091510DEF8B44DFA9E94145D77F5EB8521471045A9D508E7220DF315F00AF41

Uniqueness

Uniqueness Score: -1.00%

Function 00E66BA8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5b90abdb9c3692b78d4dbe24fe2f56c195e240bae8372bdbf7cc66b3fc36b8
Instruction ID: 435979f47839179a2e6f758e0ccedc6231a331622a4523aaefc020aca75cfc75
Opcode Fuzzy Hash: 4c5b90abdb9c3692b78d4dbe24fe2f56c195e240bae8372bdbf7cc66b3fc36b8
Instruction Fuzzy Hash: 6BD01734A14109FF8F84EFB9D95249EB7B9EB85204B1044A9EA09E7210EA312F04AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E684F0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccf0d148863edfd59999eafd0e6c2fc8d029079714dc4e6d7211afca83c752e
Instruction ID: 849d888413ad4b3b2f0a31d867cc6f2f37db9252369736e60b388f4455d192c2
Opcode Fuzzy Hash: 2ccf0d148863edfd59999eafd0e6c2fc8d029079714dc4e6d7211afca83c752e
Instruction Fuzzy Hash: 62A0223020030C838A0833E838082B83BAEC2C8822B0000A2A00E823008E20B80082A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E69931, Relevance: 11.4, Strings: 9, Instructions: 186COMMON

Download Yara Rule

Strings

$%%l, xrefs: 00E69AF8
\g, xrefs: 00E69B47
$%%l, xrefs: 00E699CD
$%%l, xrefs: 00E69A8E
\g, xrefs: 00E69B53
\g, xrefs: 00E69B0F
$%%l, xrefs: 00E69995
$%%l, xrefs: 00E69AEC
$%%l, xrefs: 00E699D9

Memory Dump Source

Source File: 00000004.00000002.503978919.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID: $%%l$$%%l$$%%l$$%%l$$%%l$$%%l$\g$\g$\g
API String ID: 0-3391211552
Opcode ID: f435e2df1a0b5283d33f16d0a087db42836cbb4dd86d52b011c5f97f7848fe8f
Instruction ID: f7fb7ed4e1f1281ae78f5729fc832aa9d9b584104db3ca332aac0bf69862fa01
Opcode Fuzzy Hash: f435e2df1a0b5283d33f16d0a087db42836cbb4dd86d52b011c5f97f7848fe8f
Instruction Fuzzy Hash: 03619A707446028FCB58DF69E09196BB7E6AFC5398710A569D51AEF326EB30EC01CB81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report GimmerBot.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Grandsteal

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back