Play interactive tour
Edit tourWindows Analysis Report CMR-7146846_PDF.pif
Overview
General Information
| Sample Name: | CMR-7146846_PDF.pif (renamed file extension from pif to exe) |
| Analysis ID: | 492199 |
| MD5: | 71028a6ec414b1642243aa4981a3365f |
| SHA1: | 630b016a94f7bee220565d3b9a55a2ae8ef73c5a |
| SHA256: | 167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918 |
| Tags: | agentteslaexe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Moves itself to temp directory
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "Username": "vic@globalmedical.nl", "Password": "W3oxtsMvzRhJV&eBZoFabwZV", "Host": "mail.globalmedical.nl"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 14 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 31 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
Compliance: | |
|---|
| Detected unpacking (overwrites its own PE header) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Detected unpacking (creates a PE file in dynamic memory) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00405EC2 | |
| Source: | Code function: | 0_2_004054EC | |
| Source: | Code function: | 0_2_00402671 | |
| Source: | Code function: | 2_2_00404A29 | |
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | Code function: | 0_2_00404FF1 | |
System Summary: | |
|---|
| Initial sample is a PE file and has a suspicious name | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040312A | |
| Source: | Code function: | 0_2_00406354 | |
| Source: | Code function: | 0_2_00404802 | |
| Source: | Code function: | 0_2_00406B2B | |
| Source: | Code function: | 0_2_7365AA0F | |
| Source: | Code function: | 0_2_7365AA1E | |
| Source: | Code function: | 2_2_0040A2A5 | |
| Source: | Code function: | 2_2_0078C268 | |
| Source: | Code function: | 2_2_00787388 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00402053 | |
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 0_2_004042C1 | |
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Code function: | 2_2_00401489 | |
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation: | |
|---|
| Detected unpacking (overwrites its own PE header) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Detected unpacking (changes PE section rights) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Detected unpacking (creates a PE file in dynamic memory) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 2_2_00401F29 | |
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Moves itself to temp directory | Show sources | ||
| Source: | File moved: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405EC2 | |
| Source: | Code function: | 0_2_004054EC | |
| Source: | Code function: | 0_2_00402671 | |
| Source: | Code function: | 2_2_00404A29 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 2_2_0040446F | |
| Source: | Code function: | 2_2_004067FE | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_7365A402 | |
| Source: | Code function: | 0_2_7365A744 | |
| Source: | Code function: | 0_2_7365A706 | |
| Source: | Code function: | 0_2_7365A616 | |
| Source: | Code function: | 0_2_7365A6C7 | |
| Source: | Code function: | 2_2_004035F1 | |
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 2_2_00401E1D | |
| Source: | Code function: | 2_2_0040446F | |
| Source: | Code function: | 2_2_00401C88 | |
| Source: | Code function: | 2_2_00401F30 | |
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 2_2_0040208D | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00401B74 | |
| Source: | Code function: | 0_2_0040312A | |
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information1 | Credentials in Registry1 | File and Directory Discovery2 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing31 | Security Account Manager | System Information Discovery127 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | Query Registry1 | Distributed Component Object Model | Clipboard Data1 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion131 | LSA Secrets | Security Software Discovery131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection112 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion131 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 33% | Virustotal | Browse | ||
| 36% | ReversingLabs | Win32.Trojan.Nsisx | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | HEUR/AGEN.1130366 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | HEUR/AGEN.1130366 | Download File | ||
| 100% | Avira | HEUR/AGEN.1130366 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| mail.globalmedical.nl | 185.104.29.70 | true | true | unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| low | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| low |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.104.29.70 | mail.globalmedical.nl | Netherlands | 206281 | AS-ZXCSNL | true |
General Information |
|---|
| Joe Sandbox Version: | 33.0.0 White Diamond |
| Analysis ID: | 492199 |
| Start date: | 28.09.2021 |
| Start time: | 13:24:51 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 57s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | CMR-7146846_PDF.pif (renamed file extension from pif to exe) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 21 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/2@1/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 13:26:11 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 185.104.29.70 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| mail.globalmedical.nl | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| AS-ZXCSNL | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\CMR-7146846_PDF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 292863 |
| Entropy (8bit): | 7.963948339487451 |
| Encrypted: | false |
| SSDEEP: | 6144:FRBvdnc2iyeAsS4tuh/VUj8t6Ahcms8QA57bsuiSQS/Ve/fH/p15l9:FNe3QhWrcOuiSQS9o5n |
| MD5: | 2FE1DC80424E1F7A367C2EC10F82D6E3 |
| SHA1: | A1CBB2EE20EEB13B7D8A3C322BEE54F2F44246E2 |
| SHA-256: | 8B59DB4A29E96B2178AF1491631076557866ECD5AF4DF7CB1FE02DD7A2AAE38D |
| SHA-512: | 913E7EFA41E4F6B89D95CA396E5542A25469AFB0448CAE56A6B1E63A428381BED38243083962A7916F958C8F3971E1E72485870A1964B99E944FF54A96A554BF |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\CMR-7146846_PDF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 48128 |
| Entropy (8bit): | 6.189023339782808 |
| Encrypted: | false |
| SSDEEP: | 768:rJiJkvsh0Yp4HbcfPTsVhVlI6SzFMdsrLRuxkeedSqlZNH5tTFO+DWB6nXRyigJh:kkvseYHTC3cO+DWB6ppGYud+mMujOstH |
| MD5: | 7DC59F4707DAE01D8BC589B5764FBD65 |
| SHA1: | 53397FB4FCE54937BF30764283934B6573FD63A9 |
| SHA-256: | D8F687BA9EEA4E69AEAAD9CCCAFD1ECC9BE0B1B09C88AB8A4B5728ABA666C903 |
| SHA-512: | F89321E0382AB5CA457F040A3F4D887CAE047A5CA00EFCE4D8A6334E307B07D130788116C30BBD22CA94739FFF17E19B2C221958F013DE32EAC4DA86CBFC680E |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.861641772264295 |
| TrID: |
|
| File name: | CMR-7146846_PDF.exe |
| File size: | 317488 |
| MD5: | 71028a6ec414b1642243aa4981a3365f |
| SHA1: | 630b016a94f7bee220565d3b9a55a2ae8ef73c5a |
| SHA256: | 167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918 |
| SHA512: | 4c403091f4839867d7465e437f30eb3648a114ebf1e16cadbcd4a232f2c9b75fac1ef4d9b7081314eeabb33eb9579ce39373385f122c3104e7a7815c007b790a |
| SSDEEP: | 6144:F8LxBsG3/D9BNOnAvOrA4WXnLHz6g2USzAmD5D96r:/G37sAv14WXnL21zAq96r |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@ |
File Icon |
|---|
 | |
| Icon Hash: | b2a88c96b2ca6a72 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x40312a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | b76363e9cb88bf9390860da8e50999d2 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| sub esp, 00000184h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+20h], ebx |
| mov dword ptr [esp+14h], 00409168h |
| mov dword ptr [esp+1Ch], ebx |
| mov byte ptr [esp+18h], 00000020h |
| call dword ptr [004070B0h] |
| call dword ptr [004070ACh] |
| cmp ax, 00000006h |
| je 00007F8814E69F83h |
| push ebx |
| call 00007F8814E6CD64h |
| cmp eax, ebx |
| je 00007F8814E69F79h |
| push 00000C00h |
| call eax |
| mov esi, 00407280h |
| push esi |
| call 00007F8814E6CCE0h |
| push esi |
| call dword ptr [00407108h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], bl |
| jne 00007F8814E69F5Dh |
| push 0000000Dh |
| call 00007F8814E6CD38h |
| push 0000000Bh |
| call 00007F8814E6CD31h |
| mov dword ptr [0042EC24h], eax |
| call dword ptr [00407038h] |
| push ebx |
| call dword ptr [0040726Ch] |
| mov dword ptr [0042ECD8h], eax |
| push ebx |
| lea eax, dword ptr [esp+38h] |
| push 00000160h |
| push eax |
| push ebx |
| push 00429058h |
| call dword ptr [0040715Ch] |
| push 0040915Ch |
| push 0042E420h |
| call 00007F8814E6C964h |
| call dword ptr [0040710Ch] |
| mov ebp, 00434000h |
| push eax |
| push ebp |
| call 00007F8814E6C952h |
| push ebx |
| call dword ptr [00407144h] |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7524 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x9e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5e66 | 0x6000 | False | 0.670572916667 | data | 6.44065573436 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x12a2 | 0x1400 | False | 0.4455078125 | data | 5.0583287871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x25d18 | 0x600 | False | 0.458984375 | data | 4.18773476617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x37000 | 0x9e0 | 0xa00 | False | 0.45390625 | data | 4.4968702957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x37190 | 0x2e8 | data | English | United States |
| RT_DIALOG | 0x37478 | 0x100 | data | English | United States |
| RT_DIALOG | 0x37578 | 0x11c | data | English | United States |
| RT_DIALOG | 0x37698 | 0x60 | data | English | United States |
| RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States |
| RT_MANIFEST | 0x37710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary |
| USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA |
| ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 09/28/21-13:27:51.934921 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 28, 2021 13:27:51.594250917 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.626377106 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.626558065 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.691670895 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.692043066 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.725490093 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.726552010 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.758696079 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.759469986 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.814852953 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.815917015 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.850594997 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.851022959 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.899317026 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.899704933 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.931737900 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.931761026 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.934921026 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.935087919 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.936142921 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.936326981 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
| Sep 28, 2021 13:27:51.967371941 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.968470097 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.988909960 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 |
| Sep 28, 2021 13:27:52.047741890 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 28, 2021 13:26:15.902462006 CEST | 65084 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:15.902802944 CEST | 52751 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:15.902992010 CEST | 50286 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:15.921245098 CEST | 53 | 65084 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:15.921355009 CEST | 53 | 52751 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:15.923305988 CEST | 53 | 50286 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:18.632128954 CEST | 54513 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:18.650083065 CEST | 53 | 54513 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:19.515368938 CEST | 62044 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:19.548804045 CEST | 53 | 62044 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:27.973246098 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:27.996017933 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:38.550766945 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:38.573378086 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:40.262283087 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:40.308507919 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:40.709801912 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:40.744368076 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:40.875168085 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:40.906874895 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:41.377712011 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:41.400372982 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:41.759349108 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:41.793154955 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:42.314941883 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:42.334635019 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:42.753433943 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:42.771146059 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:43.561641932 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:43.579701900 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:44.434588909 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:44.454118967 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:45.568591118 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:45.586110115 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:45.710958004 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:45.728020906 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:46.159579992 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:46.180258989 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:26:56.549062967 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:26:56.576152086 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:09.619852066 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:09.640163898 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:12.755260944 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:12.774658918 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:17.192791939 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:17.213989973 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:19.140742064 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:19.171569109 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:20.600044012 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:20.630049944 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:25.061139107 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:25.088413000 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:33.826886892 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:33.846628904 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:39.130628109 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:39.150048971 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:51.468688011 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:51.486551046 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:27:52.046920061 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:27:52.068717003 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:28:02.214091063 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:28:02.236793041 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6 |
| Sep 28, 2021 13:28:02.414328098 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8 |
| Sep 28, 2021 13:28:02.433237076 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Sep 28, 2021 13:27:51.468688011 CEST | 192.168.2.6 | 8.8.8.8 | 0x6149 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Sep 28, 2021 13:27:51.486551046 CEST | 8.8.8.8 | 192.168.2.6 | 0x6149 | No error (0) | 185.104.29.70 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Sep 28, 2021 13:27:51.691670895 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 220 web0113.zxcs.nl ESMTP Exim 4.94.2 Tue, 28 Sep 2021 13:27:51 +0200 |
| Sep 28, 2021 13:27:51.692043066 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 | EHLO 675052 |
| Sep 28, 2021 13:27:51.725490093 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 250-web0113.zxcs.nl Hello 675052 [84.17.52.39] 250-SIZE 104857600 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Sep 28, 2021 13:27:51.726552010 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 | AUTH login dmljQGdsb2JhbG1lZGljYWwubmw= |
| Sep 28, 2021 13:27:51.758696079 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 334 UGFzc3dvcmQ6 |
| Sep 28, 2021 13:27:51.814852953 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 235 Authentication succeeded |
| Sep 28, 2021 13:27:51.815917015 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 | MAIL FROM:<vic@globalmedical.nl> |
| Sep 28, 2021 13:27:51.850594997 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 250 OK |
| Sep 28, 2021 13:27:51.851022959 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 | RCPT TO:<sarah_borte.com.cn@dr.com> |
| Sep 28, 2021 13:27:51.899317026 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 250 Accepted |
| Sep 28, 2021 13:27:51.899704933 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 | DATA |
| Sep 28, 2021 13:27:51.931761026 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself |
| Sep 28, 2021 13:27:51.936326981 CEST | 49834 | 587 | 192.168.2.6 | 185.104.29.70 | . |
| Sep 28, 2021 13:27:51.988909960 CEST | 587 | 49834 | 185.104.29.70 | 192.168.2.6 | 250 OK id=1mVBH5-002nFP-TK |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 13:25:55 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\Desktop\CMR-7146846_PDF.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 317488 bytes |
| MD5 hash: | 71028A6EC414B1642243AA4981A3365F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 13:25:57 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\Desktop\CMR-7146846_PDF.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 317488 bytes |
| MD5 hash: | 71028A6EC414B1642243AA4981A3365F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 0040312A, Relevance: 80.8, APIs: 26, Strings: 20, Instructions: 315stringfilecomCOMMON
Download Yara Rule
| C-Code - Quality: 78% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004054EC, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 82% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405EC2, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004039B0, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
Download Yara Rule
| C-Code - Quality: 84% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040361A, Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
Download Yara Rule
| C-Code - Quality: 96% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 80% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402E8E, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 174fileCOMMON
Download Yara Rule
| C-Code - Quality: 95% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401751, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
Download Yara Rule
| C-Code - Quality: 73% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365B000, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237processthreadCOMMON
Download Yara Rule
| C-Code - Quality: 29% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405EE9, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365A000, Relevance: 7.7, APIs: 5, Instructions: 196fileCOMMON
Download Yara Rule
| C-Code - Quality: 77% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 60% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| C-Code - Quality: 69% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040589E, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040587F, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004053F2, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004030B0, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004030E2, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00404802, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 478windowmemoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 98% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404FF1, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON
Download Yara Rule
| C-Code - Quality: 96% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004042C1, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 273stringCOMMON
Download Yara Rule
| C-Code - Quality: 78% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402053, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402671, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
Download Yara Rule
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406354, Relevance: .3, Instructions: 334COMMONCrypto
Download Yara Rule
| C-Code - Quality: 79% |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406B2B, Relevance: .3, Instructions: 300COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365AA0F, Relevance: .2, Instructions: 215COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365AA1E, Relevance: .2, Instructions: 207COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365A616, Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365A706, Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365A744, Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 7365A6C7, Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403FCB, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
Download Yara Rule
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 90% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405915, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON
Download Yara Rule
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405BE9, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403EEA, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404782, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402B6E, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 35% |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 17% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402336, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 45% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 84% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401CDE, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404678, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| C-Code - Quality: 77% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BCA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| C-Code - Quality: 51% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004056BA, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D38, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
Download Yara Rule
| C-Code - Quality: 67% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402BF1, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404E03, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004024F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 44% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405427, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405701, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405813, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065D01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065D005, Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 0040446F, Relevance: 4.6, APIs: 3, Instructions: 78COMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004067FE, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 27% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
Download Yara Rule
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 95% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| C-Code - Quality: 71% |
|
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |