Play interactive tour
Edit tourWindows Analysis Report RpcNs4.exe
Overview
General Information
| Sample Name: | RpcNs4.exe |
| Analysis ID: | 492876 |
| MD5: | 1ed37c4a225bbd35716cf241e14541a8 |
| SHA1: | 51caf718c3d85847e9f9246b291149a0a7afb698 |
| SHA256: | 8b504e796986fbae7d1bea49c95dfad222758cca5cada56472f40a0bde41e485 |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Emotet
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Emotet |
|---|
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB", "C2 list": ["190.191.171.72:80", "5.189.168.53:8080", "162.241.41.111:7080", "190.85.46.52:7080", "37.205.9.252:7080", "172.96.190.154:8080", "120.51.34.254:80", "181.95.133.104:80", "139.59.61.215:443", "157.7.164.178:8081", "41.185.29.128:8080", "86.57.216.23:80", "185.80.172.199:80", "54.38.143.245:8080", "41.212.89.128:80", "223.17.215.76:80", "37.187.100.220:7080", "167.71.227.113:8080", "8.4.9.137:8080", "113.160.248.110:80", "220.147.247.145:80", "60.125.114.64:443", "182.227.240.189:443", "45.177.120.37:8080", "103.229.73.17:8080", "117.247.235.44:80", "115.78.11.155:80", "79.133.6.236:8080", "139.59.12.63:8080", "91.83.93.103:443", "186.20.52.237:80", "185.208.226.142:8080", "115.79.195.246:80", "116.202.10.123:8080", "162.144.42.60:8080", "185.142.236.163:443", "172.105.78.244:8080", "37.46.129.215:8080", "157.245.138.101:7080", "182.253.83.234:7080", "143.95.101.72:8080", "187.189.66.200:8080", "103.48.68.173:80", "200.116.93.61:80", "223.135.30.189:80", "36.91.44.183:80", "198.57.203.63:8080", "203.153.216.178:7080", "46.32.229.152:8080", "51.38.201.19:7080", "103.93.220.182:80", "103.133.66.57:443", "202.166.170.43:80", "95.216.205.155:8080", "77.74.78.80:443", "78.114.175.216:80", "189.150.209.206:80", "113.156.82.32:80", "58.27.215.3:8080", "192.241.220.183:8080", "185.86.148.68:443", "74.208.173.91:8080", "126.126.139.26:443", "88.247.58.26:80", "49.243.9.118:80", "2.144.244.204:80", "138.201.45.2:8080", "91.75.75.46:80", "119.92.77.17:80", "202.153.220.157:80", "46.105.131.68:8080", "178.33.167.120:8080", "190.192.39.136:80", "115.176.16.221:80", "179.5.118.12:80", "190.190.15.20:80", "113.161.148.81:80", "14.241.182.160:80", "192.163.221.191:8080", "128.106.187.110:80", "190.194.12.132:80", "75.127.14.170:8080", "195.201.56.70:8080", "118.243.83.70:80", "50.116.78.109:8080", "192.210.217.94:8080", "103.80.51.61:8080"]}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Click to see the 1 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Click to see the 5 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 4_2_020B2240 | |
| Source: | Code function: | 4_2_020B2580 | |
| Source: | Code function: | 4_2_020B1F60 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_020B3890 | |
| Source: | Code function: | 4_2_020B3890 | |
Networking: | |
|---|
| C2 URLs / IPs found in malware configuration | Show sources | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
E-Banking Fraud: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 4_2_020B2580 | |
| Source: | Static PE information: | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 2_2_00403B79 | |
| Source: | Code function: | 2_2_004160CC | |
| Source: | Code function: | 2_2_00409163 | |
| Source: | Code function: | 2_2_00416919 | |
| Source: | Code function: | 2_2_0041B92F | |
| Source: | Code function: | 2_2_0041A136 | |
| Source: | Code function: | 2_2_004079A1 | |
| Source: | Code function: | 2_2_0041EAA3 | |
| Source: | Code function: | 2_2_00412B63 | |
| Source: | Code function: | 2_2_00420B08 | |
| Source: | Code function: | 2_2_00415BD8 | |
| Source: | Code function: | 2_2_0041AC13 | |
| Source: | Code function: | 2_2_0041D439 | |
| Source: | Code function: | 2_2_004164E4 | |
| Source: | Code function: | 2_2_00416D4E | |
| Source: | Code function: | 2_2_0041A6A1 | |
| Source: | Code function: | 2_2_020B3B50 | |
| Source: | Code function: | 2_2_020B7830 | |
| Source: | Code function: | 2_2_020B3E70 | |
| Source: | Code function: | 2_2_020B1C10 | |
| Source: | Code function: | 2_2_020B3C90 | |
| Source: | Code function: | 2_2_020B64F0 | |
| Source: | Code function: | 4_2_00403B79 | |
| Source: | Code function: | 4_2_004160CC | |
| Source: | Code function: | 4_2_00409163 | |
| Source: | Code function: | 4_2_00416919 | |
| Source: | Code function: | 4_2_0041B92F | |
| Source: | Code function: | 4_2_0041A136 | |
| Source: | Code function: | 4_2_004079A1 | |
| Source: | Code function: | 4_2_0041EAA3 | |
| Source: | Code function: | 4_2_00412B63 | |
| Source: | Code function: | 4_2_00420B08 | |
| Source: | Code function: | 4_2_00415BD8 | |
| Source: | Code function: | 4_2_0041AC13 | |
| Source: | Code function: | 4_2_0041D439 | |
| Source: | Code function: | 4_2_004164E4 | |
| Source: | Code function: | 4_2_00416D4E | |
| Source: | Code function: | 4_2_0041A6A1 | |
| Source: | Code function: | 4_2_020B3B50 | |
| Source: | Code function: | 4_2_020B7830 | |
| Source: | Code function: | 4_2_020B3E70 | |
| Source: | Code function: | 4_2_020B1C10 | |
| Source: | Code function: | 4_2_020B3C90 | |
| Source: | Code function: | 4_2_020B64F0 | |
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Metadefender: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_020B8830 | |
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 4_2_020B4BF0 | |
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 2_2_00406888 | |
| Source: | Code function: | 2_2_0040F154 | |
| Source: | Code function: | 2_2_020B5E11 | |
| Source: | Code function: | 2_2_020B5EC1 | |
| Source: | Code function: | 2_2_020B5F01 | |
| Source: | Code function: | 2_2_020B5F51 | |
| Source: | Code function: | 2_2_020B5C41 | |
| Source: | Code function: | 2_2_020B5C71 | |
| Source: | Code function: | 2_2_020B5CB1 | |
| Source: | Code function: | 2_2_020B5CF1 | |
| Source: | Code function: | 2_2_020B5D31 | |
| Source: | Code function: | 2_2_020B5D81 | |
| Source: | Code function: | 2_2_020B5DA1 | |
| Source: | Code function: | 4_2_00406888 | |
| Source: | Code function: | 4_2_0040F154 | |
| Source: | Code function: | 4_2_020B5E11 | |
| Source: | Code function: | 4_2_020B5EC1 | |
| Source: | Code function: | 4_2_020B5F01 | |
| Source: | Code function: | 4_2_020B5F51 | |
| Source: | Code function: | 4_2_020B5C41 | |
| Source: | Code function: | 4_2_020B5C71 | |
| Source: | Code function: | 4_2_020B5CB1 | |
| Source: | Code function: | 4_2_020B5CF1 | |
| Source: | Code function: | 4_2_020B5D31 | |
| Source: | Code function: | 4_2_020B5D81 | |
| Source: | Code function: | 4_2_020B5DA1 | |
| Source: | Code function: | 2_2_00401880 | |
Persistence and Installation Behavior: | |
|---|
| Drops executables to the windows directory (C:\Windows) and starts them | Show sources | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | PE file moved: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Hides that the sample has been downloaded from the Internet (zone.identifier) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 2_2_00403B79 | |
Malware Analysis System Evasion: | |
|---|
| Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) | Show sources | ||
| Source: | Evasive API call chain: | graph_2-21718 | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_020B3890 | |
| Source: | Code function: | 4_2_020B3890 | |
| Source: | API call chain: | graph_2-21450 | ||
| Source: | API call chain: | graph_4-22365 | ||
| Source: | API call chain: | graph_4-21915 | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 2_2_00406A89 | |
| Source: | Code function: | 2_2_0040E3C3 | |
| Source: | Code function: | 2_2_00401880 | |
| Source: | Code function: | 2_2_0040408A | |
| Source: | Code function: | 2_2_020B3E70 | |
| Source: | Code function: | 2_2_020B4D60 | |
| Source: | Code function: | 4_2_020B3E70 | |
| Source: | Code function: | 4_2_020B4D60 | |
| Source: | Code function: | 4_2_02091030 | |
| Source: | Code function: | 2_2_00406769 | |
| Source: | Code function: | 2_2_0040679A | |
| Source: | Code function: | 4_2_00406769 | |
| Source: | Code function: | 4_2_0040679A | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 2_2_0041989E | |
| Source: | Code function: | 2_2_0041994B | |
| Source: | Code function: | 2_2_0040D16E | |
| Source: | Code function: | 2_2_0041119A | |
| Source: | Code function: | 2_2_004191AF | |
| Source: | Code function: | 2_2_00419A1F | |
| Source: | Code function: | 2_2_0041947F | |
| Source: | Code function: | 2_2_00419423 | |
| Source: | Code function: | 2_2_0040FC2A | |
| Source: | Code function: | 2_2_004194FC | |
| Source: | Code function: | 2_2_00410D5A | |
| Source: | Code function: | 2_2_0041957F | |
| Source: | Code function: | 2_2_0040FE0B | |
| Source: | Code function: | 2_2_0040FE91 | |
| Source: | Code function: | 2_2_00419774 | |
| Source: | Code function: | 2_2_00415723 | |
| Source: | Code function: | 2_2_004117D4 | |
| Source: | Code function: | 4_2_0041989E | |
| Source: | Code function: | 4_2_0041994B | |
| Source: | Code function: | 4_2_0040D16E | |
| Source: | Code function: | 4_2_0041119A | |
| Source: | Code function: | 4_2_004191AF | |
| Source: | Code function: | 4_2_00419A1F | |
| Source: | Code function: | 4_2_0041947F | |
| Source: | Code function: | 4_2_00419423 | |
| Source: | Code function: | 4_2_0040FC2A | |
| Source: | Code function: | 4_2_004194FC | |
| Source: | Code function: | 4_2_00410D5A | |
| Source: | Code function: | 4_2_0041957F | |
| Source: | Code function: | 4_2_0040FE0B | |
| Source: | Code function: | 4_2_0040FE91 | |
| Source: | Code function: | 4_2_00419774 | |
| Source: | Code function: | 4_2_00415723 | |
| Source: | Code function: | 4_2_004117D4 | |
| Source: | Code function: | 2_2_0041201C | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00406001 | |
| Source: | Code function: | 4_2_020B5300 | |
Lowering of HIPS / PFW / Operating System Security Settings: | |
|---|
| Changes security center settings (notifications, updates, antivirus, firewall) | Show sources | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation1 | Windows Service1 | Windows Service1 | Masquerading121 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
| Default Accounts | Native API11 | DLL Side-Loading1 | Process Injection2 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery61 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Application Shimming1 | DLL Side-Loading1 | Virtualization/Sandbox Evasion2 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Application Shimming1 | Process Injection2 | NTDS | Process Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery45 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 78% | Virustotal | Browse | ||
| 74% | Metadefender | Browse | ||
| 89% | ReversingLabs | Win32.Trojan.Emotet | ||
| 100% | Avira | TR/AD.Emotet.dbl | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1138861 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1138861 | Download File | ||
| 100% | Avira | HEUR/AGEN.1142428 | Download File | ||
| 100% | Avira | HEUR/AGEN.1142428 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138861 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1138861 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| No contacted domains info |
|---|
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| low | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| low | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| low | ||
| false | high |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 126.126.139.26 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | true | |
| 192.210.217.94 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true | |
| 223.17.215.76 | unknown | Hong Kong | 18116 | HGC-AS-APHGCGlobalCommunicationsLimitedHK | true | |
| 185.208.226.142 | unknown | Hungary | 43359 | TARHELYHU | true | |
| 14.241.182.160 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true | |
| 75.127.14.170 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true | |
| 172.96.190.154 | unknown | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true | |
| 78.114.175.216 | unknown | France | 8228 | CEGETEL-ASFR | true | |
| 51.38.201.19 | unknown | France | 16276 | OVHFR | true | |
| 200.116.93.61 | unknown | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | true | |
| 115.78.11.155 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | true | |
| 203.153.216.178 | unknown | Indonesia | 45291 | SURF-IDPTSurfindoNetworkID | true | |
| 190.191.171.72 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
| 220.147.247.145 | unknown | Japan | 2510 | INFOWEBFUJITSULIMITEDJP | true | |
| 143.95.101.72 | unknown | United States | 62729 | ASMALLORANGE1US | true | |
| 5.189.168.53 | unknown | Germany | 51167 | CONTABODE | true | |
| 113.156.82.32 | unknown | Japan | 2516 | KDDIKDDICORPORATIONJP | true | |
| 103.229.73.17 | unknown | Indonesia | 55660 | MWN-AS-IDPTMasterWebNetworkID | true | |
| 182.227.240.189 | unknown | Korea Republic of | 17858 | POWERVIS-AS-KRLGPOWERCOMMKR | true | |
| 178.33.167.120 | unknown | France | 16276 | OVHFR | true | |
| 162.144.42.60 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
| 190.190.15.20 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
| 95.216.205.155 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 37.187.100.220 | unknown | France | 16276 | OVHFR | true | |
| 41.212.89.128 | unknown | Kenya | 15399 | WANANCHI-KE | true | |
| 190.85.46.52 | unknown | Colombia | 14080 | TelmexColombiaSACO | true | |
| 120.51.34.254 | unknown | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | true | |
| 187.189.66.200 | unknown | Mexico | 22884 | TOTALPLAYTELECOMUNICACIONESSADECVMX | true | |
| 88.247.58.26 | unknown | Turkey | 9121 | TTNETTR | true | |
| 103.93.220.182 | unknown | Philippines | 17639 | CONVERGE-ASConvergeICTSolutionsIncPH | true | |
| 181.95.133.104 | unknown | Argentina | 7303 | TelecomArgentinaSAAR | true | |
| 117.247.235.44 | unknown | India | 9829 | BSNL-NIBNationalInternetBackboneIN | true | |
| 138.201.45.2 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 37.205.9.252 | unknown | Czech Republic | 24971 | MASTER-ASCzechRepublicwwwmasterczCZ | true | |
| 190.194.12.132 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
| 186.20.52.237 | unknown | Chile | 6535 | TelmexServiciosEmpresarialesSACL | true | |
| 118.243.83.70 | unknown | Japan | 4685 | ASAHI-NETAsahiNetJP | true | |
| 103.80.51.61 | unknown | Thailand | 136023 | PTE-AS-APPTEGroupCoLtdTH | true | |
| 103.48.68.173 | unknown | India | 17754 | EXCELL-ASExcellmediaIN | true | |
| 185.86.148.68 | unknown | Latvia | 52173 | MAKONIXLV | true | |
| 103.133.66.57 | unknown | India | 138520 | LNSPL-AS-APLaluNetworkSolutionsPrivateLimitedIN | true | |
| 157.245.138.101 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 119.92.77.17 | unknown | Philippines | 9299 | IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH | true | |
| 46.105.131.68 | unknown | France | 16276 | OVHFR | true | |
| 172.105.78.244 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
| 37.46.129.215 | unknown | Russian Federation | 29182 | THEFIRST-ASRU | true | |
| 192.163.221.191 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
| 162.241.41.111 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
| 190.192.39.136 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true | |
| 45.177.120.37 | unknown | Brazil | 268987 | NETLIMITTELECOMBR | true | |
| 202.166.170.43 | unknown | Pakistan | 55501 | CONNECTEL-PK141-143MaulanaShaukatAliRoadPK | true | |
| 86.57.216.23 | unknown | Belarus | 6697 | BELPAK-ASBELPAKBY | true | |
| 113.161.148.81 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true | |
| 157.7.164.178 | unknown | Japan | 7506 | INTERQGMOInternetIncJP | true | |
| 116.202.10.123 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 192.241.220.183 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 115.176.16.221 | unknown | Japan | 2510 | INFOWEBFUJITSULIMITEDJP | true | |
| 198.57.203.63 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
| 46.32.229.152 | unknown | United Kingdom | 20738 | GD-EMEA-DC-LD5GB | true | |
| 167.71.227.113 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 54.38.143.245 | unknown | France | 16276 | OVHFR | true | |
| 77.74.78.80 | unknown | Russian Federation | 31261 | GARS-ASMoscowRussiaRU | true | |
| 49.243.9.118 | unknown | Japan | 10013 | FBDCFreeBitCoLtdJP | true | |
| 8.4.9.137 | unknown | United States | 3356 | LEVEL3US | true | |
| 60.125.114.64 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | true | |
| 113.160.248.110 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true | |
| 79.133.6.236 | unknown | Finland | 3238 | ALCOMFI | true | |
| 189.150.209.206 | unknown | Mexico | 8151 | UninetSAdeCVMX | true | |
| 58.27.215.3 | unknown | Pakistan | 38264 | WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK | true | |
| 185.80.172.199 | unknown | Azerbaijan | 39232 | UNINETAZ | true | |
| 74.208.173.91 | unknown | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
| 41.185.29.128 | unknown | South Africa | 36943 | GridhostZA | true | |
| 223.135.30.189 | unknown | Japan | 2527 | SO-NETSo-netEntertainmentCorporationJP | true | |
| 139.59.61.215 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true | |
| 91.75.75.46 | unknown | United Arab Emirates | 15802 | DU-AS1AE | true | |
| 50.116.78.109 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
| 128.106.187.110 | unknown | Singapore | 9506 | SINGTEL-FIBRESingtelFibreBroadbandSG | true | |
| 202.153.220.157 | unknown | Australia | 4764 | WIDEBAND-AS-APAussieBroadbandAU | true | |
| 139.59.12.63 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true | |
| 115.79.195.246 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | true | |
| 185.142.236.163 | unknown | Netherlands | 174 | COGENT-174US | true | |
| 2.144.244.204 | unknown | Iran (ISLAMIC Republic Of) | 44244 | IRANCELL-ASIR | true | |
| 182.253.83.234 | unknown | Indonesia | 17451 | BIZNET-AS-APBIZNETNETWORKSID | true | |
| 179.5.118.12 | unknown | El Salvador | 14754 | TelguaGT | true | |
| 91.83.93.103 | unknown | Hungary | 12301 | INVITECHHU | true | |
| 195.201.56.70 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 36.91.44.183 | unknown | Indonesia | 17974 | TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID | true |
Private |
|---|
| IP |
|---|
| 127.0.0.1 |
General Information |
|---|
| Joe Sandbox Version: | 33.0.0 White Diamond |
| Analysis ID: | 492876 |
| Start date: | 29.09.2021 |
| Start time: | 04:13:11 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 27s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | RpcNs4.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 25 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal96.troj.evad.winEXE@16/5@0/88 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 04:14:16 | API Interceptor | |
| 04:15:32 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 126.126.139.26 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| 192.210.217.94 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| 223.17.215.76 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| 185.208.226.142 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse |
Domains |
|---|
| No context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| GIGAINFRASoftbankBBCorpJP | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| AS-COLOCROSSINGUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4096 |
| Entropy (8bit): | 0.5961753579683815 |
| Encrypted: | false |
| SSDEEP: | 6:bJtk1GaD0JOCEfMuaaD0JOCEfMKQmD7/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:boGaD0JcaaD0JwQQ7/tAg/0bjSQJ |
| MD5: | FEDBD07F059E293B1CD3A36CE0BF727A |
| SHA1: | C75214CD386425539B6F6CFD4F48F90753ECC8E7 |
| SHA-256: | 5F2FC139A11B5A3E93489883C7A89D0E8B1A4041C87A7ECCEC784845724B031F |
| SHA-512: | 2C6E4AAEA9EFB60D669ED1E420000D09300C46718D9C113DD7A3043703C0BAADFEB9768C78FC80CB5419A1CA845E5985045D452B90EF0FFFFBC0F252CCF70386 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32768 |
| Entropy (8bit): | 0.09679207472564298 |
| Encrypted: | false |
| SSDEEP: | 6:BOzzwl/+0XRIE11Y8TRXQlFHKrOzzwl/+0XRIE11Y8TRXQlFHK:K0+0XO4blQlFHKA0+0XO4blQlFHK |
| MD5: | CDEE6462BDFBADCE486062CB208FC2D9 |
| SHA1: | 8DB277B7CA8CCF9AFDA1AAB7A52FDA9FBAE4FC53 |
| SHA-256: | 7CFEB754B63AD2FB2518B163B7626B390B012D8A21773FE973F30E3923A7CC7A |
| SHA-512: | 73DA8F7A98AAB76E4955CB961CBC688C69FB07EF9FD59DCDFAC6A1F379515E7BA1FA601572CAD8400DF8D84E45B7320BC65A767C67A132C5DF53E61478565380 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8192 |
| Entropy (8bit): | 0.1120151278868993 |
| Encrypted: | false |
| SSDEEP: | 3:+G1Ev1oj8l/bJdAtiE1Tll:pQKj8t4np |
| MD5: | CEFA19C920301379F5EF73328CDDC635 |
| SHA1: | C2E331B44A1FD9E196F915D0E12208220B4D7A40 |
| SHA-256: | 3874419093305358718AEF8A3E11991C90376C705A62C9599D5F0FBCA8F9D678 |
| SHA-512: | 79A5FB2F15E7C11D28D6CFBB127C4F775AC64F5CFA409FD8E486995DAC171E7BFB870CC19D6BE84567619159BAEBC07E7B197C4C83611F384AE73C8911B14E39 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55 |
| Entropy (8bit): | 4.306461250274409 |
| Encrypted: | false |
| SSDEEP: | 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y |
| MD5: | DCA83F08D448911A14C22EBCACC5AD57 |
| SHA1: | 91270525521B7FE0D986DB19747F47D34B6318AD |
| SHA-256: | 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9 |
| SHA-512: | 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Windows Defender\MpCmdRun.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 906 |
| Entropy (8bit): | 3.148114293486276 |
| Encrypted: | false |
| SSDEEP: | 12:58KRBubdpkoF1AG3rlsQlwAuXURk9+MlWlLehB4yAq7ejCEsQlwAuXUw:OaqdmuF3rlp+z+kWReH4yJ7MNp+Z |
| MD5: | 19E4C16502BE85E35AE649BCC464A2FC |
| SHA1: | 5F2C7E7EDDE9D2FB82173C8D2D475261962B6EC8 |
| SHA-256: | DF3C8E555F788FD5070E09BE94C3C9E6D1BEEF3F1B56AC5BE54F99EEB2DAA57D |
| SHA-512: | 04F1E4A94FA9351E3CE88A8DC62453D19FDCD211C61EC1518D40F97DEC3ACD6BE65A2BFABD8E1BA8B4E449F276C694DF8804AA5D75EFF04DD2585D351A2AACEB |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.227386311899768 |
| TrID: |
|
| File name: | RpcNs4.exe |
| File size: | 310784 |
| MD5: | 1ed37c4a225bbd35716cf241e14541a8 |
| SHA1: | 51caf718c3d85847e9f9246b291149a0a7afb698 |
| SHA256: | 8b504e796986fbae7d1bea49c95dfad222758cca5cada56472f40a0bde41e485 |
| SHA512: | fa54f2057b8e85c1a84307ee2325cda4393960ca81efe87e929dd5e19516e62604b9081d0964c23b2e8d97fc7a02d5b66a952dc0771a5249cf10074fa765a5e3 |
| SSDEEP: | 3072:sNzPwNwAtJKqgYLdcF7pGG7MjzQP3xswlVQN2Lxu2ntX8NUX7uFLuloc:sJPwNwAt/T2F7JcN8U2tM6iV8 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............u.U.u.U.u.U.'.U.u.U.'8U.u.U.'.U.u.Uy.,U.u.U.u.U.u.U...U.u.U..;U.u.U.'<U.u.U.upU.u.U..9U.u.URich.u.U................PE..L.. |
File Icon |
|---|
 | |
| Icon Hash: | 317971b1b1b1b1b0 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x402aec |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
| Time Stamp: | 0x5F68E28E [Mon Sep 21 17:27:42 2020 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 81f57b81eb6db8b252da01e9143dfb75 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| call 00007F532C740C35h |
| jmp 00007F532C73D725h |
| push 00000014h |
| push 00434230h |
| call 00007F532C741453h |
| call 00007F532C740FCFh |
| movzx esi, ax |
| push 00000002h |
| call 00007F532C740BC8h |
| pop ecx |
| mov eax, 00005A4Dh |
| cmp word ptr [00400000h], ax |
| je 00007F532C73D726h |
| xor ebx, ebx |
| jmp 00007F532C73D755h |
| mov eax, dword ptr [0040003Ch] |
| cmp dword ptr [eax+00400000h], 00004550h |
| jne 00007F532C73D70Dh |
| mov ecx, 0000010Bh |
| cmp word ptr [eax+00400018h], cx |
| jne 00007F532C73D6FFh |
| xor ebx, ebx |
| cmp dword ptr [eax+00400074h], 0Eh |
| jbe 00007F532C73D72Bh |
| cmp dword ptr [eax+004000E8h], ebx |
| setne bl |
| mov dword ptr [ebp-1Ch], ebx |
| call 00007F532C73EC50h |
| test eax, eax |
| jne 00007F532C73D72Ah |
| push 0000001Ch |
| call 00007F532C73D847h |
| pop ecx |
| call 00007F532C73EF13h |
| test eax, eax |
| jne 00007F532C73D72Ah |
| push 00000010h |
| call 00007F532C73D836h |
| pop ecx |
| call 00007F532C740C41h |
| and dword ptr [ebp-04h], 00000000h |
| call 00007F532C74052Ch |
| test eax, eax |
| jns 00007F532C73D72Ah |
| push 0000001Bh |
| call 00007F532C73D81Ch |
| pop ecx |
| call dword ptr [004390E8h] |
| mov dword ptr [00438C14h], eax |
| call 00007F532C740C5Ch |
| mov dword ptr [004369BCh], eax |
| call 00007F532C740819h |
| test eax, eax |
| jns 00007F532C73D72Ah |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x34b20 | 0x15c | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x392b4 | 0x50 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x13d10 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0x1bc4 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x323d8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x39000 | 0x2b4 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2a1d1 | 0x2a200 | False | 0.40440699184 | data | 5.8183204417 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2c000 | 0x8c7c | 0x8e00 | False | 0.263011663732 | data | 3.37323787881 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x35000 | 0x3c20 | 0x1a00 | False | 0.244891826923 | data | 2.84139335758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .idata | 0x39000 | 0xfb9 | 0x1000 | False | 0.3642578125 | data | 4.6782022268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x3a000 | 0x13d10 | 0x13e00 | False | 0.767614976415 | data | 6.94887089309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x4e000 | 0x207f | 0x2200 | False | 0.650620404412 | data | 5.98371531894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_BITMAP | 0x49378 | 0x1244 | data | English | United States |
| RT_ICON | 0x3a3b0 | 0x2e8 | data | English | United States |
| RT_ICON | 0x3a698 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_MENU | 0x49320 | 0x54 | data | English | United States |
| RT_STRING | 0x4a5c0 | 0xbc | data | English | United States |
| RT_GROUP_ICON | 0x3a7c0 | 0x22 | data | English | United States |
| RT_MANIFEST | 0x4a680 | 0x17d | XML 1.0 document text | English | United States |
| None | 0x3a7e8 | 0xeb33 | data | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetStringTypeW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapReAlloc, WriteConsoleW, OutputDebugStringW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, LoadLibraryExW, FreeLibrary, SetConsoleCtrlHandler, FatalAppExitA, LeaveCriticalSection, EnterCriticalSection, CreateSemaphoreW, GetModuleHandleW, GetTickCount, TlsFree, TlsSetValue, CloseHandle, LoadLibraryA, GetProcAddress, VirtualAlloc, HeapSize, GetLocalTime, HeapAlloc, RtlUnwind, GetCommandLineA, GetLastError, HeapFree, IsDebuggerPresent, IsProcessorFeaturePresent, EncodePointer, DecodePointer, RaiseException, ExitProcess, GetModuleHandleExW, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, SetLastError, GetCurrentThread, GetCurrentThreadId, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, CreateFileW |
| USER32.dll | LoadIconA, LoadCursorA, MessageBoxA, EndPaint, BeginPaint, UpdateWindow, TranslateAcceleratorA, LoadAcceleratorsA, ShowWindow, RegisterClassExA, PostQuitMessage, DispatchMessageA, TranslateMessage, GetMessageA, LoadStringA, LoadBitmapA, GetDesktopWindow, SetWindowLongA, GetWindowLongA, GetCursorPos, GetWindowRect, ReleaseDC, GetDC, TrackPopupMenu, GetSubMenu, CheckMenuItem, LoadMenuA, KillTimer, SetTimer, SetWindowPos, DestroyWindow, CreateWindowExA, DefWindowProcA |
| GDI32.dll | SelectObject, DeleteObject, DeleteDC, CreateCompatibleDC, BitBlt, StretchBlt |
Exports |
|---|
| Name | Ordinal | Address |
|---|---|---|
| lhxXfY9mIrDZ | 1 | 0x40103c |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 09/29/21-04:15:05.886157 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 108.167.150.86 | 192.168.2.5 | ||
| 09/29/21-04:15:08.898226 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 108.167.150.86 | 192.168.2.5 | ||
| 09/29/21-04:15:14.914137 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 108.167.150.86 | 192.168.2.5 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 29, 2021 04:14:34.579462051 CEST | 49736 | 80 | 192.168.2.5 | 190.191.171.72 |
| Sep 29, 2021 04:14:37.590918064 CEST | 49736 | 80 | 192.168.2.5 | 190.191.171.72 |
| Sep 29, 2021 04:14:43.591281891 CEST | 49736 | 80 | 192.168.2.5 | 190.191.171.72 |
| Sep 29, 2021 04:14:58.564569950 CEST | 49745 | 8080 | 192.168.2.5 | 5.189.168.53 |
| Sep 29, 2021 04:14:58.596065044 CEST | 8080 | 49745 | 5.189.168.53 | 192.168.2.5 |
| Sep 29, 2021 04:14:59.108776093 CEST | 49745 | 8080 | 192.168.2.5 | 5.189.168.53 |
| Sep 29, 2021 04:14:59.141755104 CEST | 8080 | 49745 | 5.189.168.53 | 192.168.2.5 |
| Sep 29, 2021 04:14:59.655216932 CEST | 49745 | 8080 | 192.168.2.5 | 5.189.168.53 |
| Sep 29, 2021 04:14:59.685148001 CEST | 8080 | 49745 | 5.189.168.53 | 192.168.2.5 |
| Sep 29, 2021 04:15:02.749850988 CEST | 49751 | 7080 | 192.168.2.5 | 162.241.41.111 |
| Sep 29, 2021 04:15:05.765048027 CEST | 49751 | 7080 | 192.168.2.5 | 162.241.41.111 |
| Sep 29, 2021 04:15:11.781199932 CEST | 49751 | 7080 | 192.168.2.5 | 162.241.41.111 |
| Sep 29, 2021 04:15:27.074985027 CEST | 49785 | 7080 | 192.168.2.5 | 190.85.46.52 |
| Sep 29, 2021 04:15:30.079667091 CEST | 49785 | 7080 | 192.168.2.5 | 190.85.46.52 |
| Sep 29, 2021 04:15:36.080301046 CEST | 49785 | 7080 | 192.168.2.5 | 190.85.46.52 |
| Sep 29, 2021 04:15:51.844423056 CEST | 49790 | 7080 | 192.168.2.5 | 37.205.9.252 |
| Sep 29, 2021 04:15:54.847382069 CEST | 49790 | 7080 | 192.168.2.5 | 37.205.9.252 |
| Sep 29, 2021 04:16:00.847948074 CEST | 49790 | 7080 | 192.168.2.5 | 37.205.9.252 |
| Sep 29, 2021 04:16:15.304163933 CEST | 49793 | 8080 | 192.168.2.5 | 172.96.190.154 |
| Sep 29, 2021 04:16:15.472785950 CEST | 8080 | 49793 | 172.96.190.154 | 192.168.2.5 |
| Sep 29, 2021 04:16:15.974430084 CEST | 49793 | 8080 | 192.168.2.5 | 172.96.190.154 |
| Sep 29, 2021 04:16:16.143085957 CEST | 8080 | 49793 | 172.96.190.154 | 192.168.2.5 |
| Sep 29, 2021 04:16:16.646538019 CEST | 49793 | 8080 | 192.168.2.5 | 172.96.190.154 |
| Sep 29, 2021 04:16:16.815198898 CEST | 8080 | 49793 | 172.96.190.154 | 192.168.2.5 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 29, 2021 04:14:05.641190052 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:14:05.662507057 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:14:19.959433079 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:14:19.976883888 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:14:37.067980051 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:14:37.104115963 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:14:56.899835110 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:14:56.932769060 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:15:12.343552113 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:15:12.354193926 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:15:12.374015093 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:15:12.379074097 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:15:15.998997927 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:15:16.018075943 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:15:27.754755020 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:15:27.780180931 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:15:28.400073051 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:15:28.419282913 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:15:50.121165037 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:15:50.153857946 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
| Sep 29, 2021 04:15:51.985894918 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
| Sep 29, 2021 04:15:52.013561010 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 04:14:12 |
| Start date: | 29/09/2021 |
| Path: | C:\Users\user\Desktop\RpcNs4.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 310784 bytes |
| MD5 hash: | 1ED37C4A225BBD35716CF241E14541A8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:14:14 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\SysWOW64\rasphone\networkitemfactory.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 310784 bytes |
| MD5 hash: | 1ED37C4A225BBD35716CF241E14541A8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:14:16 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:14:20 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:14:26 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:14:27 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:14:28 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:14:29 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:14:30 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\SgrmBroker.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee970000 |
| File size: | 163336 bytes |
| MD5 hash: | D3170A3F3A9626597EEE1888686E3EA6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:14:30 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 04:14:36 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 04:14:46 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff797770000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 04:15:31 |
| Start date: | 29/09/2021 |
| Path: | C:\Program Files\Windows Defender\MpCmdRun.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff71de40000 |
| File size: | 455656 bytes |
| MD5 hash: | A267555174BFA53844371226F482B86B |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 04:15:32 |
| Start date: | 29/09/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7ecfc0000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
Disassembly |
|---|
Code Analysis |
|---|
Execution Graph |
|---|
| Execution Coverage: | 2.6% |
| Dynamic/Decrypted Code Coverage: | 53.1% |
| Signature Coverage: | 15.8% |
| Total number of Nodes: | 424 |
| Total number of Limit Nodes: | 38 |
Graph
Executed Functions |
|---|
Function 020B3890, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401880, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68libraryloaderCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 95% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402000, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 122windowlibrarymemoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 83% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B3060, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402190, Relevance: 4.6, APIs: 3, Instructions: 109COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 98% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B4AE0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 67% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B8060, Relevance: 3.2, APIs: 2, Instructions: 187fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B5C10, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B8330, Relevance: 1.7, APIs: 1, Instructions: 160fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B3650, Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B4220, Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 020B64F0, Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 665COMMONCrypto
Download Yara Rule
| C-Code - Quality: 79% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041989E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 59% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 74% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406769, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 66% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040408A, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00416919, Relevance: .3, Instructions: 345COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00416D4E, Relevance: .3, Instructions: 341COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004164E4, Relevance: .3, Instructions: 331COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004160CC, Relevance: .3, Instructions: 323COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B8830, Relevance: .2, Instructions: 164COMMON
Download Yara Rule
| C-Code - Quality: 65% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B4D60, Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401460, Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 231windowtimeCOMMON
Download Yara Rule
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 77% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00413C56, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 131COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 84% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C80, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 84% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004030AC, Relevance: 10.6, APIs: 7, Instructions: 84COMMON
Download Yara Rule
| C-Code - Quality: 71% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BA0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040DCE3, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004047D4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 23% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401B00, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31windowregistryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 95% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 89% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401260, Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C101, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041349B, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004013C0, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON
Download Yara Rule
| C-Code - Quality: 27% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004017C0, Relevance: 6.0, APIs: 4, Instructions: 41timeCOMMON
Download Yara Rule
| C-Code - Quality: 40% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 4.1% |
| Dynamic/Decrypted Code Coverage: | 63.2% |
| Signature Coverage: | 4.1% |
| Total number of Nodes: | 538 |
| Total number of Limit Nodes: | 76 |
Graph
Executed Functions |
|---|
Function 02091030, Relevance: 18.4, APIs: 12, Instructions: 362libraryloaderCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B3890, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B4BF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B2580, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 252encryptionCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 56% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B5300, Relevance: 1.6, APIs: 1, Instructions: 75COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B2240, Relevance: 1.5, Strings: 1, Instructions: 224COMMON
Download Yara Rule
| C-Code - Quality: 60% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 95% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402000, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 122windowlibrarymemoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 83% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B2BA0, Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 287networkCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 76% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401880, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68libraryloaderCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B3060, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402190, Relevance: 4.6, APIs: 3, Instructions: 109COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 98% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B9C40, Relevance: 4.6, APIs: 3, Instructions: 95stringCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 79% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 68% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B5B30, Relevance: 3.1, APIs: 2, Instructions: 74memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B99E0, Relevance: 1.7, APIs: 1, Instructions: 164COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B8330, Relevance: 1.7, APIs: 1, Instructions: 160fileCOMMON
Download Yara Rule
| C-Code - Quality: 66% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02091D10, Relevance: 1.6, APIs: 1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B9D90, Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B4620, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020927B0, Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02091820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 0041989E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020B1F60, Relevance: .2, Instructions: 204COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401460, Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 231windowtimeCOMMON
Download Yara Rule
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 77% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00413C56, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 131COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 84% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C80, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 84% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020914A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 69% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004030AC, Relevance: 10.6, APIs: 7, Instructions: 84COMMON
Download Yara Rule
| C-Code - Quality: 71% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BA0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040DCE3, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004047D4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 23% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401B00, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31windowregistryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 95% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 89% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 020921A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401260, Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C101, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041349B, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004013C0, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON
Download Yara Rule
| C-Code - Quality: 27% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004017C0, Relevance: 6.0, APIs: 4, Instructions: 41timeCOMMON
Download Yara Rule
| C-Code - Quality: 40% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02092430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |