Windows Analysis Report rfxJzZjiWv.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Lokibot |
---|
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | |
| JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | |
| Loki_1 | Loki Payload | kevoreilly | |
| Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group | |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | |
| JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | |
(3 further entries not shown in this extract) |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | |
| JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | |
| Loki_1 | Loki Payload | kevoreilly | |
| Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group | |
(6 further entries not shown in this extract) |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: | see Malware Configuration above |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | 88% |
Source: | Metadefender: | 88% |
Source: | ReversingLabs: | 96%, Win32.Trojan.LokiBot |
Antivirus / Scanner detection for submitted sample |
Source: | Avira: | TR/Crypt.XPACK.Gen |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: | (3 entries) |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: | 100% |
Source: | Static PE information: |
Source: | Code function: | 0_2_00403D74 |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: | 20 alerts, all on sessions from 192.168.2.4 to 212.32.237.90:80; listed in full under Network Behavior > Snort IDS Alerts |
C2 URLs / IPs found in malware configuration |
Source: | URLs: | 4 entries, matching the Malware Configuration list above |
Source: | ASN Name: |
Source: | IP Address: |
Source: | HTTP traffic detected: | (5 entries) |
Source: | String found in binary or memory: | (3 entries) |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | Code function: | 0_2_0040648B |
System Summary: |
---|
Malicious sample detected (through community Yara rule) |
Source: | Matched rule: | (6 entries) |
Source: | Static PE information: |
Source: | Matched rule: | (7 entries) |
Source: | Code function: | 0_2_0040549C |
Source: | Code function: | 0_2_004029D4 |
Source: | Virustotal: |
Source: | Metadefender: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Code function: | 0_2_0040650A |
Source: | File created: |
Source: | Classification label: | mal100.troj.spyw.evad.winEXE@1/2@5/2 |
Source: | Code function: | 0_2_0040434D |
Source: | Mutant created: |
Source: | File read: | (4 entries) |
Source: | Key opened: |
Data Obfuscation: |
---|
Yara detected aPLib compressed binary |
Source: | File source: | (6 entries) |
Source: | Code function: | 0_2_00402AD4 |
Source: | Code function: | 0_2_00402AFC |
Source: | Static PE information: |
Source: | Process information set: | (115 entries; the signature titles and details for this and the following evidence were not extracted) |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | Code function: | 0_2_00403D74 |
Source: | Thread delayed: |
Source: | Code function: | 0_2_00402B7C |
Source: | Process token adjusted: |
Source: | Code function: | 0_2_0040317B |
Source: | Process queried: |
Source: | Key value queried: |
Source: | Code function: | 0_2_00406069 |
Stealing of Sensitive Information: |
---|
Yara detected Lokibot |
Source: | File source: | (6 entries) |
Tries to steal Mail credentials (via file / registry access) |
Source: | Key opened: | (2 entries) |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) |
Source: | Key opened: | (2 entries) |
Tries to harvest and steal ftp login credentials |
Source: | File opened: | (4 entries) |
Tries to steal Mail credentials (via file registry) |
Source: | Code function: | 0_2_0040D069 | (2 entries) |
Tries to harvest and steal browser information (history, passwords, etc) |
Source: | File opened: |
Source: | File source: | (5 entries) |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation1 | Masquerading1 | OS Credential Dumping2 | Security Software Discovery2 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion21 | Credentials in Registry2 | Virtualization/Sandbox Evasion21 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation1 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol112 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
rfxJzZjiWv.exe | 88% | Virustotal | | Browse |
rfxJzZjiWv.exe | 88% | Metadefender | | Browse |
rfxJzZjiWv.exe | 96% | ReversingLabs | Win32.Trojan.LokiBot | |
rfxJzZjiWv.exe | 100% | Avira | TR/Crypt.XPACK.Gen | |
rfxJzZjiWv.exe | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | | Download File |
| 100% | Avira | TR/Crypt.XPACK.Gen | | Download File |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 6% | Virustotal | | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 11% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 5% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
naourl.com | 212.32.237.90 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 534005 |
Start date: | 04.12.2021 |
Start time: | 23:39:35 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 2m 44s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | rfxJzZjiWv.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/2@5/2 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
23:40:27 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
212.32.237.90 | 15 associated samples (names and hashes not extracted) | | malicious | Browse | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
LEASEWEB-NL-AMS-01 (Netherlands, NL) | 20 associated samples (names and hashes not extracted) | | malicious | Browse | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\rfxJzZjiWv.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Users\user\Desktop\rfxJzZjiWv.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 46 |
Entropy (8bit): | 1.0424600748477153 |
Encrypted: | false |
SSDEEP: | 3:/lbq:4 |
MD5: | 8CB7B7F28464C3FCBAE8A10C46204572 |
SHA1: | 767FE80969EC2E67F54CC1B6D383C76E7859E2DE |
SHA-256: | ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96 |
SHA-512: | 9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
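The first dropped file is a single byte with entropy 0.0, and its MD5, SHA1 and SHA-256 above are the well-known digests of the ASCII digit "1". The following added example (not Joe Sandbox code) shows how to confirm that from the report alone: a one-byte file has only 256 possible contents, so brute-forcing them against the reported hashes recovers the content, and the entropy function reproduces the report's "Entropy (8bit)" column so the same check applies to larger dropped files. The reported hash values are copied from the table; nothing else is assumed.

```python
"""Identify a dropped file from the report's hashes (added example, not
Joe Sandbox code). Reported values are copied from the 'Created / dropped
Files' entry above: 1 byte, entropy 0.0, MD5 C4CA4238A0B923820DCC509A6F75849B."""
import hashlib
import math
from collections import Counter
from typing import Dict, Optional

# Hashes copied from the report (lower-cased).
REPORTED = {
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
}


def digests(data: bytes) -> Dict[str, str]:
    """Compute the same digest set the sandbox reports."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, i.e. the report's 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def recover_single_byte(reported: Dict[str, str]) -> Optional[bytes]:
    """A 1-byte file has 256 possible contents; try every one against the hashes."""
    wanted = {k: v.lower() for k, v in reported.items()}
    for b in range(256):
        candidate = bytes([b])
        if digests(candidate) == wanted:
            return candidate
    return None


def check_dropped_file(data: bytes, reported: Dict[str, str], reported_entropy: float) -> bool:
    """True when both the digests and the 8-bit entropy match the report."""
    wanted = {k: v.lower() for k, v in reported.items()}
    return digests(data) == wanted and abs(shannon_entropy(data) - reported_entropy) < 1e-9


if __name__ == "__main__":
    content = recover_single_byte(REPORTED)
    print("dropped file content:", content)
    print("matches report:", check_dropped_file(content, REPORTED, 0.0))
```

The 46-byte second file cannot be recovered this way (2^368 candidates), but `check_dropped_file` still verifies a copy pulled from an infected host against the reported hashes and entropy before it is shared with another team.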
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.05714066527445 |
TrID: |
|
File name: | rfxJzZjiWv.exe |
File size: | 106496 |
MD5: | 8ed7e6b478cf0c00934bb42e3bdf5e20 |
SHA1: | ceb70c6dc5a85a64cc7a47e0ec12936f2d5e57db |
SHA256: | 4395224e257fe5659011fb90649c89d295e80123d7622d6cdb5b09371573e1aa |
SHA512: | db4f78f56df60bcc906588546d0bb55b7ff9ec483484a6d70f891bb33fc84339cf1ee77973f785f1f71d6b1eb8090449078bdc8ededb70a41c094cfa0b5affee |
SSDEEP: | 1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqdIzmd:nSHIG6mQwGmfOQd8YhY0/EgUG |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x.....................K.K.............=2......................................=2......=2......Rich............PE..L.....lW... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4139de |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x576C0885 [Thu Jun 23 16:04:21 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 0239fd611af3d0e9b0c46c5837c80e09 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
push ecx |
and dword ptr [ebp-04h], 00000000h |
lea eax, dword ptr [ebp-04h] |
push esi |
push edi |
push eax |
call 00007F8788837F79h |
push eax |
call 00007F8788837F56h |
xor esi, esi |
mov edi, eax |
pop ecx |
pop ecx |
cmp dword ptr [ebp-04h], esi |
jle 00007F8788838136h |
push 004188BCh |
push dword ptr [edi+esi*4] |
call 00007F878882A605h |
pop ecx |
pop ecx |
test eax, eax |
je 00007F878883811Dh |
push 00002710h |
call 00007F878882AEBAh |
pop ecx |
inc esi |
cmp esi, dword ptr [ebp-04h] |
jl 00007F87888380EEh |
push 00000000h |
call 00007F8788837F4Eh |
push 00000000h |
call 00007F8788838262h |
pop ecx |
pop edi |
xor eax, eax |
pop esi |
mov esp, ebp |
pop ebp |
retn 0010h |
push ebp |
mov ebp, esp |
xor eax, eax |
push eax |
push eax |
push E567384Dh |
push eax |
call 00007F87888278A9h |
push dword ptr [ebp+08h] |
call eax |
pop ebp |
ret |
push ebp |
mov ebp, esp |
push esi |
mov esi, dword ptr [ebp+08h] |
test esi, esi |
je 00007F8788838174h |
push esi |
call 00007F878882A3D0h |
pop ecx |
test eax, eax |
je 00007F8788838169h |
push esi |
call 00007F878882840Ch |
pop ecx |
test eax, eax |
je 00007F878883815Eh |
mov eax, dword ptr [0049FDECh] |
cmp dword ptr [ebp+10h], 00000000h |
cmovne eax, dword ptr [ebp+10h] |
push eax |
push dword ptr [0049FDE8h] |
call 00007F8788829E04h |
push dword ptr [ebp+0Ch] |
push dword ptr [0049FDE8h] |
call 00007F8788829DF6h |
push 00000000h |
push 00000000h |
push esi |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18ed0 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x5c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x136f5 | 0x13800 | False | 0.568509615385 | data | 6.49204829439 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x15000 | 0x4060 | 0x4200 | False | 0.370087594697 | data | 4.26890991196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1a000 | 0x85e24 | 0x200 | False | 0.12890625 | data | 0.946496689201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.x | 0xa0000 | 0x2000 | 0x2000 | False | 0.0181884765625 | data | 0.198253121373 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
Imports |
---|
DLL | Import |
---|---|
WS2_32.dll | getaddrinfo, freeaddrinfo, closesocket, WSAStartup, socket, send, recv, connect |
KERNEL32.dll | GetProcessHeap, HeapFree, HeapAlloc, SetLastError, GetLastError |
ole32.dll | CoCreateInstance, CoInitialize, CoUninitialize |
OLEAUT32.dll | VariantInit, SysFreeString, SysAllocString |
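Two static facts in the tables above are worth reading together. The .data section occupies 0x85e24 bytes in memory but only 0x200 bytes on disk, and the writable .x section has a non-standard name; with the aPLib Yara hits, that is the profile of a stub that decompresses its payload into a zero-filled region at runtime. The import table is correspondingly thin (20 functions across four DLLs, no LoadLibrary/GetProcAddress), while the entrypoint preview pushes the constant E567384Dh before a call and then does `call eax`, consistent with resolving APIs by hash. The added example below (not Joe Sandbox code) is a minimal PE section-header parser that surfaces these indicators. The header bytes are constructed from the values in the Static PE Info tables; PointerToRawData is not in the report and is assumed to start at 0x400 with sections stored back to back, an assumption that reproduces the reported file size of 106496 bytes.

```python
"""Parse PE section headers and flag the unpack-buffer pattern seen in this
report (added example, not Joe Sandbox code). Header bytes are constructed
from the report's Static PE Info tables; raw file offsets are assumed."""
import struct
from typing import Dict, List, Optional

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics) from the report.
REPORTED_SECTIONS = [
    (b".text", 0x01000, 0x136F5, 0x13800, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x15000, 0x04060, 0x04200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", 0x1A000, 0x85E24, 0x00200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (b".x", 0xA0000, 0x02000, 0x02000, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
]
KNOWN_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".bss", ".tls", ".pdata", ".CRT"}


def build_headers(sections=REPORTED_SECTIONS, first_raw: int = 0x400) -> bytes:
    """Constructed PE32 header: DOS header, COFF header, optional header, section table.
    first_raw (PointerToRawData of the first section) is an assumption, not a report value."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine i386, 4 sections, TimeDateStamp from the report, 224-byte optional header,
    # Characteristics RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x576C0885, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x139DE)   # AddressOfEntryPoint = 0x4139de - ImageBase
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    table = b""
    raw_ptr = first_raw
    for name, va, vsize, rawsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data: bytes) -> Dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    sections, off = [], pe + 24 + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawsize, "rawptr": rawptr, "chars": chars})
        off += 40
    return {"entry": entry, "sections": sections}


def flag_sections(sections: List[Dict], ratio: int = 8) -> List[str]:
    """Heuristics: writable section far larger in memory than on disk, W+X, odd names."""
    findings = []
    for s in sections:
        writable = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if writable and s["vsize"] > ratio * max(s["raw"], 1):
            findings.append(f"{s['name']}: virtual 0x{s['vsize']:x} vs raw 0x{s['raw']:x}, writable: "
                            "zero-filled region, likely a runtime unpack buffer")
        if writable and executable:
            findings.append(f"{s['name']}: writable and executable")
        if s["name"] not in KNOWN_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
    return findings


def section_for_rva(sections: List[Dict], rva: int) -> Optional[str]:
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None


def expected_file_size(sections: List[Dict]) -> int:
    """Highest raw offset + raw size; should equal the on-disk size if no overlay."""
    return max(s["rawptr"] + s["raw"] for s in sections)


if __name__ == "__main__":
    pe = parse_pe(build_headers())
    print("entry point lives in:", section_for_rva(pe["sections"], pe["entry"]))
    print("expected file size:", expected_file_size(pe["sections"]))
    for f in flag_sections(pe["sections"]):
        print("finding:", f)
```

Run against a real file, `parse_pe(open(path, "rb").read())` replaces the constructed header; `expected_file_size` compared with the true size also tells you whether the sample carries an overlay, which this one, at exactly 0x1A000 bytes, does not appear to.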
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/04/21-23:40:25.169299 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:25.169299 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:25.169299 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:25.169299 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:26.584318 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:26.584318 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:26.584318 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:26.584318 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:27.790426 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:27.790426 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:27.790426 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:27.790426 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:28.827279 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:28.827279 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:28.827279 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:28.827279 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:29.848169 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:29.848169 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:29.848169 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:29.848169 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
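The four rule groups above fire on every session: two exfiltration signatures on the first two POSTs (credential upload), two "request for C2 commands" signatures on the next three, and the User-Agent and check-in signatures on all five. Where no IDS is in the path, the same traffic can be found in web-proxy logs. The added example below (not Joe Sandbox code and not an ET rule) runs that hunt over constructed proxy log lines. Indicators taken from this report are the live C2 host naourl.com and the four config URLs; the User-Agent string `Mozilla/4.08 (Charon; Inferno)` is what the public ET signature 2021641 keys on and is not printed in this report, and the request paths in the sample lines are invented.

```python
"""Hunt for LokiBot check-in/exfiltration traffic in web-proxy logs (added
example, not Joe Sandbox code). Log lines are constructed; the User-Agent
string comes from the public ET rule 2021641, the hosts from this report."""
import re
from typing import Dict, List, Set

# Live C2 from Contacted Domains plus the four config URLs' hosts.
C2_HOSTS = {"naourl.com", "kbfvzoboss.bid", "alphastand.trade", "alphastand.win", "alphastand.top"}
LOKI_UA = re.compile(r"Mozilla/4\.08 \(Charon; Inferno\)")
LOKI_PATH = re.compile(r"/fre\.php$")

# Constructed proxy log, tab-separated: ts src method host path status user-agent.
# Paths under naourl.com are invented; the report does not print them.
SAMPLE_LOG = """\
2021-12-04T23:40:25Z\t192.168.2.4\tPOST\tnaourl.com\t/sec/fre.php\t200\tMozilla/4.08 (Charon; Inferno)
2021-12-04T23:40:26Z\t192.168.2.4\tPOST\tnaourl.com\t/sec/fre.php\t200\tMozilla/4.08 (Charon; Inferno)
2021-12-04T23:40:27Z\t192.168.2.4\tPOST\tnaourl.com\t/sec/fre.php\t404\tMozilla/4.08 (Charon; Inferno)
2021-12-04T23:40:30Z\t192.168.2.7\tGET\twww.example.com\t/index.html\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2021-12-04T23:40:31Z\t192.168.2.9\tPOST\talphastand.top\t/alien/fre.php\t000\tcurl/7.79.1
2021-12-04T23:40:32Z\t192.168.2.11\tPOST\tupdates.example.net\t/api/fre.php\t200\tMozilla/5.0
"""


def parse_line(line: str) -> Dict[str, str]:
    ts, src, method, host, path, status, ua = line.rstrip("\n").split("\t", 6)
    return {"ts": ts, "src": src, "method": method, "host": host, "path": path, "status": status, "ua": ua}


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record looks like LokiBot traffic; '(weak)' ones need corroboration."""
    reasons = []
    if LOKI_UA.search(rec["ua"]):
        reasons.append("LokiBot user-agent (ET 2021641)")
    if rec["host"].lower() in C2_HOSTS:
        reasons.append("known C2 host from sample config / contacted domains")
    if rec["method"] == "POST" and LOKI_PATH.search(rec["path"]):
        # fre.php is the LokiBot gate script name, but the filename alone is a weak signal.
        reasons.append("POST to */fre.php (weak)")
    return reasons


def hunt(log: str) -> List[Dict]:
    """Keep records with at least one strong reason; two strong reasons = high confidence."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        strong = [r for r in reasons if "(weak)" not in r]
        if strong:
            rec["reasons"] = reasons
            rec["confidence"] = "high" if len(strong) >= 2 else "medium"
            hits.append(rec)
    return hits


def infected_hosts(hits: List[Dict]) -> Set[str]:
    """Source addresses to isolate and image."""
    return {h["src"] for h in hits}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], "->", h["host"], h["confidence"], "; ".join(h["reasons"]))
    print("hosts to triage:", sorted(infected_hosts(found)))
```

A 404 from the C2 (third line) still counts: the beacon was sent, and the credential upload on the first two requests has already happened by the time the server stops answering, which is why the first two Snort alerts here are exfiltration signatures rather than plain check-ins. The host posting to a config placeholder domain with curl is kept at medium confidence rather than dropped, since touching those domains is still worth a look.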
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 4, 2021 23:40:25.141088009 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:25.166338921 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:25.166424036 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:25.169298887 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:25.195113897 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:25.195162058 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:25.220299959 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:25.426904917 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:25.427032948 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:25.427285910 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:25.427331924 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:25.452235937 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:26.553580999 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:26.579066038 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:26.579268932 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:26.584317923 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:26.609769106 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:26.609910011 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:26.635215998 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:26.847377062 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:26.847559929 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:26.847645998 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:26.873150110 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:27.761544943 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:27.787653923 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:27.787765980 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:27.790426016 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:27.815903902 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:27.816095114 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:27.827552080 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:27.827702045 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:27.827722073 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:27.827779055 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:27.853832006 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:28.797764063 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:28.823947906 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:28.824559927 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:28.827279091 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:28.853244066 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:28.856611013 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:28.868113041 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:28.868171930 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:28.868345022 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:28.868428946 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:28.894344091 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:29.819633961 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:29.845372915 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:29.845504045 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:29.848169088 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:29.873876095 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:29.874062061 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:29.886748075 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:29.886892080 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:29.887314081 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4 |
Dec 4, 2021 23:40:29.887382030 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:29.912643909 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 4, 2021 23:40:25.106108904 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Dec 4, 2021 23:40:25.134881973 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Dec 4, 2021 23:40:26.530941963 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Dec 4, 2021 23:40:26.550316095 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Dec 4, 2021 23:40:27.739684105 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Dec 4, 2021 23:40:27.760241985 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Dec 4, 2021 23:40:28.773323059 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Dec 4, 2021 23:40:28.793174028 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Dec 4, 2021 23:40:29.799994946 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Dec 4, 2021 23:40:29.817958117 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dec 4, 2021 23:40:25.106108904 CET | 192.168.2.4 | 8.8.8.8 | 0x905a | Standard query (0) | | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:26.530941963 CET | 192.168.2.4 | 8.8.8.8 | 0x60da | Standard query (0) | | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:27.739684105 CET | 192.168.2.4 | 8.8.8.8 | 0xd8e0 | Standard query (0) | | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:28.773323059 CET | 192.168.2.4 | 8.8.8.8 | 0x48fa | Standard query (0) | | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:29.799994946 CET | 192.168.2.4 | 8.8.8.8 | 0x402a | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dec 4, 2021 23:40:25.134881973 CET | 8.8.8.8 | 192.168.2.4 | 0x905a | No error (0) | | | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:26.550316095 CET | 8.8.8.8 | 192.168.2.4 | 0x60da | No error (0) | | | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:27.760241985 CET | 8.8.8.8 | 192.168.2.4 | 0xd8e0 | No error (0) | | | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:28.793174028 CET | 8.8.8.8 | 192.168.2.4 | 0x48fa | No error (0) | | | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:29.817958117 CET | 8.8.8.8 | 192.168.2.4 | 0x402a | No error (0) | | | 212.32.237.90 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49752 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 4, 2021 23:40:25.169298887 CET | 540 | OUT | |
Dec 4, 2021 23:40:25.195162058 CET | 541 | OUT | |
Dec 4, 2021 23:40:25.426904917 CET | 667 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.4 | 49765 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 4, 2021 23:40:26.584317923 CET | 1166 | OUT | |
Dec 4, 2021 23:40:26.609910011 CET | 1166 | OUT | |
Dec 4, 2021 23:40:26.847377062 CET | 1167 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.4 | 49766 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 4, 2021 23:40:27.790426016 CET | 1168 | OUT | |
Dec 4, 2021 23:40:27.816095114 CET | 1168 | OUT | |
Dec 4, 2021 23:40:27.827552080 CET | 1168 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.4 | 49767 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 4, 2021 23:40:28.827279091 CET | 1169 | OUT | |
Dec 4, 2021 23:40:28.856611013 CET | 1169 | OUT | |
Dec 4, 2021 23:40:28.868113041 CET | 1170 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.4 | 49768 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 4, 2021 23:40:29.848169088 CET | 1171 | OUT | |
Dec 4, 2021 23:40:29.874062061 CET | 1171 | OUT | |
Dec 4, 2021 23:40:29.886748075 CET | 1171 | IN |
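The network tables above (five DNS lookups, five short HTTP sessions from the sample's process to the resolved address, and four ET LokiBot alerts on the last session) are easier to act on once they are joined into one per-connection timeline. The script below does that join; it is an added example for this report, not Joe Sandbox code. The row strings are copied as extracted from the tables above (ET alerts, DNS Answers, HTTP Packets session headers, and the first packet of each TCP session). Two caveats the data forces: the DNS query names are absent from the extracted report, so correlation keys on the answered address and on the client source port rather than on a hostname; and the alert timestamps carry no zone, so the script treats them as the same clock as the packet table, which the report supports (the alert time equals the fourth packet of session 49768 to the microsecond).

```python
"""Join the report's network tables into a per-connection C2 timeline plus an
indicator list. Added example for this report, not Joe Sandbox code. Rows are
copied as extracted from the tables above; DNS query names are not in the
extracted report, so correlation keys on answered address and source port.
"""
import re
from datetime import datetime

ALERTS = r"""
12/04/21-23:40:29.848169 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:29.848169 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:29.848169 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
12/04/21-23:40:29.848169 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
"""
DNS_ANSWERS = r"""
Dec 4, 2021 23:40:25.134881973 CET | 8.8.8.8 | 192.168.2.4 | 0x905a | No error (0) | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:26.550316095 CET | 8.8.8.8 | 192.168.2.4 | 0x60da | No error (0) | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:27.760241985 CET | 8.8.8.8 | 192.168.2.4 | 0xd8e0 | No error (0) | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:28.793174028 CET | 8.8.8.8 | 192.168.2.4 | 0x48fa | No error (0) | 212.32.237.90 | A (IP address) | IN (0x0001) |
Dec 4, 2021 23:40:29.817958117 CET | 8.8.8.8 | 192.168.2.4 | 0x402a | No error (0) | 212.32.237.90 | A (IP address) | IN (0x0001) |
"""
HTTP_SESSIONS = r"""
0 | 192.168.2.4 | 49752 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
1 | 192.168.2.4 | 49765 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
2 | 192.168.2.4 | 49766 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
3 | 192.168.2.4 | 49767 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
4 | 192.168.2.4 | 49768 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe |
"""
TCP_FIRST = r"""
Dec 4, 2021 23:40:25.141088009 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:26.553580999 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:27.761544943 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:28.797764063 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90 |
Dec 4, 2021 23:40:29.819633961 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90 |
"""
_REPORT_TS = re.compile(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{6})\d* CET$")


def parse_rows(block):
    """Split pipe-delimited report rows into cell lists, dropping the trailing
    empty cells the extraction leaves behind."""
    rows = []
    for line in block.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        while cells and cells[-1] == "":
            cells.pop()
        rows.append(cells)
    return rows


def ts_report(text):
    """'Dec 4, 2021 23:40:25.134881973 CET' -> datetime (ns truncated to us)."""
    m = _REPORT_TS.match(text)
    if not m:
        raise ValueError(f"unexpected timestamp: {text!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def ts_alert(text):
    """'12/04/21-23:40:29.848169' (Suricata fast-log style) -> datetime."""
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S.%f")


def build_timeline(tcp_first=TCP_FIRST, dns=DNS_ANSWERS, http=HTTP_SESSIONS, alerts=ALERTS):
    """One record per client connection: the most recent A answer before it,
    the process owning the socket, and the IDS alerts keyed on its source port."""
    answers = sorted((ts_report(r[0]), r[5]) for r in parse_rows(dns))
    proc_by_port = {r[2]: r[5] for r in parse_rows(http)}
    alerts_by_port = {}
    for r in parse_rows(alerts):
        alerts_by_port.setdefault(r[4], []).append((ts_alert(r[0]), int(r[2]), r[3]))
    records = []
    for r in parse_rows(tcp_first):
        start, sport, dst = ts_report(r[0]), r[1], r[4]
        prior = [ip for t, ip in answers if t <= start]
        records.append({
            "start": start, "sport": sport, "dst": dst,
            "process": proc_by_port.get(sport),
            "resolved_ip": prior[-1] if prior else None,
            "dst_matches_dns": bool(prior) and prior[-1] == dst,
            "alerts": sorted(alerts_by_port.get(sport, [])),
        })
    return records


def indicators(records):
    """Network IOCs to block or hunt for: C2 address(es) and the ET SIDs that fired."""
    ips = {r["dst"] for r in records if r["alerts"]}
    ips |= {r["resolved_ip"] for r in records if r["resolved_ip"]}
    sids = {sid for r in records for _, sid, _ in r["alerts"]}
    return {"c2_ips": sorted(ips), "sids": sorted(sids)}


if __name__ == "__main__":
    tl = build_timeline()
    for rec in tl:
        hit = ", ".join(str(sid) for _, sid, _ in rec["alerts"]) or "-"
        print(f"{rec['start'].time()} {rec['sport']}->{rec['dst']} dns_match={rec['dst_matches_dns']} sids={hit}")
    print(indicators(tl))
```

Running it shows the pattern a responder should take from this report: every one of the five connections follows a fresh lookup that answered 212.32.237.90, all are owned by rfxJzZjiWv.exe, and the ET signatures (2021641, 2024313, 2024318, 2025381) fire only on the fifth session, so blocking on the resolved address rather than waiting for the alert would have covered the first four beacons as well.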
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 23:40:22 |
Start date: | 04/12/2021 |
Path: | C:\Users\user\Desktop\rfxJzZjiWv.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 106496 bytes |
MD5 hash: | 8ED7E6B478CF0C00934BB42E3BDF5E20 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
00403D74 | 14.2 | 4 | 4 | 200 | file, COMMON | 85% |
| | | | | | 78% |
00402B7C | 3.0 | 2 | | 20 | memory, COMMON | 100% |
| | | | | | 64% |
00406069 | 1.5 | 1 | | 12 | COMMON | 100% |
| | | | | | 75% |
| | | | | | 37% |
004040BB | 7.1 | 3 | 1 | 129 | file, memory, COMMON | 74% |
00413866 | 4.6 | 3 | | 147 | synchronization, COMMON | 79% |
004042CF | 4.6 | 3 | | 60 | file, COMMON | 100% |
00412D31 | 3.7 | 1 | 1 | 178 | thread, COMMON | 34% |
| | | | | | 100% |
| | | | | | 100% |
00402C03 | 3.5 | 1 | 1 | 13 | libraryloader, COMMON | 100% |
| | | | | | 92% |
004060BD | 1.6 | 1 | | 53 | COMMON | 40% |
00403C62 | 1.5 | 1 | | 24 | COMMON | 100% |
0040642C | 1.5 | 1 | | 18 | COMMON | 37% |
| | | | | | 37% |
00403BD0 | 1.5 | 1 | | 14 | COMMON | 100% |
0040427D | 1.5 | 1 | | 13 | COMMON | 100% |
| | | | | | 100% |
00403C40 | 1.5 | 1 | | 12 | COMMON | 100% |
00403C08 | 1.5 | 1 | | 12 | file, COMMON | 100% |
| | | | | | 100% |
00403BEF | 1.5 | 1 | | 12 | COMMON | 100% |
00403BB7 | 1.5 | 1 | | 12 | COMMON | 100% |
| | | | | | 100% |
00403B64 | 1.5 | 1 | | 11 | COMMON | 100% |
00404ED4 | 1.5 | 1 | | 9 | network, COMMON | |
00404DE5 | 1.5 | 1 | | 6 | COMMON | |
00403F9E | 1.3 | 1 | | 16 | COMMON | 100% |
00406472 | 1.3 | 1 | | 12 | sleep, COMMON | 100% |
004058EA | 1.3 | 1 | | 12 | COMMON | 100% |
00405924 | 1.3 | 1 | | 12 | COMMON | 100% |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
0040D069 | 12.6 | | 10 | 138 | COMMON | 88% |
0040549C | 0.1 | | | 146 | COMMON, Crypto | 100% |
004029D4 | 0.1 | | | 77 | COMMON, Crypto | 92% |
0040317B | 0.0 | | | 46 | COMMON | 90% |
Uniqueness Score (every function above): | -1.00% |