Play interactive tour
Edit tourWindows Analysis Report O53TFikPkp
Overview
General Information
| Sample Name: | O53TFikPkp (renamed file extension from none to exe) |
| Analysis ID: | 552998 |
| MD5: | be56d049ee926fbccec623695d12a5c6 |
| SHA1: | 1fa7ea2d0e348b7e1d79a7e6426e6f10376238e4 |
| SHA256: | 626213dec6f5f7c552974fc4d9fe954cb70b94f03588aa4550cd545789034167 |
| Tags: | 32exetrojan |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "Username": "mailfilter247@yandex.com", "Password": "daddyhandsome@1234", "Host": "smtp.yandex.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 18 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 53 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | ReversingLabs: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
Compliance: | |
|---|
| Detected unpacking (creates a PE file in dynamic memory) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 1_2_00405D7C | |
| Source: | Code function: | 1_2_004053AA | |
| Source: | Code function: | 1_2_00402630 | |
| Source: | Code function: | 2_2_00404A29 | |
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | Code function: | 1_2_00404F61 | |
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_00403225 | |
| Source: | Code function: | 1_2_0040604C | |
| Source: | Code function: | 1_2_00404772 | |
| Source: | Code function: | 2_2_0040A2A5 | |
| Source: | Code function: | 2_2_00464840 | |
| Source: | Code function: | 2_2_00464C78 | |
| Source: | Code function: | 2_2_00461DD8 | |
| Source: | Code function: | 2_2_0046EA60 | |
| Source: | Code function: | 2_2_0046AC20 | |
| Source: | Code function: | 2_2_00466CB0 | |
| Source: | Code function: | 2_2_0046C75F | |
| Source: | Code function: | 2_2_0046C7C0 | |
| Source: | Code function: | 2_2_00716138 | |
| Source: | Code function: | 2_2_0071F138 | |
| Source: | Code function: | 2_2_00715B01 | |
| Source: | Code function: | 2_2_0071D858 | |
| Source: | Code function: | 2_2_008CE200 | |
| Source: | Code function: | 2_2_008C04F6 | |
| Source: | Code function: | 2_2_008C8990 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_00402012 | |
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 1_2_00404275 | |
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Code function: | 2_2_00401489 | |
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation: | |
|---|
| Detected unpacking (creates a PE file in dynamic memory) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 1_2_72B2102E | |
| Source: | Code function: | 2_2_00401F29 | |
| Source: | Code function: | 2_2_0046984D | |
| Source: | Code function: | 2_2_0071B559 | |
| Source: | Code function: | 2_2_0071D39D | |
| Source: | Code function: | 2_2_0071D3A1 | |
| Source: | Code function: | 1_2_00405DA3 | |
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Moves itself to temp directory | Show sources | ||
| Source: | File moved: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_00405D7C | |
| Source: | Code function: | 1_2_004053AA | |
| Source: | Code function: | 1_2_00402630 | |
| Source: | Code function: | 2_2_00404A29 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | API call chain: | graph_1-3617 | ||
| Source: | API call chain: | graph_1-3613 | ||
| Source: | API call chain: | graph_2-54460 | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 2_2_0040446F | |
| Source: | Code function: | 1_2_00405DA3 | |
| Source: | Code function: | 2_2_004067FE | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 1_2_0019E906 | |
| Source: | Code function: | 1_2_0019E6F2 | |
| Source: | Code function: | 1_2_0019EA34 | |
| Source: | Code function: | 1_2_0019E9B7 | |
| Source: | Code function: | 1_2_0019E9F6 | |
| Source: | Code function: | 2_2_004035F1 | |
| Source: | Code function: | 2_2_0046B510 | |
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 2_2_00401E1D | |
| Source: | Code function: | 2_2_0040446F | |
| Source: | Code function: | 2_2_00401C88 | |
| Source: | Code function: | 2_2_00401F30 | |
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 2_2_0040208D | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00401B74 | |
| Source: | Code function: | 1_2_00405AA7 | |
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to steal Mail credentials (via file / registry access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
| Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery2 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery126 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | NTDS | Query Registry1 | Distributed Component Object Model | Clipboard Data1 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading11 | LSA Secrets | Security Software Discovery231 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion131 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Virtualization/Sandbox Evasion131 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 51% | Virustotal | Browse | ||
| 53% | ReversingLabs | Win32.Worm.SpyBot | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 41% | ReversingLabs | Win32.Trojan.SpyNoon |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| smtp.yandex.ru | 77.88.21.158 | true | false | high | |
| smtp.yandex.com | unknown | unknown | false | high |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false | high | |||
| false |
| low | ||
| false |
| unknown | ||
| false | high | |||
| false | high |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false |
General Information |
|---|
| Joe Sandbox Version: | 34.0.0 Boulder Opal |
| Analysis ID: | 552998 |
| Start date: | 14.01.2022 |
| Start time: | 03:36:24 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 7m 7s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | O53TFikPkp (renamed file extension from none to exe) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/5@4/1 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 03:37:30 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 77.88.21.158 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| smtp.yandex.ru | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| YANDEXRU | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\O53TFikPkp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 292863 |
| Entropy (8bit): | 7.960756321339627 |
| Encrypted: | false |
| SSDEEP: | 6144:nG5d30duZbuUYgGsFxZZLt2lGPSgQF5P+tauUASi2/WNhBR20fJtq:Gr3WuZbuUYXsF7dklTNv6N7Rvfe |
| MD5: | 836F7E06923775EBB7DA041B320352E7 |
| SHA1: | BAA947AC30331C0E38F17FD42E45D485E2BF1B93 |
| SHA-256: | 432EE7145FF38C9BA1538CD1B9A06B9C724623CEECF1EB55BDB32D2F5D3383D7 |
| SHA-512: | 92C969F43B9994CAC1F88FFF0E155A509D0D6B38F59AAD6F63BB23E0BC30901D8940B3B6A2ECDB15BDE8ECD91FB2FB09D4C1286E4950B808B5B3DB0DBF2039DD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\O53TFikPkp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 326482 |
| Entropy (8bit): | 7.78664277552046 |
| Encrypted: | false |
| SSDEEP: | 6144:XCrqG5d30duZbuUYgGsFxZZLt2lGPSgQF5P+tauUASi2/WNhBR20fJt:SNr3WuZbuUYXsF7dklTNv6N7Rvf |
| MD5: | 97A7BA9AF50642C7397AA0533D53206E |
| SHA1: | 67B6E642A98AD4E8BE87568EC0D7D3B3581D2EAA |
| SHA-256: | DBFAC0266262C8ADB6BDB311E4FCC3EFC41DA69AE0F8E07DA261022AB80214D9 |
| SHA-512: | CE1C41E77024A5DF6A01E7A1E0C9BB716354B51BAE874166159FB76ED9E4B3AD5E59859FB9E43DDBEBA34E192CD5F9A9D953332BE9539D39A8A3357F7F97A7F6 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\O53TFikPkp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 3.7803683556919934 |
| Encrypted: | false |
| SSDEEP: | 48:CnGI9I+Li4RxYtY8qxpnFbfGFN1RuqSd:iGyW4RxY2xpF49x |
| MD5: | 24E8067B956182DDEE35AB317DE624C6 |
| SHA1: | 37E4431822CA95FD5B26248A36C39FDF9F6B7A9D |
| SHA-256: | BA259C3BF51AE2B5CEAF843DD2E5CAE3865ACBA2F5E81115FA6D3F4BB1D3F392 |
| SHA-512: | 31CE4162321577E54FC48BE48131305F361C2CCFFAB2B5542DAF88B6F1D3ED66C75ADBFA60E758462A450E5DC1D0CF883B3B868F52577087C69DABF1B1A0D6B2 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\O53TFikPkp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5304 |
| Entropy (8bit): | 6.087454449151516 |
| Encrypted: | false |
| SSDEEP: | 96:g6P9SMp73nKbDsHM8u7ni6F4RI+3ZqYHRdML4O9xl12yq160N2D3PDz:g6P9NTnDs8ue6alhH3MkqYpJN2b |
| MD5: | D3D435ACB4C52B21856675D898614EF0 |
| SHA1: | 498FA98468A240DDF040804A4F952517B27EAF3A |
| SHA-256: | 7282D29AE2D2BBF420B65E435651A86778BD6F3170C34BBCE183D756FA7D4B31 |
| SHA-512: | 7E126163569E8921580B47D6015E324263737FE74E734398F15A4B4272A666E0DD0F8D116D08926ED31472098030FB189FDEB09EA5E998A50DC861EED57C7B96 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\O53TFikPkp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.7006690334145785 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ |
| MD5: | A7FE10DA330AD03BF22DC9AC76BBB3E4 |
| SHA1: | 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803 |
| SHA-256: | 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8 |
| SHA-512: | 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7 |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.937396375196458 |
| TrID: |
|
| File name: | O53TFikPkp.exe |
| File size: | 271485 |
| MD5: | be56d049ee926fbccec623695d12a5c6 |
| SHA1: | 1fa7ea2d0e348b7e1d79a7e6426e6f10376238e4 |
| SHA256: | 626213dec6f5f7c552974fc4d9fe954cb70b94f03588aa4550cd545789034167 |
| SHA512: | 571bf9c0c0ca1c70a71ff1c92bf8e0da04a27ee013097a770ad319165bab274f483adea5fc00dc78b4e1e88f10c3eb70eb64c338593360294cf4b8664eceb0f3 |
| SSDEEP: | 6144:owsJm3jpsSbMcpJxUNhZfbn5Svf7AkjdOFIP6:B3lTbvpJqNj5af7DjAFIi |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2..... |
File Icon |
|---|
 | |
| Icon Hash: | b2a88c96b2ca6a72 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x403225 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 099c0646ea7282d232219f8807883be0 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| sub esp, 00000180h |
| push ebx |
| push ebp |
| push esi |
| xor ebx, ebx |
| push edi |
| mov dword ptr [esp+18h], ebx |
| mov dword ptr [esp+10h], 00409128h |
| xor esi, esi |
| mov byte ptr [esp+14h], 00000020h |
| call dword ptr [00407030h] |
| push 00008001h |
| call dword ptr [004070B4h] |
| push ebx |
| call dword ptr [0040727Ch] |
| push 00000008h |
| mov dword ptr [00423F58h], eax |
| call 00007FAEB0CD1990h |
| mov dword ptr [00423EA4h], eax |
| push ebx |
| lea eax, dword ptr [esp+34h] |
| push 00000160h |
| push eax |
| push ebx |
| push 0041F450h |
| call dword ptr [00407158h] |
| push 004091B0h |
| push 004236A0h |
| call 00007FAEB0CD1647h |
| call dword ptr [004070B0h] |
| mov edi, 00429000h |
| push eax |
| push edi |
| call 00007FAEB0CD1635h |
| push ebx |
| call dword ptr [0040710Ch] |
| cmp byte ptr [00429000h], 00000022h |
| mov dword ptr [00423EA0h], eax |
| mov eax, edi |
| jne 00007FAEB0CCEE5Ch |
| mov byte ptr [esp+14h], 00000022h |
| mov eax, 00429001h |
| push dword ptr [esp+14h] |
| push eax |
| call 00007FAEB0CD1128h |
| push eax |
| call dword ptr [0040721Ch] |
| mov dword ptr [esp+1Ch], eax |
| jmp 00007FAEB0CCEEB5h |
| cmp cl, 00000020h |
| jne 00007FAEB0CCEE58h |
| inc eax |
| cmp byte ptr [eax], 00000020h |
| je 00007FAEB0CCEE4Ch |
| cmp byte ptr [eax], 00000022h |
| mov byte ptr [eax+eax+00h], 00000000h |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x2c190 | 0x2e8 | data | English | United States |
| RT_DIALOG | 0x2c478 | 0x100 | data | English | United States |
| RT_DIALOG | 0x2c578 | 0x11c | data | English | United States |
| RT_DIALOG | 0x2c698 | 0x60 | data | English | United States |
| RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States |
| RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA |
| USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 14, 2022 03:39:12.640427113 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:12.702661991 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:12.702799082 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:12.969264984 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:12.969578981 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.031738043 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.031784058 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.032092094 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.094244957 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.144457102 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.169887066 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.233504057 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.233565092 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.233608961 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.233643055 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.233741045 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.233824015 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.283977985 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.346339941 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.394463062 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.554766893 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.617073059 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.622107983 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.684242964 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.685511112 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.758352041 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.759191990 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.828363895 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.828902006 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.896285057 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.896718979 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.958669901 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:13.961158991 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.961252928 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.961954117 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:13.962029934 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:14.023521900 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:14.023869038 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:14.301125050 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:14.347603083 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:15.345776081 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:15.408023119 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:15.408072948 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:15.408171892 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:15.470020056 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:15.524184942 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:15.696842909 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:15.749696970 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:15.750267029 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.042094946 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.042336941 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.096849918 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.096930027 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.097151041 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.149956942 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.151098967 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.208024979 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.208069086 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.208101988 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.208125114 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.208189964 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.208240986 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.210980892 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.264277935 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.268340111 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.321290970 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.322027922 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.374800920 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.375380993 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.445894003 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.446538925 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.511137962 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.511740923 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.566800117 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.567167044 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.620017052 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.622200012 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.622549057 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.623003006 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.623359919 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.623719931 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.623960972 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.624140978 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.624342918 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
| Jan 14, 2022 03:39:16.675165892 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.676017046 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.676315069 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.676707983 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:16.722557068 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:17.023792982 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 |
| Jan 14, 2022 03:39:17.066673994 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 14, 2022 03:39:12.476604939 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jan 14, 2022 03:39:12.493963957 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| Jan 14, 2022 03:39:12.521090031 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jan 14, 2022 03:39:12.540709019 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| Jan 14, 2022 03:39:15.646847010 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jan 14, 2022 03:39:15.666949987 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| Jan 14, 2022 03:39:15.674953938 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jan 14, 2022 03:39:15.695369959 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jan 14, 2022 03:39:12.476604939 CET | 192.168.2.4 | 8.8.8.8 | 0x95e0 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jan 14, 2022 03:39:12.521090031 CET | 192.168.2.4 | 8.8.8.8 | 0xbd24 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jan 14, 2022 03:39:15.646847010 CET | 192.168.2.4 | 8.8.8.8 | 0x9b97 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jan 14, 2022 03:39:15.674953938 CET | 192.168.2.4 | 8.8.8.8 | 0x548e | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jan 14, 2022 03:39:12.493963957 CET | 8.8.8.8 | 192.168.2.4 | 0x95e0 | No error (0) | smtp.yandex.ru | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 14, 2022 03:39:12.493963957 CET | 8.8.8.8 | 192.168.2.4 | 0x95e0 | No error (0) | 77.88.21.158 | A (IP address) | IN (0x0001) | ||
| Jan 14, 2022 03:39:12.540709019 CET | 8.8.8.8 | 192.168.2.4 | 0xbd24 | No error (0) | smtp.yandex.ru | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 14, 2022 03:39:12.540709019 CET | 8.8.8.8 | 192.168.2.4 | 0xbd24 | No error (0) | 77.88.21.158 | A (IP address) | IN (0x0001) | ||
| Jan 14, 2022 03:39:15.666949987 CET | 8.8.8.8 | 192.168.2.4 | 0x9b97 | No error (0) | smtp.yandex.ru | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 14, 2022 03:39:15.666949987 CET | 8.8.8.8 | 192.168.2.4 | 0x9b97 | No error (0) | 77.88.21.158 | A (IP address) | IN (0x0001) | ||
| Jan 14, 2022 03:39:15.695369959 CET | 8.8.8.8 | 192.168.2.4 | 0x548e | No error (0) | smtp.yandex.ru | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 14, 2022 03:39:15.695369959 CET | 8.8.8.8 | 192.168.2.4 | 0x548e | No error (0) | 77.88.21.158 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Jan 14, 2022 03:39:12.969264984 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 | 220 vla5-047c0c0d12a6.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642127952-QQ7GqpzHRI-dCPe5Bo9 |
| Jan 14, 2022 03:39:12.969578981 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 088753 |
| Jan 14, 2022 03:39:13.031784058 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 | 250-vla5-047c0c0d12a6.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES |
| Jan 14, 2022 03:39:13.032092094 CET | 49803 | 587 | 192.168.2.4 | 77.88.21.158 | STARTTLS |
| Jan 14, 2022 03:39:13.094244957 CET | 587 | 49803 | 77.88.21.158 | 192.168.2.4 | 220 Go ahead |
| Jan 14, 2022 03:39:16.042094946 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 | 220 myt5-cceafa914410.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642127956-YBrbW5xT92-dFPq8SOr |
| Jan 14, 2022 03:39:16.042336941 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 088753 |
| Jan 14, 2022 03:39:16.096930027 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 | 250-myt5-cceafa914410.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES |
| Jan 14, 2022 03:39:16.097151041 CET | 49807 | 587 | 192.168.2.4 | 77.88.21.158 | STARTTLS |
| Jan 14, 2022 03:39:16.149956942 CET | 587 | 49807 | 77.88.21.158 | 192.168.2.4 | 220 Go ahead |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 03:37:17 |
| Start date: | 14/01/2022 |
| Path: | C:\Users\user\Desktop\O53TFikPkp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 271485 bytes |
| MD5 hash: | BE56D049EE926FBCCEC623695D12A5C6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 03:37:18 |
| Start date: | 14/01/2022 |
| Path: | C:\Users\user\Desktop\O53TFikPkp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 271485 bytes |
| MD5 hash: | BE56D049EE926FBCCEC623695D12A5C6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Execution Graph |
|---|
| Execution Coverage: | 12% |
| Dynamic/Decrypted Code Coverage: | 6.1% |
| Signature Coverage: | 22.2% |
| Total number of Nodes: | 1335 |
| Total number of Limit Nodes: | 25 |
Graph
Executed Functions |
|---|
Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270filestringcomCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 82% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 94% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213stringregistrylibraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 96% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 96% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 94% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69libraryloaderCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 57% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 76% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 84% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 99% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| C-Code - Quality: 69% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON
Download Yara Rule
| C-Code - Quality: 95% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 97% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404275, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266stringCOMMON
Download Yara Rule
| C-Code - Quality: 78% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405AA7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195stringCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402012, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402630, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
Download Yara Rule
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0019E6F2, Relevance: .2, Instructions: 196COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0019E906, Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0019E9F6, Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0019EA34, Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0019E9B7, Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 83% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403F7F, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
Download Yara Rule
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 90% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004057D3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON
Download Yara Rule
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403E9E, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004046F2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402B2D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004022F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
Download Yara Rule
| C-Code - Quality: 90% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 84% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404610, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
Download Yara Rule
| C-Code - Quality: 51% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| C-Code - Quality: 51% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004052E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405578, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
Download Yara Rule
| C-Code - Quality: 67% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404D73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004024B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004055BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004056D1, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 10.8% |
| Dynamic/Decrypted Code Coverage: | 66.2% |
| Signature Coverage: | 6.4% |
| Total number of Nodes: | 204 |
| Total number of Limit Nodes: | 19 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008CE200, Relevance: 1.9, APIs: 1, Instructions: 396COMMON
Download Yara Rule
Control-flow Graph |
|---|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00710FFE, Relevance: 3.4, APIs: 2, Instructions: 437COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711043, Relevance: 3.4, APIs: 2, Instructions: 430COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711088, Relevance: 3.4, APIs: 2, Instructions: 423COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007110CD, Relevance: 3.4, APIs: 2, Instructions: 416COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711128, Relevance: 1.9, APIs: 1, Instructions: 405COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0071116D, Relevance: 1.9, APIs: 1, Instructions: 398COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007111B2, Relevance: 1.9, APIs: 1, Instructions: 391COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007111F7, Relevance: 1.9, APIs: 1, Instructions: 382COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711233, Relevance: 1.9, APIs: 1, Instructions: 377COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711278, Relevance: 1.9, APIs: 1, Instructions: 368COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007112B4, Relevance: 1.9, APIs: 1, Instructions: 363COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007112F9, Relevance: 1.9, APIs: 1, Instructions: 356COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711354, Relevance: 1.8, APIs: 1, Instructions: 345COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711399, Relevance: 1.8, APIs: 1, Instructions: 338COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007113DE, Relevance: 1.8, APIs: 1, Instructions: 331COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711426, Relevance: 1.8, APIs: 1, Instructions: 322COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711462, Relevance: 1.8, APIs: 1, Instructions: 317COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007114AA, Relevance: 1.8, APIs: 1, Instructions: 310COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007114F2, Relevance: 1.8, APIs: 1, Instructions: 301COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0071152E, Relevance: 1.8, APIs: 1, Instructions: 296COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711576, Relevance: 1.8, APIs: 1, Instructions: 287COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007115B2, Relevance: 1.8, APIs: 1, Instructions: 282COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007115FA, Relevance: 1.8, APIs: 1, Instructions: 275COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711642, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0071168A, Relevance: 1.8, APIs: 1, Instructions: 261COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007116D2, Relevance: 1.8, APIs: 1, Instructions: 254COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0071171A, Relevance: 1.7, APIs: 1, Instructions: 247COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711762, Relevance: 1.7, APIs: 1, Instructions: 240COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007117AA, Relevance: 1.7, APIs: 1, Instructions: 233COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007117F2, Relevance: 1.7, APIs: 1, Instructions: 226COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0071183A, Relevance: 1.7, APIs: 1, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711882, Relevance: 1.7, APIs: 1, Instructions: 210COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007118BE, Relevance: 1.7, APIs: 1, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711906, Relevance: 1.7, APIs: 1, Instructions: 198COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0071194E, Relevance: 1.7, APIs: 1, Instructions: 191COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711996, Relevance: 1.7, APIs: 1, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007119DE, Relevance: 1.7, APIs: 1, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00711A26, Relevance: 1.7, APIs: 1, Instructions: 170COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008C00F8, Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008C01E0, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
| C-Code - Quality: 74% |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004067FE, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 27% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
Download Yara Rule
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 95% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |