Edit tour
Windows
Analysis Report
zRZljp49Uz
Overview
General Information
| Sample Name: | zRZljp49Uz (renamed file extension from none to exe) |
| Analysis ID: | 650286 |
| MD5: | 0cfa58846e43dd67b6d9f29e97f6c53e |
| SHA1: | 19d9fbfd9b23d4bd435746a524443f1a962d42fa |
| SHA256: | 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03 |
| Tags: | exeRaccoonStealerRecordBreaker |
| Infos: | |
 | |
Detection
| Score: | 72 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Uses 32bit PE files
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Program does not show much activity (idle)
IP address seen in connection with other malware
Classification
- System is w10x64
zRZljp49Uz.exe (PID: 7056 cmdline: "C:\Users\ user\Deskt op\zRZljp4 9Uz.exe" MD5: 0CFA58846E43DD67B6D9F29E97F6C53E)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.551.195.166.18449746802036934 06/22/22-12:00:13.668134 |
| SID: | 2036934 |
| Source Port: | 49746 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.551.195.166.18449746802036882 06/22/22-12:00:13.668134 |
| SID: | 2036882 |
| Source Port: | 49746 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira URL Cloud: | ||
| Source: | Code function: | 0_2_00A41806 | |
| Source: | Code function: | 0_2_00A41726 | |
| Source: | Code function: | 0_2_00A417A1 | |
| Source: | Code function: | 0_2_00A4617D | |
| Source: | Code function: | 0_2_00A43244 | |
| Source: | Code function: | 0_2_00A427C6 | |
| Source: | Code function: | 0_2_00A42CC6 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00A41E26 | |
| Source: | Code function: | 0_2_00A4AF2C | |
| Source: | Code function: | 0_2_00A4643A | |
| Source: | Code function: | 0_2_00A41B13 | |
| Source: | Code function: | 0_2_00A4B29D | |
| Source: | Code function: | 0_2_00A43C9D | |
| Source: | Code function: | 0_2_00A439E5 | |
| Source: | Code function: | 0_2_00A49DEA | |
| Source: | Code function: | 0_2_00A45870 | |
| Source: | Code function: | 0_2_00A4197C | |
| Source: | Code function: | 0_2_00A46053 | |
| Source: | Code function: | 0_2_00A45D00 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Code function: | 0_2_00A479F3 | |
| Source: | Static PE information: | ||
| Source: | Code function: | ||
| Source: | Virustotal: | ||
| Source: | Metadefender: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00A4A2D7 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00A41000 | |
| Source: | Code function: | 0_2_00A41000 | |
| Source: | Check user administrative privileges: | graph_0-4226 | ||
| Source: | API coverage: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00A49188 | |
| Source: | Code function: | 0_2_00A41E26 | |
| Source: | Code function: | 0_2_00A4AF2C | |
| Source: | Code function: | 0_2_00A4643A | |
| Source: | Code function: | 0_2_00A41B13 | |
| Source: | Code function: | 0_2_00A4B29D | |
| Source: | Code function: | 0_2_00A43C9D | |
| Source: | Code function: | 0_2_00A439E5 | |
| Source: | Code function: | 0_2_00A49DEA | |
| Source: | Code function: | 0_2_00A45870 | |
| Source: | Code function: | 0_2_00A4197C | |
| Source: | Code function: | 0_2_00A46053 | |
| Source: | API call chain: | graph_0-3740 | ||
| Source: | Code function: | 0_2_00A45D00 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00A41000 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00A48F1D | |
| Source: | Code function: | 0_2_00A49188 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00A49055 | |
| Source: | Code function: | 0_2_00A4A798 | |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Native API | Path Interception | Path Interception | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 74% | Virustotal | Browse | ||
| 29% | Metadefender | Browse | ||
| 88% | ReversingLabs | Win32.Infostealer.Coins | ||
| 100% | Avira | HEUR/AGEN.1234185 |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1234185 | Download File | ||
| 100% | Avira | HEUR/AGEN.1234185 | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 4% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 51.195.166.184 | unknown | France | 16276 | OVHFR | true |
| Joe Sandbox Version: | 35.0.0 Citrine |
| Analysis ID: | 650286 |
| Start date and time: 22/06/202211:59:07 | 2022-06-22 11:59:07 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 2m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | zRZljp49Uz (renamed file extension from none to exe) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal72.winEXE@1/0@0/1 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
- Excluded IPs from analysis (whitelisted): 20.82.210.154
- Excluded domains from analysis (whitelisted): store-images.s-microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 51.195.166.184 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| OVHFR | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.3513101497739335 |
| TrID: |
|
| File name: | zRZljp49Uz.exe |
| File size: | 56832 |
| MD5: | 0cfa58846e43dd67b6d9f29e97f6c53e |
| SHA1: | 19d9fbfd9b23d4bd435746a524443f1a962d42fa |
| SHA256: | 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03 |
| SHA512: | 263bb15955a86788d3006f4d3fdeabe6fed1291b6c6e60471ffdb59626755a81d1ffbafc58fe13c0633cb67f3f1d9a3ec92046b6d85eba56e56cd1c252ea4ea0 |
| SSDEEP: | 1536:qzwshK8pUMGxo0xwwW9VemFMGfpbbVDzANyCa:wwshK8yMexbW9vJVDzANs |
| TLSH: | 1B4307814885EC73C15248B4278D752FDBDEDC022A20F1CBB736F7D746E618249AA39B |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g~..............m.......m.......m..............#s......#s......Rich............................PE..L......b................... |
 | |
| Icon Hash: | 00828e8e8686b000 |
| Entrypoint: | 0x407486 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x628F8781 [Thu May 26 13:58:25 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 4ec5227a81c3e90d891321c143c67557 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 000000E4h |
| push ebx |
| push esi |
| push edi |
| call 00007F1420F4962Eh |
| call 00007F1420F4C65Fh |
| push 00000000h |
| call dword ptr [0040E068h] |
| and dword ptr [ebp-04h], 00000000h |
| mov esi, 0040D43Ch |
| mov ecx, esi |
| call 00007F1420F52BABh |
| mov dword ptr [ebp-10h], eax |
| mov ecx, 0040D460h |
| lea eax, dword ptr [ebp-04h] |
| push esi |
| push eax |
| call 00007F1420F52CD1h |
| lea edx, dword ptr [ebp-04h] |
| mov ecx, eax |
| call 00007F1420F49DFBh |
| mov ebx, 0040EC98h |
| push eax |
| mov ecx, ebx |
| call 00007F1420F50D2Eh |
| mov edi, eax |
| mov ecx, 0040D4A8h |
| lea eax, dword ptr [ebp-04h] |
| push esi |
| push eax |
| call 00007F1420F52CA9h |
| lea edx, dword ptr [ebp-04h] |
| mov ecx, eax |
| call 00007F1420F49DD3h |
| push eax |
| mov ecx, ebx |
| call 00007F1420F50D0Bh |
| mov esi, eax |
| mov ecx, 0040D4F0h |
| lea eax, dword ptr [ebp-04h] |
| push 0040D43Ch |
| push eax |
| call 00007F1420F52C82h |
| lea edx, dword ptr [ebp-04h] |
| mov ecx, eax |
| call 00007F1420F49DACh |
| push eax |
| mov ecx, ebx |
| call 00007F1420F50CE4h |
| mov dword ptr [ebp-34h], esi |
| mov ecx, 0040D538h |
| mov dword ptr [ebp-30h], eax |
| mov esi, 0040D43Ch |
| lea eax, dword ptr [ebp-04h] |
| mov dword ptr [ebp-38h], edi |
| push esi |
| push eax |
| call 00007F1420F52C53h |
| lea edx, dword ptr [ebp-04h] |
| mov ecx, eax |
| call 00007F1420F49D7Dh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd8bc | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x148c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd790 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x30 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xa615 | 0xa800 | False | 0.45175316220238093 | data | 6.037478061501936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xc000 | 0x19ba | 0x1a00 | False | 0.5072115384615384 | data | 5.271640666045761 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xe000 | 0x14c0 | 0x200 | False | 0.03125 | ISO-8859 text, with no line terminators | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x10000 | 0x148c | 0x1600 | False | 0.7867542613636364 | data | 6.654962728887089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | lstrcpynA, GetUserDefaultLCID, GetSystemInfo, LocalFree, FreeLibrary, GetProcAddress, LoadLibraryW |
| ADVAPI32.dll | GetUserNameW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.551.195.166.18449746802036934 06/22/22-12:00:13.668134 | TCP | 2036934 | ET TROJAN Win32/RecordBreaker CnC Checkin | 49746 | 80 | 192.168.2.5 | 51.195.166.184 |
| 192.168.2.551.195.166.18449746802036882 06/22/22-12:00:13.668134 | TCP | 2036882 | ET TROJAN Generic Stealer Config Download Request | 49746 | 80 | 192.168.2.5 | 51.195.166.184 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 22, 2022 12:00:13.637087107 CEST | 49746 | 80 | 192.168.2.5 | 51.195.166.184 |
| Jun 22, 2022 12:00:13.667448997 CEST | 80 | 49746 | 51.195.166.184 | 192.168.2.5 |
| Jun 22, 2022 12:00:13.667654037 CEST | 49746 | 80 | 192.168.2.5 | 51.195.166.184 |
| Jun 22, 2022 12:00:13.668133974 CEST | 49746 | 80 | 192.168.2.5 | 51.195.166.184 |
| Jun 22, 2022 12:00:13.698446035 CEST | 80 | 49746 | 51.195.166.184 | 192.168.2.5 |
| Jun 22, 2022 12:00:13.733907938 CEST | 80 | 49746 | 51.195.166.184 | 192.168.2.5 |
| Jun 22, 2022 12:00:13.734102011 CEST | 49746 | 80 | 192.168.2.5 | 51.195.166.184 |
| Jun 22, 2022 12:00:14.151949883 CEST | 49746 | 80 | 192.168.2.5 | 51.195.166.184 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49746 | 51.195.166.184 | 80 | C:\Users\user\Desktop\zRZljp49Uz.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Jun 22, 2022 12:00:13.668133974 CEST | 399 | OUT | |
| Jun 22, 2022 12:00:13.733907938 CEST | 400 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 12:00:10 |
| Start date: | 22/06/2022 |
| Path: | C:\Users\user\Desktop\zRZljp49Uz.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa40000 |
| File size: | 56832 bytes |
| MD5 hash: | 0CFA58846E43DD67B6D9F29E97F6C53E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
Execution Graph
| Execution Coverage: | 15.7% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 3.1% |
| Total number of Nodes: | 549 |
| Total number of Limit Nodes: | 1 |
Graph
Callgraph
Function 00A41000 Relevance: 219.3, APIs: 19, Strings: 106, Instructions: 509libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A479F3 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 232networkmemoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 27% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A41806 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49memoryencryptionCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 27% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4A798 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A47486 Relevance: 72.2, APIs: 33, Strings: 8, Instructions: 440synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 36% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4A720 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42registryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 68% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4A323 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 40memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4A59A Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 28memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 58% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4839B Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 16memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 86% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4A5DB Relevance: 3.8, APIs: 3, Instructions: 38stringCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 79% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A41E26 Relevance: 76.1, APIs: 37, Strings: 6, Instructions: 812stringCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 51% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A427C6 Relevance: 47.7, APIs: 22, Strings: 5, Instructions: 419fileCOMMON
Download Yara Rule
| C-Code - Quality: 15% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A42CC6 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 440filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A43244 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 437fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 39% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4643A Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 321stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4B29D Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 275fileCOMMON
Download Yara Rule
| C-Code - Quality: 25% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A43C9D Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 255memoryCOMMON
Download Yara Rule
| C-Code - Quality: 41% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A439E5 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 223fileCOMMON
Download Yara Rule
| C-Code - Quality: 30% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 26% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 49% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A41B13 Relevance: 7.6, APIs: 5, Instructions: 124COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A48F1D Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A46053 Relevance: 4.6, APIs: 3, Instructions: 103COMMON
Download Yara Rule
| C-Code - Quality: 48% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A41726 Relevance: 4.6, APIs: 3, Instructions: 53COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A49055 Relevance: 4.5, APIs: 3, Instructions: 39timeCOMMON
Download Yara Rule
| C-Code - Quality: 62% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4A2D7 Relevance: 1.3, Strings: 1, Instructions: 28COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A417A1 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A47C6B Relevance: 60.0, APIs: 28, Strings: 6, Instructions: 474networkstringfileCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 50% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 36% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A46A3B Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 419fileCOMMON
Download Yara Rule
| C-Code - Quality: 19% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A470DE Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 315memoryCOMMON
Download Yara Rule
| C-Code - Quality: 51% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A49436 Relevance: 42.3, APIs: 19, Strings: 5, Instructions: 309registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A483CE Relevance: 31.7, APIs: 18, Strings: 3, Instructions: 247memoryCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 26% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A49A8E Relevance: 30.3, APIs: 24, Instructions: 303COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A46809 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 187filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A48996 Relevance: 18.4, APIs: 12, Instructions: 387fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A497BB Relevance: 16.5, APIs: 13, Instructions: 263COMMON
Download Yara Rule
| C-Code - Quality: 21% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 18% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A48218 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 134stringnetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A46F2A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 145fileCOMMON
Download Yara Rule
| C-Code - Quality: 19% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4376E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 200fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4ACFE Relevance: 7.7, APIs: 6, Instructions: 190COMMON
Download Yara Rule
| C-Code - Quality: 21% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4A383 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 117memoryCOMMON
Download Yara Rule
| C-Code - Quality: 52% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A43FAB Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |