Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	789744
MD5:	56aa80bac2e533ee3332e29ed33a144c
SHA1:	72e9c9b07b5dbfe3a7fa8a2fb2f4df1526cc5a67
SHA256:	6d8503cf760a86e245dde67d8ba7e338806cb0eef0d94c1904cbf84ec9e4e96e
Tags:	NETexeMSIL
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 4860 cmdline: C:\Users\user\Desktop\file.exe MD5: 56AA80BAC2E533EE3332E29ED33A144C)

file.exe (PID: 5048 cmdline: C:\Users\user\Desktop\file.exe MD5: 56AA80BAC2E533EE3332E29ED33A144C)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 4860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 5048	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: file.exe PID: 5048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 69%
Source: file.exe	Virustotal: Detection: 71%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: 1.2.file.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.4:49695 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

May check the online IP address of the machine

Source: C:\Users\user\Desktop\file.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View

IP Address: 64.185.227.155 64.185.227.155

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.4:49696 -> 185.118.171.10:587

Source: global traffic

TCP traffic: 192.168.2.4:49696 -> 185.118.171.10:587

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695

Source: file.exe, 00000001.00000002.580691613.0000000006553000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.000000000654B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.550223240.0000000006558000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.0000000006546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: file.exe, 00000001.00000002.580557481.0000000006520000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.580691613.0000000006553000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.000000000654B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.550223240.0000000006558000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe, 00000001.00000002.580691613.0000000006553000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.000000000654B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.550223240.0000000006558000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.panservis.rs
Source: file.exe, 00000001.00000002.580557481.0000000006520000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.580691613.0000000006553000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.000000000654B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.550223240.0000000006558000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.0000000006546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://panservis.rs
Source: file.exe, 00000001.00000002.576651714.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000001.00000002.576651714.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: file.exe, 00000001.00000002.576651714.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: file.exe, 00000001.00000002.580691613.0000000006553000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.000000000654B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.550223240.0000000006558000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.4:49695 version: TLS 1.2

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028EC93C	0_2_028EC93C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028EF3D8	0_2_028EF3D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028EF3D6	0_2_028EF3D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05105408	0_2_05105408
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0510960A	0_2_0510960A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_05109DC0	1_2_05109DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0510C998	1_2_0510C998
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0510A9D8	1_2_0510A9D8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0510A108	1_2_0510A108
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_067F5228	1_2_067F5228
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_067FB7A8	1_2_067FB7A8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_067F61F8	1_2_067F61F8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_067F87B8	1_2_067F87B8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0699F498	1_2_0699F498
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0699A1F4	1_2_0699A1F4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0699EB18	1_2_0699EB18

Source: file.exe, 00000000.00000000.310854296.00000000007EA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDGCe.exeB vs file.exe
Source: file.exe, 00000000.00000002.324705992.0000000003D85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs file.exe
Source: file.exe, 00000000.00000002.324705992.0000000004069000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs file.exe
Source: file.exe, 00000000.00000002.332311683.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs file.exe
Source: file.exe, 00000000.00000002.320656667.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTigra.dll. vs file.exe
Source: file.exe, 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs file.exe
Source: file.exe, 00000001.00000002.575763583.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs file.exe
Source: file.exe, 00000001.00000002.575948942.0000000000D59000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameDGCe.exeB vs file.exe

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	ReversingLabs: Detection: 69%
Source: file.exe	Virustotal: Detection: 71%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@5/3

Source: file.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.file.exe.740000.0.unpack, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_067FA44F push es; ret		1_2_067FA460
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_067FA0B4 pushad ; retf 06CCh		1_2_067FB5F5

Source: file.exe

Static PE information: 0xA0EB22FE [Wed Jul 21 06:34:38 2055 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.434153888262794

Source: C:\Users\user\Desktop\file.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4860, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: file.exe, 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\file.exe TID: 4624	Thread sleep time: -37665s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5336	Thread sleep count: 4415 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -99843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -99729s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -99610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -99488s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98445s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -98083s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -97797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 4415

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 37665	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 99843	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 99729	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 99488	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98670	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98445	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 98083	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: file.exe, 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: file.exe, 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: file.exe, 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: file.exe, 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0510F6F0 GetUserNameW,

1_2_0510F6F0

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5048, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5048, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5048, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Account Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	1 Credentials in Registry	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	13 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	211 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	69%	ReversingLabs	Win32.Trojan.Leonem
file.exe	71%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.file.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
panservis.rs	0%	Virustotal		Browse
mail.panservis.rs	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://mail.panservis.rs	0%	Virustotal		Browse
http://panservis.rs	0%	Virustotal		Browse
http://mail.panservis.rs	0%	Avira URL Cloud	safe
http://panservis.rs	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
panservis.rs	185.118.171.10	true	false	0%, Virustotal, Browse	unknown
api4.ipify.org	64.185.227.155	true	false		high
api.ipify.org	unknown	unknown	false		high
mail.panservis.rs	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	file.exe, 00000001.00000002.576651714.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	file.exe, 00000001.00000002.580691613.0000000006553000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.551500451.000000000654B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.550223240.0000000006558000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.panservis.rs	file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000001.00000002.576651714.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://panservis.rs	file.exe, 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.118.171.10	panservis.rs	Serbia		203877	ASTRATELEKOMRS	false
64.185.227.155	api4.ipify.org	United States		18450	WEBNXUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	789744
Start date and time:	2023-01-23 14:52:29 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@5/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 39 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:53:29	API Interceptor	20x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.118.171.10	4dxXH2RAM2.exe	Get hash	malicious	Browse
185.118.171.10	file.exe	Get hash	malicious	Browse
64.185.227.155	file.exe	Get hash	malicious	Browse	api.ipify.org/?format=wef
64.185.227.155	48PTRR4pVY.exe	Get hash	malicious	Browse	api.ipify.org/?format=qwd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api4.ipify.org	file.exe	Get hash	malicious	Browse	64.185.227.155
	message.html	Get hash	malicious	Browse	64.185.227.155
	NEW OFER LIST 2023_01_23.exe	Get hash	malicious	Browse	64.185.227.155
	profoma invoice.exe	Get hash	malicious	Browse	64.185.227.155
	KPCPU-231.exe	Get hash	malicious	Browse	64.185.227.155
	message.html	Get hash	malicious	Browse	64.185.227.155
	Pagamento jpg.exe	Get hash	malicious	Browse	64.185.227.155
	DHL Express Shipment Documents.exe	Get hash	malicious	Browse	64.185.227.155
	Orden de compra_PDF.GZ.exe	Get hash	malicious	Browse	64.185.227.155
	PI_NBI-2230123(MECH)_pdf.exe	Get hash	malicious	Browse	64.185.227.155
	SOA.exe	Get hash	malicious	Browse	64.185.227.155
	QUOTATION.exe	Get hash	malicious	Browse	64.185.227.155
	AWB 907853880911 PRE-ALRET.xls	Get hash	malicious	Browse	64.185.227.155
	Contract Analysis 20230119216.xls	Get hash	malicious	Browse	64.185.227.155
	Maerskline shipping Doc..exe	Get hash	malicious	Browse	64.185.227.155
	Halkbank_Ekstre_20230120_08.pdf.exe	Get hash	malicious	Browse	64.185.227.155
	5x4TtmkPxl.exe	Get hash	malicious	Browse	64.185.227.155
	e-dekont-20230120-.exe	Get hash	malicious	Browse	64.185.227.155
	DHL56789341SHIPMENT.exe	Get hash	malicious	Browse	64.185.227.155
	DHL Validation.exe	Get hash	malicious	Browse	64.185.227.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASTRATELEKOMRS	4dxXH2RAM2.exe	Get hash	malicious	Browse	185.118.171.10
	file.exe	Get hash	malicious	Browse	185.118.171.10
	eyjlIAxLom.elf	Get hash	malicious	Browse	109.94.117.186
	z8QWD02El3.elf	Get hash	malicious	Browse	85.202.112.208
	apep.x86	Get hash	malicious	Browse	109.94.117.187
	mkRkjGXjDJ	Get hash	malicious	Browse	62.241.1.210
	dark.arm6	Get hash	malicious	Browse	62.240.15.200
WEBNXUS	file.exe	Get hash	malicious	Browse	64.185.227.155
	message.html	Get hash	malicious	Browse	64.185.227.155
	NEW OFER LIST 2023_01_23.exe	Get hash	malicious	Browse	64.185.227.155
	profoma invoice.exe	Get hash	malicious	Browse	64.185.227.155
	KPCPU-231.exe	Get hash	malicious	Browse	64.185.227.155
	message.html	Get hash	malicious	Browse	64.185.227.155
	Pagamento jpg.exe	Get hash	malicious	Browse	64.185.227.155
	DHL Express Shipment Documents.exe	Get hash	malicious	Browse	64.185.227.155
	Orden de compra_PDF.GZ.exe	Get hash	malicious	Browse	64.185.227.155
	PI_NBI-2230123(MECH)_pdf.exe	Get hash	malicious	Browse	64.185.227.155
	https://file10.gofile.io/download/f64c8d71-6572-43c5-94ad-c5b224d8fbe6/Lucia%20Javorcekova.zip	Get hash	malicious	Browse	67.220.228.201
	SOA.exe	Get hash	malicious	Browse	64.185.227.155
	QUOTATION.exe	Get hash	malicious	Browse	64.185.227.155
	AWB 907853880911 PRE-ALRET.xls	Get hash	malicious	Browse	64.185.227.155
	Contract Analysis 20230119216.xls	Get hash	malicious	Browse	64.185.227.155
	Maerskline shipping Doc..exe	Get hash	malicious	Browse	64.185.227.155
	Halkbank_Ekstre_20230120_08.pdf.exe	Get hash	malicious	Browse	64.185.227.155
	e-dekont-20230120-.exe	Get hash	malicious	Browse	64.185.227.155
	DHL56789341SHIPMENT.exe	Get hash	malicious	Browse	64.185.227.155
	DHL Validation.exe	Get hash	malicious	Browse	64.185.227.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Browse	64.185.227.155
	Shipping Details_PDF.exe	Get hash	malicious	Browse	64.185.227.155
	NEW OFER LIST 2023_01_23.exe	Get hash	malicious	Browse	64.185.227.155
	ac36e4bd21762b111edf4758873dfb1697462e7b08f19.exe	Get hash	malicious	Browse	64.185.227.155
	shipping document PL&BL draft.exe	Get hash	malicious	Browse	64.185.227.155
	PO.exe	Get hash	malicious	Browse	64.185.227.155
	Purchase order.exe	Get hash	malicious	Browse	64.185.227.155
	profoma invoice.exe	Get hash	malicious	Browse	64.185.227.155
	KPCPU-231.exe	Get hash	malicious	Browse	64.185.227.155
	file.exe	Get hash	malicious	Browse	64.185.227.155
	Pagamento jpg.exe	Get hash	malicious	Browse	64.185.227.155
	DHL Express Shipment Documents.exe	Get hash	malicious	Browse	64.185.227.155
	Fatura_SUN2023000001661,pdf.exe	Get hash	malicious	Browse	64.185.227.155
	Orden de compra_PDF.GZ.exe	Get hash	malicious	Browse	64.185.227.155
	PI_NBI-2230123(MECH)_pdf.exe	Get hash	malicious	Browse	64.185.227.155
	Masters breakdown.exe	Get hash	malicious	Browse	64.185.227.155
	HEUR-Trojan.Win32.Crypt.gen-cd53d44c68b4b58f8.exe	Get hash	malicious	Browse	64.185.227.155
	file.exe	Get hash	malicious	Browse	64.185.227.155
	SOA.exe	Get hash	malicious	Browse	64.185.227.155
	file.exe	Get hash	malicious	Browse	64.185.227.155

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.427802610080807
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	683520
MD5:	56aa80bac2e533ee3332e29ed33a144c
SHA1:	72e9c9b07b5dbfe3a7fa8a2fb2f4df1526cc5a67
SHA256:	6d8503cf760a86e245dde67d8ba7e338806cb0eef0d94c1904cbf84ec9e4e96e
SHA512:	d115007801110a5a7918ee14433324c1613422d58be0a0218c0557d1347ce9424a5511b828c744371bc28ec719e4e83fffef76b08b7eaefe1292f30f132e74a5
SSDEEP:	12288:60mTl0nu0bmfMwrEHjPW8ObRYb/XTYD6t1JpRiD+coYx:tmTl03AQObRYbXTY67JR1Yx
TLSH:	FEE45A415A7B87E2E4F94E78163CA51827A51CD147ACA13EBD867DBE8CE730F0095B23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."................0..f............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4a849e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA0EB22FE [Wed Jul 21 06:34:38 2055 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa844c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa8430	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa64a4	0xa6600	False	0.7228264697595793	data	7.434153888262794	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x398	0x400	False	0.3828125	data	2.9191344780314394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xaa058	0x33c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2023 14:53:32.772443056 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:32.772521019 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:32.772697926 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:32.823849916 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:32.823899031 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:33.143074989 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:33.143163919 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:33.151318073 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:33.151354074 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:33.151798964 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:33.199031115 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:33.433315992 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:33.433403969 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:33.532294035 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:33.532406092 CET	443	49695	64.185.227.155	192.168.2.4
Jan 23, 2023 14:53:33.532484055 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:33.533828974 CET	49695	443	192.168.2.4	64.185.227.155
Jan 23, 2023 14:53:39.917479992 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:39.953246117 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:39.953380108 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.076312065 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.077370882 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.113017082 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.114219904 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.152295113 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.154000998 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.196729898 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.196804047 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.196855068 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.196897984 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.196983099 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.197041035 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.198914051 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.246535063 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.282092094 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.320163012 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.328334093 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.363831043 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.377609015 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.413551092 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.414155006 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.458043098 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.469099998 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.504760027 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.505122900 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.583677053 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.704057932 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.704616070 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.740060091 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.740117073 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.742136002 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.742223024 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.742269039 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.742314100 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:53:40.777635098 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.777672052 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.777945995 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.900851965 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:53:40.949641943 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:55:18.747687101 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:55:18.826915979 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:55:19.031011105 CET	587	49696	185.118.171.10	192.168.2.4
Jan 23, 2023 14:55:19.074013948 CET	49696	587	192.168.2.4	185.118.171.10
Jan 23, 2023 14:55:19.749358892 CET	49696	587	192.168.2.4	185.118.171.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2023 14:53:32.713038921 CET	56572	53	192.168.2.4	8.8.8.8
Jan 23, 2023 14:53:32.732079983 CET	53	56572	8.8.8.8	192.168.2.4
Jan 23, 2023 14:53:32.740856886 CET	50911	53	192.168.2.4	8.8.8.8
Jan 23, 2023 14:53:32.759876966 CET	53	50911	8.8.8.8	192.168.2.4
Jan 23, 2023 14:53:38.716109037 CET	59683	53	192.168.2.4	8.8.8.8
Jan 23, 2023 14:53:39.723031044 CET	59683	53	192.168.2.4	8.8.8.8
Jan 23, 2023 14:53:39.798808098 CET	53	59683	8.8.8.8	192.168.2.4
Jan 23, 2023 14:53:39.826925039 CET	53	59683	8.8.8.8	192.168.2.4
Jan 23, 2023 14:53:39.837939024 CET	64167	53	192.168.2.4	8.8.8.8
Jan 23, 2023 14:53:39.915606976 CET	53	64167	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 23, 2023 14:53:39.827115059 CET	192.168.2.4	8.8.8.8	d013	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 23, 2023 14:53:32.713038921 CET	192.168.2.4	8.8.8.8	0xbdb1	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:32.740856886 CET	192.168.2.4	8.8.8.8	0xda57	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:38.716109037 CET	192.168.2.4	8.8.8.8	0x231a	Standard query (0)	mail.panservis.rs	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:39.723031044 CET	192.168.2.4	8.8.8.8	0x231a	Standard query (0)	mail.panservis.rs	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:39.837939024 CET	192.168.2.4	8.8.8.8	0xbe40	Standard query (0)	mail.panservis.rs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 23, 2023 14:53:32.732079983 CET	8.8.8.8	192.168.2.4	0xbdb1	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2023 14:53:32.732079983 CET	8.8.8.8	192.168.2.4	0xbdb1	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:32.732079983 CET	8.8.8.8	192.168.2.4	0xbdb1	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:32.732079983 CET	8.8.8.8	192.168.2.4	0xbdb1	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:32.759876966 CET	8.8.8.8	192.168.2.4	0xda57	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2023 14:53:32.759876966 CET	8.8.8.8	192.168.2.4	0xda57	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:32.759876966 CET	8.8.8.8	192.168.2.4	0xda57	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:32.759876966 CET	8.8.8.8	192.168.2.4	0xda57	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:39.798808098 CET	8.8.8.8	192.168.2.4	0x231a	No error (0)	mail.panservis.rs	panservis.rs		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2023 14:53:39.798808098 CET	8.8.8.8	192.168.2.4	0x231a	No error (0)	panservis.rs		185.118.171.10	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:39.826925039 CET	8.8.8.8	192.168.2.4	0x231a	No error (0)	mail.panservis.rs	panservis.rs		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2023 14:53:39.826925039 CET	8.8.8.8	192.168.2.4	0x231a	No error (0)	panservis.rs		185.118.171.10	A (IP address)	IN (0x0001)	false
Jan 23, 2023 14:53:39.915606976 CET	8.8.8.8	192.168.2.4	0xbe40	No error (0)	mail.panservis.rs	panservis.rs		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2023 14:53:39.915606976 CET	8.8.8.8	192.168.2.4	0xbe40	No error (0)	panservis.rs		185.118.171.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49695	64.185.227.155	443	C:\Users\user\Desktop\file.exe

Timestamp	Direction	Data
2023-01-23 13:53:33 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2023-01-23 13:53:33 UTC	IN	HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Content-Length: 14 Content-Type: text/plain Date: Mon, 23 Jan 2023 13:53:33 GMT Vary: Origin Connection: close
2023-01-23 13:53:33 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 Data Ascii: 102.129.143.10

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 23, 2023 14:53:40.076312065 CET	587	49696	185.118.171.10	192.168.2.4	220-cp1.astratelekom.com ESMTP Exim 4.95 #2 Mon, 23 Jan 2023 14:53:40 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 23, 2023 14:53:40.077370882 CET	49696	587	192.168.2.4	185.118.171.10	EHLO 888683
Jan 23, 2023 14:53:40.113017082 CET	587	49696	185.118.171.10	192.168.2.4	250-cp1.astratelekom.com Hello 888683 [102.129.143.10] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 23, 2023 14:53:40.114219904 CET	49696	587	192.168.2.4	185.118.171.10	STARTTLS
Jan 23, 2023 14:53:40.152295113 CET	587	49696	185.118.171.10	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	14:53:26
Start date:	23/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x740000
File size:	683520 bytes
MD5 hash:	56AA80BAC2E533EE3332E29ED33A144C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.320656667.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	14:53:30
Start date:	23/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x910000
File size:	683520 bytes
MD5 hash:	56AA80BAC2E533EE3332E29ED33A144C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.576651714.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	116
Total number of Limit Nodes:	5

Executed Functions

Function 05105408 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.330935253.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9505c3a3c182d3b88b6f5bb95b75c0f610b83bcb1feb136b6628826e7331fe38
Instruction ID: 5b8b5036df18001dbc4ecf234be1a380c5c6c3869c1111449de5f6671c4b0cd7
Opcode Fuzzy Hash: 9505c3a3c182d3b88b6f5bb95b75c0f610b83bcb1feb136b6628826e7331fe38
Instruction Fuzzy Hash: BDE1F674E01219CFDB14DFA9C894B9DBBB2FF89300F2081A9D509AB355DB70A985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 028EA208 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028EA44E

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4a58e96e7d00e66be3c77f56fc4dd7d991d1c99ecea6ea89b3fd83aa79663993
Instruction ID: bb7a7267913d5fa89c4583f26b3cfd9cb48637a33e993316e174970b7598c7a2
Opcode Fuzzy Hash: 4a58e96e7d00e66be3c77f56fc4dd7d991d1c99ecea6ea89b3fd83aa79663993
Instruction Fuzzy Hash: 11713478A00B058FDB24DF6AC04075ABBF1BF89714F108A2AD45AD7B50DB75E806CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05100E38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05100F4A

Memory Dump Source

Source File: 00000000.00000002.330935253.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6d314caa4f640bc44703f4f1e474af43b4adad6a05bb3a1761b603ef2c150582
Instruction ID: 39441df130e99efb63af3e9237d912d1412630eecabf363b6d58c39c0eb99356
Opcode Fuzzy Hash: 6d314caa4f640bc44703f4f1e474af43b4adad6a05bb3a1761b603ef2c150582
Instruction Fuzzy Hash: 0341B2B1D00309DFDF14DF9AC884ADEBBB5BF48310F64812AE819AB250D7B49985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 028E565C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028E5719

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 191fe031a25d7a1f887a304757cb3c4c71c638f9b7f9d823b880c59a7d654417
Instruction ID: bff3e86b7c3a9b6ce527a49790881ab2d80050fafbdc47de6302478ba6108d2f
Opcode Fuzzy Hash: 191fe031a25d7a1f887a304757cb3c4c71c638f9b7f9d823b880c59a7d654417
Instruction Fuzzy Hash: 6B41F3B5C00618CFDB24CFA9C885BCDBBB2BF49318F248059D409AB250DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 028E4144 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028E5719

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 21d12d872bc42ab6c1b470544b7c6496179982c7efbfe61744763272fbca9218
Instruction ID: b665be03eba8cc8852e0123a6647d088e57e29bc892b99d65493bfa9271c5699
Opcode Fuzzy Hash: 21d12d872bc42ab6c1b470544b7c6496179982c7efbfe61744763272fbca9218
Instruction Fuzzy Hash: 4B41F2B5C0061CCBDB24DFA9C884B8EBBB6BF59318F648059D409AB251DB786946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 051033F0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 051034B1

Memory Dump Source

Source File: 00000000.00000002.330935253.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_file.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 60ffea8155876e6ea1f92ae874461c846b13bbf36956bef7b07dd7a87e5109d0
Instruction ID: 266e665b6dd502672d323b3b573c3d0b8d4a116fac698d3f17c7732ed5a30b41
Opcode Fuzzy Hash: 60ffea8155876e6ea1f92ae874461c846b13bbf36956bef7b07dd7a87e5109d0
Instruction Fuzzy Hash: 934136B4A003099FDB55CF99C488AAEBBF6FF88314F24C459D519AB361D374A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 028EAA4D Relevance: 1.6, APIs: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028EA4C9,00000800,00000000,00000000), ref: 028EAADA

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4653936e82250c5187ad3b2580a59a435f2c3eb375df8c72b7ffd026708dba28
Instruction ID: 37e8092c54317e4202947866ba6c76d3e3fec1113fd4cdc940bb71b8234d87b5
Opcode Fuzzy Hash: 4653936e82250c5187ad3b2580a59a435f2c3eb375df8c72b7ffd026708dba28
Instruction Fuzzy Hash: 5A219ABAC043498FDB00CFAAC5807DEBBF4EF59314F45815AD45AA7600D3789546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 028EC704 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028ECADE,?,?,?,?,?), ref: 028ECB9F

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 279b4038b6cc58ab2f758f3a0ac92652ef6294a2b8d9c0724096e844a224646a
Instruction ID: 651730a00fad327e3c524e1fa6f3d62ad5fd3b737fc96b8c0bdec8bcb7939c86
Opcode Fuzzy Hash: 279b4038b6cc58ab2f758f3a0ac92652ef6294a2b8d9c0724096e844a224646a
Instruction Fuzzy Hash: 2621E3B5D002089FDB10CFAAD584ADEBBF9EB58324F14845AE955A3310D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 028ECB11 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028ECADE,?,?,?,?,?), ref: 028ECB9F

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b7f6674bef3f793c750088d64432e398cb3b7af74edb288a5c4c3afdd9f0ae86
Instruction ID: cb01e11f7928939330fce373324df2ab213919bc72f355d50b0f0c255d05225f
Opcode Fuzzy Hash: b7f6674bef3f793c750088d64432e398cb3b7af74edb288a5c4c3afdd9f0ae86
Instruction Fuzzy Hash: 2321E4B9D002489FDB10CFAAD584ADEBFF5EB58324F14845AE954A3310D378A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 028E95E0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028EA4C9,00000800,00000000,00000000), ref: 028EAADA

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 25e9a3df395c115db54232ed52ff7906c2297acff0ac69d3221d4e3d775e6b8b
Instruction ID: 8cf32b25c8a86483b0abd07f272805805f4f9d1606408604a229edc2778fa31d
Opcode Fuzzy Hash: 25e9a3df395c115db54232ed52ff7906c2297acff0ac69d3221d4e3d775e6b8b
Instruction Fuzzy Hash: 091147BAD003088FCB14CF9AC544ADEFBF4EB48714F14801AE41AB7200C374A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 028EA3E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028EA44E

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f09620bea85fe6be3753a88c1f22e15db3b17704de366ba5af453f76d51117b7
Instruction ID: cda7265ccc516a03c98340cd6fbb67906df6f108cb1031491f3407b53ee9d916
Opcode Fuzzy Hash: f09620bea85fe6be3753a88c1f22e15db3b17704de366ba5af453f76d51117b7
Instruction Fuzzy Hash: AA1116B9D006098FCB10CF9AC544ADEFBF4EF88328F14C51AD819A7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05101078 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 051010DD

Memory Dump Source

Source File: 00000000.00000002.330935253.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_file.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0251cefe8494c1fca90f6576ed3195e9784f4e01824c2730d7302a39e16f6b9d
Instruction ID: 78dd0639a6211c709edd178b24956b41a58a0a785a54cc6367d30c1162fcea43
Opcode Fuzzy Hash: 0251cefe8494c1fca90f6576ed3195e9784f4e01824c2730d7302a39e16f6b9d
Instruction Fuzzy Hash: 4B1133B58002099FDB10DF9AD585BDEBBF8FB48324F20840AD955B7601C378AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05101080 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 051010DD

Memory Dump Source

Source File: 00000000.00000002.330935253.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_file.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5cdf6c504add5a4da341e3a80b54c81635f7a63108c4554ed89b52b710466482
Instruction ID: 5234f0af46f7901bc1e72ef3b7606de48eb9895fd8a25759c055ce46566c97a2
Opcode Fuzzy Hash: 5cdf6c504add5a4da341e3a80b54c81635f7a63108c4554ed89b52b710466482
Instruction Fuzzy Hash: B31103B58002499FDB10DF9AD584BDEBBF8FB48324F20841AD855A7640C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0284D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320115800.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb76b9baf2f0366cf7db2f376e23da514cff8ca655f76e818e6fb73170f237e8
Instruction ID: 2df8f5b54d4a218c3876d6093ca8090a4931851c24766ba1a603dce8f3e38050
Opcode Fuzzy Hash: fb76b9baf2f0366cf7db2f376e23da514cff8ca655f76e818e6fb73170f237e8
Instruction Fuzzy Hash: D5210A7D504248DFDB15DF14D9C0B26BF65FB8431CF24C569E9098B206CB3AD455CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0285D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320152718.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb5e2ef019b6f0616256f72f8c001a120a902bd89f880c5274a4319e188b9d3
Instruction ID: 183bc4a419c596ada77f910bbce600f07d260065645613b4f5615e3421c2eb0a
Opcode Fuzzy Hash: dcb5e2ef019b6f0616256f72f8c001a120a902bd89f880c5274a4319e188b9d3
Instruction Fuzzy Hash: B221D07D604244DFDB15DF14D9C0B26BBA5EF84328F24C569EC4A8B246C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0285D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320152718.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde47817b09c5b5a80f2ef6511deddc584b034a931b0d0430978bf45d3796360
Instruction ID: 72fc76a37f55e76b93ba336c9c2b85b4967b3e84cc867c71ca8ba36879592d85
Opcode Fuzzy Hash: dde47817b09c5b5a80f2ef6511deddc584b034a931b0d0430978bf45d3796360
Instruction Fuzzy Hash: F12192795093C08FDB12CF24D994B15BF71EF46214F28C6EADC498B657C33A940ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0284D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320115800.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: 1af549b2233a1d3d725c864458c8ed16e5f36e28151accb46270c52a26d28e1c
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: 3D11E67A504284DFCB12CF14D5C4B16BF72FB84328F24C6A9D8494B616C73AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0284D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320115800.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0786db1eef54b16480b834d04b5236189703aa34d3c5c160e7df8edd7aaa4
Instruction ID: 26a9e4511f30eac76e5bc614a61da665161c3248fcbec2740ca06b75f3460d5d
Opcode Fuzzy Hash: 06e0786db1eef54b16480b834d04b5236189703aa34d3c5c160e7df8edd7aaa4
Instruction Fuzzy Hash: 2F01F77D5043889BE7104A25CCC0B66FFD8EF40378F18C55AFD489B242DB789840CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0284D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320115800.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31365228ae55fd868c8ab6ce6611a9acdd35dec45d0590fe6c078336e2db64
Instruction ID: 65f11ac21bb28bb7b54f5c62e406c4660e0f226ddd6bd49342260bb9b008d020
Opcode Fuzzy Hash: 3b31365228ae55fd868c8ab6ce6611a9acdd35dec45d0590fe6c078336e2db64
Instruction Fuzzy Hash: 3AF0F67A4043889FE7108A16CCC4B62FFDCEB80378F18C55AED485F282D7789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0510960A Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.330935253.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fc971fe98503d1e108d802b09fdbd3d505996998c8d217320c2140a320d24d
Instruction ID: 80e5fe991fdca3520e6f2009ba2d575428e0e83601ae09079895ce940e023eb7
Opcode Fuzzy Hash: 91fc971fe98503d1e108d802b09fdbd3d505996998c8d217320c2140a320d24d
Instruction Fuzzy Hash: 8F126F35B04115CFCB18EF69C4A8E6DBBB2BF88760B159169E806DB3A2DB74DC01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 028EF3D8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2553b80d109fc485b901973bfd3c3e4dcdff9dc9c5abc94e5dc4c9f0ca2df2
Instruction ID: 9b2a185a520547e76a535cb81d26762e9d2f3db575c87ed650e1470249370850
Opcode Fuzzy Hash: cc2553b80d109fc485b901973bfd3c3e4dcdff9dc9c5abc94e5dc4c9f0ca2df2
Instruction Fuzzy Hash: 6F12B4F1E1274AEAD710CF65F8881893BB1F745328F906208D2616FAD1D7BC196ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 028EC93C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dae1a43efca9c7e2138629ec7be920fac3d0480b683e05b64716a5ba3a15df3
Instruction ID: f191d267c946991c1f1d81d152460d7a1cd5957fae809491ba868ac0272d4c06
Opcode Fuzzy Hash: 3dae1a43efca9c7e2138629ec7be920fac3d0480b683e05b64716a5ba3a15df3
Instruction Fuzzy Hash: AEA16E7AE002198FCF05DFA9C8445EDBBB2FF86304B15816AE906FB261DB35A955CF40

Uniqueness

Uniqueness Score: -1.00%

Function 028EF3D6 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320364252.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec847ef38a47cbac71301151cedc654c38e4c43482093ed279d08a51b497f54f
Instruction ID: e231cd87fac96327674267656c0440455af6177c517d0948a36eb616aee41701
Opcode Fuzzy Hash: ec847ef38a47cbac71301151cedc654c38e4c43482093ed279d08a51b497f54f
Instruction Fuzzy Hash: F0C126F1E1274AAAD710CF64F8881893BB1FB85328F506308D2616F6D1D7BC186ACF85

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: file.exePID: 5048, Parent PID: 4860COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.5%
Total number of Nodes:	196
Total number of Limit Nodes:	28

Executed Functions

Function 0510F6F0 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0510F82B

Memory Dump Source

Source File: 00000001.00000002.579785019.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5100000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0d8f6819eb761bef58cb898cfb8f1ca5e3cfdc514298fd5ad70cfd2318a0864e
Instruction ID: cf9f31ec9091bee5e08b4b2e74f08ffe2669f089e09cb70cb03482ad1f9a26c2
Opcode Fuzzy Hash: 0d8f6819eb761bef58cb898cfb8f1ca5e3cfdc514298fd5ad70cfd2318a0864e
Instruction Fuzzy Hash: 9D5127B4D002188FDB28CFA9C899BEDBBB1BF48314F14911AD815BB390D7B49845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0699E1D8 Relevance: 1.7, APIs: 1, Instructions: 208
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0699DCC1,00000800,00000000,00000000), ref: 0699E412

Memory Dump Source

Source File: 00000001.00000002.581088801.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6990000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 21fe15bbec4685179b70b17f1b366009594a071b0229fd80cc591a29a6783426
Instruction ID: cf09edee7b291ad015993b59b7015a22e0e1c1ef30e981a0aaf10be0e5af586c
Opcode Fuzzy Hash: 21fe15bbec4685179b70b17f1b366009594a071b0229fd80cc591a29a6783426
Instruction Fuzzy Hash: AA61A170E0020A8BDF64DBADD4807AEB7AAFF89714F604829D419E7791DB34D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 067FBB68 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.580998295.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95dc936c8d17318f8a995d48e6b81c77f9c0740a6eb1497d2fbd98306a88b252
Instruction ID: 84985a87e5f10dfdaedca5341fea4f3ce3c75563bc2ca34d15920b15b1393bbd
Opcode Fuzzy Hash: 95dc936c8d17318f8a995d48e6b81c77f9c0740a6eb1497d2fbd98306a88b252
Instruction Fuzzy Hash: E6416871E103498FCB44CFBAC8546AEBFB5EF85310F14866AD508E7340DB389845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0510F6E4 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0510F82B

Memory Dump Source

Source File: 00000001.00000002.579785019.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5100000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 90206cbc6c032b43843df08fcd238f33f0f8c009cdce0c88141a87522d3e3a13
Instruction ID: 12f5b489122b17044f8d8380962883312d2f64d22d5e4fbd0d2b4c7b386e5c6e
Opcode Fuzzy Hash: 90206cbc6c032b43843df08fcd238f33f0f8c009cdce0c88141a87522d3e3a13
Instruction Fuzzy Hash: F65138B5D002188FDB28CFA9C885BEDBBB1BF48314F14811AD815BB390D7B49845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0510497C Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 051076F7

Memory Dump Source

Source File: 00000001.00000002.579785019.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5100000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e199d674affdd4280b9865eff09a5d88de89a46624f3abacda569a74d11b8a26
Instruction ID: 2f006acb32aac99cfb598becfdc3f0553760517f411837d355998275f14dae4b
Opcode Fuzzy Hash: e199d674affdd4280b9865eff09a5d88de89a46624f3abacda569a74d11b8a26
Instruction Fuzzy Hash: 894148B0D002599FDB14DFA9C9887AEBBF1FB48314F148129D815EB380D7B8A885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05107605 Relevance: 1.6, APIs: 1, Instructions: 96
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 051076F7

Memory Dump Source

Source File: 00000001.00000002.579785019.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5100000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2617c7afc722377a75260f54ba858c5178e2251fb9d3ab966b936fdb8ab10853
Instruction ID: 6ec609751d8f97ae238edad498e8a33f00a3288769cd86c24edf2558d2385e9d
Opcode Fuzzy Hash: 2617c7afc722377a75260f54ba858c5178e2251fb9d3ab966b936fdb8ab10853
Instruction Fuzzy Hash: 8C4147B0D102599FDB14DFA9C9857AEBBF1FB48314F148129D815EB280D7B4A885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06993B18 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06993946,?,?,?,?,?), ref: 06993BA7

Memory Dump Source

Source File: 00000001.00000002.581088801.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6990000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 01b17c318539db804e07fdfa09c05905f6c56f8a3fdea7838c6ad15a2109b437
Instruction ID: 487be5f4012855b39b09ef8d4286b87a9ba2c1231d6e897d20df46cf8b72722f
Opcode Fuzzy Hash: 01b17c318539db804e07fdfa09c05905f6c56f8a3fdea7838c6ad15a2109b437
Instruction Fuzzy Hash: 5A21E5B59002189FDB10CF9AD984ADEBFF9FF58324F24841AE954A3610D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06993524 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06993946,?,?,?,?,?), ref: 06993BA7

Memory Dump Source

Source File: 00000001.00000002.581088801.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6990000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5659c8d6fda0f7611d90ac338a76e16114c94769ee734809cc2c3ebff017a22d
Instruction ID: 576798c184be4ae3a41d02da61eb203ddd911d5db029e50738e1ce86373a6b76
Opcode Fuzzy Hash: 5659c8d6fda0f7611d90ac338a76e16114c94769ee734809cc2c3ebff017a22d
Instruction Fuzzy Hash: 002114B5D006089FDF50CF9AD884AEEBFF8EB48320F14845AE914A3710D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 067FBC38 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,067FBBBA), ref: 067FBCA7

Memory Dump Source

Source File: 00000001.00000002.580998295.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_file.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e0f2ec92ef27ea8a33dfcb3138d46e3590d9ff314387b0a8b68f6d0a08dba808
Instruction ID: 3e9874373ebbdfa1736e1fcfaafbec9579cc635ec4ed3b0a435955a1e9d4c465
Opcode Fuzzy Hash: e0f2ec92ef27ea8a33dfcb3138d46e3590d9ff314387b0a8b68f6d0a08dba808
Instruction Fuzzy Hash: 5F1144B1C006199BCB10CF9AC544BEEFBB8EF48320F10862AD818B7740D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0699E3A0 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0699DCC1,00000800,00000000,00000000), ref: 0699E412

Memory Dump Source

Source File: 00000001.00000002.581088801.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6990000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8aeb6fb5d984acbad3b6bf8d47aa14ee7279aa39a0b29fafa832377a6716a539
Instruction ID: 9269dd2ecd315ffeacfb94f9dedc24a6a851ad20030bfefc5ba02e6c32a3890a
Opcode Fuzzy Hash: 8aeb6fb5d984acbad3b6bf8d47aa14ee7279aa39a0b29fafa832377a6716a539
Instruction Fuzzy Hash: 491133B6C003499FCB10CFAAC844ADEFBF8EF58320F10852AE455A7640C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0699C5CC Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0699DCC1,00000800,00000000,00000000), ref: 0699E412

Memory Dump Source

Source File: 00000001.00000002.581088801.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6990000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e54060691e8229a70631be6a9a2a1e88dd33b89db938a87829561aeca6122627
Instruction ID: 4d21e517c4e443bb977b5e93a8f58bd6048c341db6d6ae8b4f13ad79dd853c40
Opcode Fuzzy Hash: e54060691e8229a70631be6a9a2a1e88dd33b89db938a87829561aeca6122627
Instruction Fuzzy Hash: 981103B6D002489FDF10CF9AC844ADEBBF8EF98324F10842AE415A7600C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067FA760 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,067FBBBA), ref: 067FBCA7

Memory Dump Source

Source File: 00000001.00000002.580998295.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_file.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 32c4dd029b3fe179ecbe317d7dba968dfa07ce87489b284f943f9435ff02684b
Instruction ID: 3cc06dc1ebf50a3529ead4dabb6d71734d67327266d6992d544160e3476d93ff
Opcode Fuzzy Hash: 32c4dd029b3fe179ecbe317d7dba968dfa07ce87489b284f943f9435ff02684b
Instruction Fuzzy Hash: E71103B1C006199BCB10CF9AC544BEEFBB8EB48724F14826AD918B7740D778A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0699D4E9 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0699D1FB), ref: 0699D556

Memory Dump Source

Source File: 00000001.00000002.581088801.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6990000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 912bdd8a84078286bd8de9a8bdac04859ca7a77fa8e2c0f6f4f5938274d12f9b
Instruction ID: 62e66d45d86be9c1b642768d864fbcd575ac4b7da77ecb1c95d8a18faef1a7f0
Opcode Fuzzy Hash: 912bdd8a84078286bd8de9a8bdac04859ca7a77fa8e2c0f6f4f5938274d12f9b
Instruction Fuzzy Hash: FF1123B6C006498FCB10CF9AC484ADEFFF8EF48224F20851AD469B7600C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0699C504 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0699D1FB), ref: 0699D556

Memory Dump Source

Source File: 00000001.00000002.581088801.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6990000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7f5e33d9348435b1084691201b4ce622635b75a9bbe4005fdbbe45c1ed1b1349
Instruction ID: dda426c68bd3f031579c1f27d3fccaf7d59fa78df42a4cda5cd91ff5e99f4ca6
Opcode Fuzzy Hash: 7f5e33d9348435b1084691201b4ce622635b75a9bbe4005fdbbe45c1ed1b1349
Instruction Fuzzy Hash: 3D1104B5C006498FCB50DF9AC484BDEFBF8EF88228F10841AD419B7600D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0115D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.576439831.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_115d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765b9017249f55bb5d94cef45f4349c9de7d166d1be4b0edebc85faeb6e2f8bd
Instruction ID: e84fbd713cb7fa8f8ab4eb892c0ac13c05fbd3995ece86e7dd7c49749aa46535
Opcode Fuzzy Hash: 765b9017249f55bb5d94cef45f4349c9de7d166d1be4b0edebc85faeb6e2f8bd
Instruction Fuzzy Hash: F821E271500240DFDF4ACF98E9C0B16BF75FB88328F248569ED050A206C33AD845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0116D006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.576467853.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_116d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952b8f9a797a99b5ac0b61228da63828dd2e1a9bc9b8d36351a35e7d5f3d0f79
Instruction ID: dc3192c526853da42cb3fedbab88ceed8e6902a353b9eb535e89b2b8da85ee85
Opcode Fuzzy Hash: 952b8f9a797a99b5ac0b61228da63828dd2e1a9bc9b8d36351a35e7d5f3d0f79
Instruction Fuzzy Hash: 7F217E7150D3C09FCB078F24D990B11BF75AB46214F29C6DBD8848F2A7C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0116D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.576467853.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_116d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa98c31ce5f77a1c6b1f58f74f8d536ba6438463c4b7576ef5f3284a6aadc8b7
Instruction ID: 933eae9512bc921d103b60b0a4cef2aa260572fe5f3e28c51b88b21768907089
Opcode Fuzzy Hash: aa98c31ce5f77a1c6b1f58f74f8d536ba6438463c4b7576ef5f3284a6aadc8b7
Instruction Fuzzy Hash: 10213771604240DFDF19DF58E9C0B26BBA9FB84314F24C56DE8894B242C33BD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0115D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.576439831.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_115d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: affde2ace4d1396f46b3c31d7292253564b91e6db6fe1708bf648dc7a7cde0a7
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: 6D11B176504280DFDF16CF54D5C4B16BF72FB84328F2486A9DD490B616C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0115D819 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.576439831.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_115d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4077fcb5cf4c52d47fac899b6043385fe88f4ad1b29a08560493ac6ddb32e669
Instruction ID: 4eec7038c4046b42f98ef587bdb5682e47de0be725c4d735c00396764353d3f4
Opcode Fuzzy Hash: 4077fcb5cf4c52d47fac899b6043385fe88f4ad1b29a08560493ac6ddb32e669
Instruction Fuzzy Hash: F9012B71404380EAEB594A5AEC80766BF98DF45334F08C41EED1C5B286C379D440CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0115D818 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.576439831.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_115d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ad0b4f0bbd95227e9cded86b99fb3e828c1b0fa752d7c0100481e47ce59b5d
Instruction ID: bb589ab1a243f01d6f876d9f6ae7427efeed1f65d683b76443bb2e66918a5518
Opcode Fuzzy Hash: a7ad0b4f0bbd95227e9cded86b99fb3e828c1b0fa752d7c0100481e47ce59b5d
Instruction Fuzzy Hash: B3F0C271404384EAEB258A0ADC84B62FF98EB85334F18C45AED585B282C3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 028EA208 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 05100E38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 028E565C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 028E4144 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 051033F0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 028EAA4D Relevance: 1.6, APIs: 1, Instructions: 69
libraryCOMMON

Function 028EC704 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 028ECB11 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 028E95E0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 028EA3E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 05101078 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 05101080 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 0510F6F0 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Function 0699E1D8 Relevance: 1.7, APIs: 1, Instructions: 208
libraryCOMMON

Function 067FBB68 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Function 0510F6E4 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Function 0510497C Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Function 05107605 Relevance: 1.6, APIs: 1, Instructions: 96
libraryCOMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre