Edit tour

Windows Analysis Report
Recibo de pago Banreserva.exe

Overview

General Information

Sample Name:	Recibo de pago Banreserva.exe
Analysis ID:	799539
MD5:	963dc44ec86b6f0e667716a4eafb63b1
SHA1:	f487e173e2d8ef1c95d33fef82db94ddd2231e48
SHA256:	14fe82910c2f207c0d0af16adb78beb03b871289d92bfeb52e7d4814b075e126
Infos:

Detection

AveMaria

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AveMaria stealer

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Writes to foreign memory regions

Found stalling execution ending in API Sleep call

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Uses 32bit PE files

Yara signature match

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64native

Recibo de pago Banreserva.exe (PID: 3160 cmdline: C:\Users\user\Desktop\Recibo de pago Banreserva.exe MD5: 963DC44EC86B6F0E667716A4EAFB63B1)

msinfo32.exe (PID: 4648 cmdline: C:\windows\syswow64\msinfo32.exe MD5: 5C49B7B55D4AF40DB1047E08484D6656)

Recibo de pago Banreserva.exe (PID: 4700 cmdline: "C:\Users\user\Desktop\Recibo de pago Banreserva.exe" ooooooooooooooo MD5: 963DC44EC86B6F0E667716A4EAFB63B1)

msinfo32.exe (PID: 4244 cmdline: C:\windows\syswow64\msinfo32.exe MD5: 5C49B7B55D4AF40DB1047E08484D6656)

ZMQ.exe (PID: 2320 cmdline: "C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe" MD5: 963DC44EC86B6F0E667716A4EAFB63B1)

ZMQ.exe (PID: 1984 cmdline: "C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe" MD5: 963DC44EC86B6F0E667716A4EAFB63B1)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Recibo de pago Banreserva.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_Bandook	Detects Bandook backdoor	ditekshen	0x9a978:$s1: "%sLib\dpx.pyc" "%ws" "%ws" "%ws" "%ws" "%ws" 0x9b158:$s2: %s\usd\dv-%s.dat 0x9ae08:$s3: %sprd.dat 0x9b18c:$s4: %sfile\shell\open\command 0x9aaf4:$s5: explorer.exe , %s 0x9ab3c:$f1: CaptureScreen 0x9aba8:$f2: StartShell 0x9ab4c:$f3: ClearCred 0x9ac08:$f4: GrabFileFromDevice 0x9ac1c:$f5: PutFileOnDevice 0x9ac4c:$f6: ChromeInject 0x9aca0:$f7: StartFileMonitor 0x9ad44:$f8: DisableMouseCapture 0x9ac94:$f9: StealUSB 0x9ad94:$f10: DDOSON 0x9adac:$f11: InstallMac 0x9ab64:$f12: SendCam 0x9b8ac:$x1: RTC-TGUBP 0x9b9a0:$x2: AVE_MARIA
00000001.00000000.4755352355.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: msinfo32.exe PID: 4648	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.msinfo32.exe.13140000.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
6.2.msinfo32.exe.13140000.0.raw.unpack	MALWARE_Win_Bandook	Detects Bandook backdoor	ditekshen	0x9a978:$s1: "%sLib\dpx.pyc" "%ws" "%ws" "%ws" "%ws" "%ws" 0x9b158:$s2: %s\usd\dv-%s.dat 0x9ae08:$s3: %sprd.dat 0x9b18c:$s4: %sfile\shell\open\command 0x9aaf4:$s5: explorer.exe , %s 0x9ab3c:$f1: CaptureScreen 0x9aba8:$f2: StartShell 0x9ab4c:$f3: ClearCred 0x9ac08:$f4: GrabFileFromDevice 0x9ac1c:$f5: PutFileOnDevice 0x9ac4c:$f6: ChromeInject 0x9aca0:$f7: StartFileMonitor 0x9ad44:$f8: DisableMouseCapture 0x9ac94:$f9: StealUSB 0x9ad94:$f10: DDOSON 0x9adac:$f11: InstallMac 0x9ab64:$f12: SendCam 0x9b8ac:$x1: RTC-TGUBP 0x9b9a0:$x2: AVE_MARIA
1.0.Recibo de pago Banreserva.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Bandook TCP CnC Beacon Keep-Alive (Inbound) - Source IP: 83.97.20.141 - Destination IP: 192.168.11.20

Timestamp:	83.97.20.141192.168.11.207075498312848605 02/06/23-16:46:57.776260
SID:	2848605
Source Port:	7075
Destination Port:	49831
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Bandook TCP CnC Beacon - Source IP: 192.168.11.20 - Destination IP: 83.97.20.141

Timestamp:	192.168.11.2083.97.20.1414983170752810128 02/06/23-16:46:57.776688
SID:	2810128
Source Port:	49831
Destination Port:	7075
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Recibo de pago Banreserva.exe	Virustotal: Detection: 21%			Perma Link
Source: Recibo de pago Banreserva.exe	ReversingLabs: Detection: 33%

Yara detected AveMaria stealer

Source: Yara match	File source: 6.2.msinfo32.exe.13140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 4648, type: MEMORYSTR

Multi AV Scanner detection for domain / URL

Source: bomes.ru

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe

ReversingLabs: Detection: 33%

Source: Recibo de pago Banreserva.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2810128 ETPRO TROJAN Bandook TCP CnC Beacon 192.168.11.20:49831 -> 83.97.20.141:7075
Source: Traffic	Snort IDS: 2848605 ETPRO TROJAN Bandook TCP CnC Beacon Keep-Alive (Inbound) 83.97.20.141:7075 -> 192.168.11.20:49831

Source: global traffic

TCP traffic: 192.168.11.20:49831 -> 83.97.20.141:7075

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	String found in binary or memory: http://prototype.conio.net/
Source: msinfo32.exe, msinfo32.exe, 00000006.00000002.9810355535.00000000131FC000.00000040.00000400.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.9810355535.0000000013C25000.00000040.00000400.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://unclesow.com/flras/
Source: msinfo32.exe, 00000006.00000002.9810355535.0000000013C25000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://unclesow.com/flras/0WlhFQsDBjql9http://unclesow.com/flras/6/2/2023bomes.ruOPR0ZMQC:
Source: msinfo32.exe, 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://unclesow.com/flras/7075xpucoMG9PLhfbDOBhvcizZOfNCWo6AJR58dtAJWJodmzAFZWlhFQsDBjql9izTWLwt9W5V
Source: msinfo32.exe, 00000006.00000002.9810355535.00000000131FC000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://unclesow.com/flras/Cdds0
Source: Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	String found in binary or memory: http://www.atozed.com
Source: Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	String found in binary or memory: http://www.wapforum.org/DTD/wml_1.1.xml
Source: Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	String found in binary or memory: http://www.wapforum.org/DTD/xhtml-mobile10.dtd
Source: msinfo32.exe, msinfo32.exe, 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: msinfo32.exe, 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/0.0.0.0%s~

Source: unknown

DNS traffic detected: queries for: bomes.ru

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 6.2.msinfo32.exe.13140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 4648, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.msinfo32.exe.13140000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Bandook backdoor Author: ditekshen
Source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Bandook backdoor Author: ditekshen

Source: Recibo de pago Banreserva.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 6.2.msinfo32.exe.13140000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Bandook author = ditekshen, description = Detects Bandook backdoor, clamav_sig = MALWARE.Win.Trojan.Bandook
Source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Bandook author = ditekshen, description = Detects Bandook backdoor, clamav_sig = MALWARE.Win.Trojan.Bandook

Source: Recibo de pago Banreserva.exe, 00000001.00000000.4757652001.0000000000807000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameViralNinjas8 vs Recibo de pago Banreserva.exe
Source: Recibo de pago Banreserva.exe, 00000001.00000000.4755352355.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Recibo de pago Banreserva.exe
Source: Recibo de pago Banreserva.exe	Binary or memory string: OriginalFilename vs Recibo de pago Banreserva.exe
Source: Recibo de pago Banreserva.exe	Binary or memory string: OriginalFilenameViralNinjas8 vs Recibo de pago Banreserva.exe

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: Recibo de pago Banreserva.exe	Virustotal: Detection: 21%
Source: Recibo de pago Banreserva.exe	ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Recibo de pago Banreserva.exe C:\Users\user\Desktop\Recibo de pago Banreserva.exe
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe C:\windows\syswow64\msinfo32.exe
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Users\user\Desktop\Recibo de pago Banreserva.exe "C:\Users\user\Desktop\Recibo de pago Banreserva.exe" ooooooooooooooo
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe C:\windows\syswow64\msinfo32.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe "C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe "C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe"
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe C:\windows\syswow64\msinfo32.exe	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Users\user\Desktop\Recibo de pago Banreserva.exe "C:\Users\user\Desktop\Recibo de pago Banreserva.exe" ooooooooooooooo	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe C:\windows\syswow64\msinfo32.exe	Jump to behavior

Source: C:\Windows\SysWOW64\msinfo32.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dtAJWJodmzAFZ
Source: C:\Windows\SysWOW64\msinfo32.exe	Mutant created: \Sessions\1\BaseNamedObjects\xpucoMG

Source: C:\Windows\SysWOW64\msinfo32.exe

File created: C:\Users\user\AppData\Roaming\ZMQ

Jump to behavior

Source: Recibo de pago Banreserva.exe	String found in binary or memory: NATS-SEFI-ADD
Source: Recibo de pago Banreserva.exe	String found in binary or memory: NATS-DANO-ADD
Source: Recibo de pago Banreserva.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: Recibo de pago Banreserva.exe	String found in binary or memory: jp-ocr-b-add
Source: Recibo de pago Banreserva.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: Recibo de pago Banreserva.exe	String found in binary or memory: jp-ocr-hand-add
Source: Recibo de pago Banreserva.exe	String found in binary or memory: ISO_6937-2-add
Source: Recibo de pago Banreserva.exe	String found in binary or memory: <P>The IP/Address you used was %s.%s
Source: Recibo de pago Banreserva.exe	String found in binary or memory: Execute via &Default browser/Launch default browser and execute application.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/1@1/1

Source: Yara match	File source: Recibo de pago Banreserva.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Recibo de pago Banreserva.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.4755352355.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe, type: DROPPED

Source: Recibo de pago Banreserva.exe

Static file information: File size 4568064 > 1048576

Source: Recibo de pago Banreserva.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Recibo de pago Banreserva.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x17d400
Source: Recibo de pago Banreserva.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2b7400

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Code function: 1_2_0019CFCE push eax; iretd	1_2_0019CFE1
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Code function: 7_2_0019CFCE push eax; iretd	7_2_0019CFE1
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Code function: 10_2_0019CFCE push eax; iretd	10_2_0019CFE1
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Code function: 11_2_0019CFCE push eax; iretd	11_2_0019CFE1
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Code function: 11_2_0019DF28 pushfd ; ret	11_2_0019DF29

Source: C:\Windows\SysWOW64\msinfo32.exe

Code function: 6_2_13FF67C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

6_2_13FF67C0

Source: C:\Windows\SysWOW64\msinfo32.exe

File created: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\msinfo32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZMQ			Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZMQ			Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\msinfo32.exe

Stalling execution: Execution stalls by calling Sleep

graph_6-84

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe TID: 2576	Thread sleep time: -230000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe TID: 364	Thread sleep time: -7700000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 376	Thread sleep time: -220000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe TID: 7772	Thread sleep count: 74 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe TID: 7772	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe TID: 6344	Thread sleep time: -7700000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 6464	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 6464	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe TID: 5972	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe TID: 2508	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msinfo32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msinfo32.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Thread delayed: delay time: 7700000	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Thread delayed: delay time: 7700000	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Windows\SysWOW64\msinfo32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msinfo32.exe

API call chain: ExitProcess graph end node

graph_6-94

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Thread delayed: delay time: 7700000	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Thread delayed: delay time: 7700000	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS

Source: C:\Windows\SysWOW64\msinfo32.exe

Code function: 6_2_13FF67C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

6_2_13FF67C0

Source: C:\Windows\SysWOW64\msinfo32.exe

Code function: 6_2_13198A15 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_13198A15

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory written: C:\Windows\SysWOW64\msinfo32.exe base: 13140000	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory written: C:\Windows\SysWOW64\msinfo32.exe base: 2EC5008	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory written: C:\Windows\SysWOW64\msinfo32.exe base: 13140000	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory written: C:\Windows\SysWOW64\msinfo32.exe base: 3136008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory allocated: C:\Windows\SysWOW64\msinfo32.exe base: 13140000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory allocated: C:\Windows\SysWOW64\msinfo32.exe base: 13140000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory written: C:\Windows\SysWOW64\msinfo32.exe base: 13140000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Memory written: C:\Windows\SysWOW64\msinfo32.exe base: 13140000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe C:\windows\syswow64\msinfo32.exe			Jump to behavior
Source: C:\Users\user\Desktop\Recibo de pago Banreserva.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe C:\windows\syswow64\msinfo32.exe			Jump to behavior

Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager'
Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager"
Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerN
Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !PODDUW~!Program Manager~!0~!tB*
Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: msinfo32.exe, 00000006.00000002.9809543824.0000000003228000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.9809123695.000000000307C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: !PODDUW~!Program Manager~!0~!

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 6.2.msinfo32.exe.13140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 4648, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 6.2.msinfo32.exe.13140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 4648, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	312 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	312 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Recibo de pago Banreserva.exe	21%	Virustotal		Browse
Recibo de pago Banreserva.exe	33%	ReversingLabs	Win32.Trojan.InjectorX

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe	33%	ReversingLabs	Win32.Trojan.InjectorX

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
bomes.ru	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://unclesow.com/flras/Cdds0	0%	Avira URL Cloud	safe
http://www.wapforum.org/DTD/xhtml-mobile10.dtd	0%	Avira URL Cloud	safe
http://unclesow.com/flras/	0%	Avira URL Cloud	safe
http://www.wapforum.org/DTD/wml_1.1.xml	0%	Avira URL Cloud	safe
http://unclesow.com/flras/0WlhFQsDBjql9http://unclesow.com/flras/6/2/2023bomes.ruOPR0ZMQC:	0%	Avira URL Cloud	safe
http://www.wapforum.org/DTD/xhtml-mobile10.dtd	0%	Virustotal		Browse
http://www.wapforum.org/DTD/wml_1.1.xml	1%	Virustotal		Browse
http://prototype.conio.net/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bomes.ru	83.97.20.141	true	true	12%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	msinfo32.exe, msinfo32.exe, 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	false		high
http://unclesow.com/flras/Cdds0	msinfo32.exe, 00000006.00000002.9810355535.00000000131FC000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	false		high
http://www.atozed.com	Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	false		high
http://unclesow.com/flras/	msinfo32.exe, msinfo32.exe, 00000006.00000002.9810355535.00000000131FC000.00000040.00000400.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.9810355535.0000000013C25000.00000040.00000400.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wapforum.org/DTD/xhtml-mobile10.dtd	Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://unclesow.com/flras/0WlhFQsDBjql9http://unclesow.com/flras/6/2/2023bomes.ruOPR0ZMQC:	msinfo32.exe, 00000006.00000002.9810355535.0000000013C25000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.ipify.org/0.0.0.0%s~	msinfo32.exe, 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.wapforum.org/DTD/wml_1.1.xml	Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://prototype.conio.net/	Recibo de pago Banreserva.exe, ZMQ.exe.9.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
83.97.20.141	bomes.ru	Romania		9009	M247GB	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	799539
Start date and time:	2023-02-06 16:36:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Recibo de pago Banreserva.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/1@1/1
EGA Information:	Successful, ratio: 20%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, UserOOBEBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com
Execution Graph export aborted for target Recibo de pago Banreserva.exe, PID 3160 because there are no executed function
Execution Graph export aborted for target Recibo de pago Banreserva.exe, PID 4700 because there are no executed function
Execution Graph export aborted for target ZMQ.exe, PID 1984 because there are no executed function
Execution Graph export aborted for target ZMQ.exe, PID 2320 because there are no executed function

Simulations

Behavior and APIs

Time	Type	Description
16:45:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ZMQ C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe
16:45:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ZMQ C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
83.97.20.141	Confirmar Transferencia lista.exe	Get hash	malicious	Browse
	Xvq0c5WDmN.exe	Get hash	malicious	Browse
	Confirmar Transferencia lista.exe	Get hash	malicious	Browse
	FACTURA_EMITIDA_01.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bomes.ru	Confirmar Transferencia lista.exe	Get hash	malicious	Browse	83.97.20.141
	Xvq0c5WDmN.exe	Get hash	malicious	Browse	83.97.20.141
	Confirmar Transferencia lista.exe	Get hash	malicious	Browse	83.97.20.141
	FACTURA_EMITIDA_01.exe	Get hash	malicious	Browse	83.97.20.141

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	Confirmar Transferencia lista.exe	Get hash	malicious	Browse	83.97.20.141
	4iLDIlbK8X.elf	Get hash	malicious	Browse	45.86.28.81
	ptLoHDY5Sm.elf	Get hash	malicious	Browse	171.22.50.184
	fWikJEXL2p.elf	Get hash	malicious	Browse	185.254.185.80
	J3Za3c6EN2.elf	Get hash	malicious	Browse	193.32.99.113
	0167.pdf.scr	Get hash	malicious	Browse	188.72.124.143
	https://gardendalepain-my.sharepoint.com/:o:/p/jstewart/EtQfO_jHQrxAhnbaOs_LAhsBPkFdP6RBXK5r44uQe3sF6g?e=paOb5r	Get hash	malicious	Browse	193.29.104.84
	WQi2YD6hQR.elf	Get hash	malicious	Browse	168.80.46.16
	dGCnwOnxb1.elf	Get hash	malicious	Browse	193.29.104.151
	UU9joEtotW.elf	Get hash	malicious	Browse	173.211.86.152
	AVpGrgzqpb.elf	Get hash	malicious	Browse	185.94.197.129
	Xvq0c5WDmN.exe	Get hash	malicious	Browse	83.97.20.141
	a17hW45pFJ.vbs	Get hash	malicious	Browse	103.47.144.93
	Confirmar Transferencia lista.exe	Get hash	malicious	Browse	83.97.20.141
	PiuV0y8Fw8.elf	Get hash	malicious	Browse	38.203.241.110
	92A99F2DBC918D102F537652B42FC6FDBE25FF2E52A5E.exe	Get hash	malicious	Browse	206.123.132.35
	inslallStartx64.exe	Get hash	malicious	Browse	89.238.185.17
	05E9WsH93Q.elf	Get hash	malicious	Browse	185.144.83.46
	shipping document PL&BL draft.exe	Get hash	malicious	Browse	185.156.175.35
	SetupProgram_v3.8.6.exe	Get hash	malicious	Browse	89.238.170.246

Process:	C:\Windows\SysWOW64\msinfo32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4568064
Entropy (8bit):	6.7724325286819855
Encrypted:	false
SSDEEP:	49152:MxJPhRf0ewejGkahfiJWcSlAerZeWfEhiHECbFkt+aSj982TnUkcNVuV9zwu:MxTGeyk
MD5:	963DC44EC86B6F0E667716A4EAFB63B1
SHA1:	F487E173E2D8EF1C95D33FEF82DB94DDD2231E48
SHA-256:	14FE82910C2F207C0D0AF16ADB78BEB03B871289D92BFEB52E7D4814B075E126
SHA-512:	6300C982B38242C3D591410672D6872B2E80D675ACB421394B78B59F18E9E85C300E12E3BF7BDDC82EB6AA86A5DD998064232C90C0C5D164A4C6055DAB97CC2E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....I.c......................-.............. ....@...........................F..................@........................... ...0.......t+..................................................p.......................(..\|............................text...\|........................... ..`.itext..h/.......0.................. ..`.data....w... ...x..................@....bss.....}...............................idata...0... ...2..................@....tls....H....`...........................rdata.......p......................@..@.reloc..............................@..B.rsrc....t+......t+..@..............@..@..............F.......E.............@..@................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7724325286819855
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Recibo de pago Banreserva.exe
File size:	4568064
MD5:	963dc44ec86b6f0e667716a4eafb63b1
SHA1:	f487e173e2d8ef1c95d33fef82db94ddd2231e48
SHA256:	14fe82910c2f207c0d0af16adb78beb03b871289d92bfeb52e7d4814b075e126
SHA512:	6300c982b38242c3d591410672d6872b2e80d675acb421394b78b59f18e9e85c300e12e3bf7bddc82eb6aa86a5dd998064232c90c0c5d164a4c6055dab97cc2e
SSDEEP:	49152:MxJPhRf0ewejGkahfiJWcSlAerZeWfEhiHECbFkt+aSj982TnUkcNVuV9zwu:MxTGeyk
TLSH:	4926C021B7D0413AD03A36789FAAD28CAA3EBE108D35D51F36DC7A4E2F705412E557B2
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0000212129210100

Static PE Info

General

Entrypoint:	0x581da0
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x63DE49DA [Sat Feb 4 12:04:42 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	94098decd11011734bd0063060a1831a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 0057D93Ch
call 00007F333CA8355Ah
xor ecx, ecx
mov dl, 01h
mov eax, dword ptr [00457ED0h]
call 00007F333CAD6C74h
mov ebx, eax
mov edx, 00581F54h
mov eax, ebx
call 00007F333CAC126Eh
mov edx, 00000020h
mov eax, ebx
call 00007F333CAC0932h
xor eax, eax
push ebp
push 00581E87h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [00591D9Ch]
mov eax, dword ptr [eax+00000220h]
call 00007F333CBF86A8h
push 00000001h
push 00000002h
mov ecx, 00000002h
mov edx, 00000003h
mov eax, esi
mov ebx, dword ptr [eax]
call dword ptr [ebx+00000088h]
mov eax, dword ptr [00591D9Ch]
call 00007F333CBF92CEh
mov dl, 01h
mov eax, dword ptr [00591D94h]
mov ecx, dword ptr [eax]
call dword ptr [ecx-04h]
mov eax, dword ptr [esi+00000298h]
xor edx, edx
call 00007F333CB5AA91h
mov dl, 01h
mov ecx, dword ptr [eax]
call dword ptr [ecx-04h]
mov eax, esi
mov edx, dword ptr [eax]
call dword ptr [edx+00000080h]
mov eax, dword ptr [00591D98h]
mov edx, dword ptr [eax]
call dword ptr [edx-08h]
mov eax, dword ptr [00591D9Ch]
mov edx, dword ptr [eax]
call dword ptr [edx+000002A8h]
mov eax, dword ptr [00591D9Ch]
call 00007F333CB60497h
mov eax, dword ptr [0000009Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x192000	0x30aa	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b1000	0x2b7400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x198000	0x18b8c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x197000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1928f8	0x77c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17d27c	0x17d400	False	0.4251652151639344	data	6.351665925970968	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x17f000	0x2f68	0x3000	False	0.473876953125	data	6.102609159240764	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x182000	0x7794	0x7800	False	0.4427734375	data	4.976361652960001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18a000	0x7da8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x192000	0x30aa	0x3200	False	0.3078125	data	5.073229022966032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x196000	0x48	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x197000	0x18	0x200	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x198000	0x18b8c	0x18c00	False	0.5334300031565656	data	6.659400816187808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1b1000	0x2b7400	0x2b7400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ESD	0x1b3fa8	0x221aac	ASCII text, with very long lines (65536), with no line terminators	English	United States
UNICODEDATA	0x3d5a54	0x723f	data
UNICODEDATA	0x3dcc94	0x7ebd	data
UNICODEDATA	0x3e4b54	0x6a8	data
UNICODEDATA	0x3e51fc	0xaf7d	data
UNICODEDATA	0x3f017c	0xd3cf	data
UNICODEDATA	0x3fd54c	0x14c5	data
RT_CURSOR	0x3fea14	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x3feb48	0x134	data	English	United States
RT_CURSOR	0x3fec7c	0x134	data	English	United States
RT_CURSOR	0x3fedb0	0x134	data	English	United States
RT_CURSOR	0x3feee4	0x134	data	English	United States
RT_CURSOR	0x3ff018	0x134	data	English	United States
RT_CURSOR	0x3ff14c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States
RT_BITMAP	0x3ff280	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3ff450	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States
RT_BITMAP	0x3ff634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3ff804	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3ff9d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3ffba4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3ffd74	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3fff44	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x400114	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4002e4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4004b4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x400574	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x400654	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x400734	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x400814	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x4008d4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x400994	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x400a74	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x400b34	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x400c14	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States
RT_BITMAP	0x400cfc	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x400dbc	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_ICON	0x400e9c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640
RT_ICON	0x401184	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192
RT_ICON	0x4012ac	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688
RT_ICON	0x402154	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152
RT_ICON	0x4029fc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320
RT_ICON	0x402f64	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896
RT_ICON	0x40718c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON	0x409734	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720
RT_ICON	0x40b19c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0x40c244	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400
RT_ICON	0x40cbcc	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680
RT_ICON	0x40d284	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_DIALOG	0x40d6ec	0x52	data
RT_DIALOG	0x40d740	0x52	data
RT_STRING	0x40d794	0x1f0	data
RT_STRING	0x40d984	0x49c	data
RT_STRING	0x40de20	0x4c0	data
RT_STRING	0x40e2e0	0x400	data
RT_STRING	0x40e6e0	0x230	data
RT_STRING	0x40e910	0x2cc	data
RT_STRING	0x40ebdc	0x1a4	AmigaOS bitmap font "i", fc_YSize 22016, 17920 elements, 2nd "r", 3rd
RT_STRING	0x40ed80	0x278	data
RT_STRING	0x40eff8	0x4f0	data
RT_STRING	0x40f4e8	0x464	AmigaOS bitmap font "P", fc_YSize 17408, 18944 elements, 2nd "t", 3rd "m"
RT_STRING	0x40f94c	0x300	data
RT_STRING	0x40fc4c	0x3e4	data
RT_STRING	0x410030	0x2e4	data
RT_STRING	0x410314	0x530	data
RT_STRING	0x410844	0x28c	data
RT_STRING	0x410ad0	0x3a0	data
RT_STRING	0x410e70	0x2e0	AmigaOS bitmap font "x", fc_YSize 27648, 17664 elements, 2nd " ", 3rd "w"
RT_STRING	0x411150	0x488	data
RT_STRING	0x4115d8	0x2b8	data
RT_STRING	0x411890	0x36c	data
RT_STRING	0x411bfc	0x360	data
RT_STRING	0x411f5c	0x1b8	data
RT_STRING	0x412114	0x5f0	data
RT_STRING	0x412704	0x5d8	data
RT_STRING	0x412cdc	0x3c8	data
RT_STRING	0x4130a4	0x410	data
RT_STRING	0x4134b4	0x604	data
RT_STRING	0x413ab8	0x86c	data
RT_STRING	0x414324	0x8bc	data
RT_STRING	0x414be0	0x7a8	data
RT_STRING	0x415388	0x850	data
RT_STRING	0x415bd8	0xa68	data
RT_STRING	0x416640	0x740	data
RT_STRING	0x416d80	0x25c	data
RT_STRING	0x416fdc	0x240	data
RT_STRING	0x41721c	0x120	data
RT_STRING	0x41733c	0x130	data
RT_STRING	0x41746c	0xe0	data
RT_STRING	0x41754c	0x2b4	data
RT_STRING	0x417800	0x9c	data
RT_STRING	0x41789c	0xec	data
RT_STRING	0x417988	0x1a4	data
RT_STRING	0x417b2c	0x430	data
RT_STRING	0x417f5c	0x384	data
RT_STRING	0x4182e0	0x338	data
RT_STRING	0x418618	0x324	data
RT_STRING	0x41893c	0x3ec	data
RT_STRING	0x418d28	0x170	data
RT_STRING	0x418e98	0xcc	data
RT_STRING	0x418f64	0x240	data
RT_STRING	0x4191a4	0x3cc	data
RT_STRING	0x419570	0x41c	data
RT_STRING	0x41998c	0x2ec	data
RT_STRING	0x419c78	0x308	data
RT_RCDATA	0x419f80	0x10	data
RT_RCDATA	0x419f90	0x1536	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
RT_RCDATA	0x41b4c8	0x359	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x41b824	0x12c	GIF image data, version 89a, 10 x 12
RT_RCDATA	0x41b950	0x129	GIF image data, version 89a, 10 x 12
RT_RCDATA	0x41ba7c	0x4c8	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41bf44	0x4b5	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41c3fc	0x42e	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41c82c	0x42e	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41cc5c	0x432	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41d090	0x434	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41d4c4	0x4da	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41d9a0	0x4c1	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41de64	0x449	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41e2b0	0x455	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41e708	0x4ce	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41ebd8	0x4b9	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41f094	0x32e	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41f3c4	0x30e	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41f6d4	0x444	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41fb18	0x44f	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x41ff68	0x4b5	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x420420	0x4ab	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x4208cc	0x480	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x420d4c	0x46a	GIF image data, version 89a, 24 x 24
RT_RCDATA	0x4211b8	0x672	HTML document, ASCII text, with CRLF, LF line terminators
RT_RCDATA	0x42182c	0xe34	GIF image data, version 89a, 105 x 141
RT_RCDATA	0x422660	0xa25	GIF image data, version 89a, 171 x 75
RT_RCDATA	0x423088	0x4b	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x4230d4	0x3f	GIF image data, version 89a, 12 x 16
RT_RCDATA	0x423114	0x6e	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423184	0x50	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x4231d4	0x6c	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423240	0x4f	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423290	0x6f	GIF image data, version 89a, 17 x 16
RT_RCDATA	0x423300	0x41	GIF image data, version 89a, 15 x 15
RT_RCDATA	0x423344	0x3c	GIF image data, version 89a, 16 x 12
RT_RCDATA	0x423380	0x69	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x4233ec	0x4d	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x42343c	0x71	GIF image data, version 89a, 16 x 17
RT_RCDATA	0x4234b0	0x69	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x42351c	0x4d	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x42356c	0x453	HTML document, ASCII text, with CRLF line terminators
RT_RCDATA	0x4239c0	0x36	GIF image data, version 89a, 1 x 1
RT_RCDATA	0x4239f8	0x91	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423a8c	0x82	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423b10	0x75	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423b88	0x9e	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423c28	0x7c	GIF image data, version 89a, 16 x 16
RT_RCDATA	0x423ca4	0x6528	ASCII text, with CRLF line terminators
RT_RCDATA	0x42a1cc	0xed2	HTML document, ASCII text, with CRLF line terminators
RT_RCDATA	0x42b0a0	0x5e71	ASCII text, with CRLF line terminators
RT_RCDATA	0x430f14	0x5bdc	ASCII text, with CRLF line terminators
RT_RCDATA	0x436af0	0x539	ASCII text, with CRLF line terminators
RT_RCDATA	0x43702c	0x1f8a	HTML document, ASCII text, with CRLF line terminators
RT_RCDATA	0x438fb8	0x1687	ASCII text, with CRLF line terminators
RT_RCDATA	0x43a640	0x17e1	ASCII text, with CRLF line terminators
RT_RCDATA	0x43be24	0x1ec5	ASCII text, with CRLF line terminators
RT_RCDATA	0x43dcec	0x100c	ISO-8859 text, with CRLF line terminators
RT_RCDATA	0x43ecf8	0xb6d	ASCII text, with CRLF line terminators
RT_RCDATA	0x43f868	0x348	ASCII text, with CRLF line terminators
RT_RCDATA	0x43fbb0	0x4ed	ASCII text, with CRLF line terminators
RT_RCDATA	0x4400a0	0x2408	ASCII text, with CRLF line terminators
RT_RCDATA	0x4424a8	0x1b42	ASCII text, with CRLF line terminators
RT_RCDATA	0x443fec	0xb955	ASCII text
RT_RCDATA	0x44f944	0x16003	ASCII text
RT_RCDATA	0x465948	0xd7b	ASCII text, with CRLF line terminators
RT_RCDATA	0x4666c4	0x72a	ASCII text, with CRLF line terminators
RT_RCDATA	0x466df0	0x117c	data
RT_GROUP_CURSOR	0x467f6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x467f80	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x467f94	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x467fa8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x467fbc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x467fd0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x467fe4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x467ff8	0xae	data
RT_VERSION	0x4680a8	0x2f8	data

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, RemoveDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQuery, VirtualAlloc, TryEnterCriticalSection, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, SuspendThread, Sleep, SizeofResource, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReleaseSemaphore, ReadFile, RaiseException, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesExA, GetFileAttributesA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateSemaphoreA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringW, CompareStringA, CloseHandle
advapi32.dll	RevertToSelf, RegQueryValueExW, RegQueryValueExA, RegOpenKeyExW, RegOpenKeyExA, RegFlushKey, RegCloseKey, OpenThreadToken, ImpersonateLoggedOnUser
kernel32.dll	Sleep
ole32.dll	CoCreateGuid
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoUninitialize, CoInitialize
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
kernel32.dll	GetVersionExA
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, WSACancelAsyncRequest, WSAAsyncGetServByName, WSAAsyncGetHostByName, WSAAsyncSelect, getservbyname, gethostbyname, socket, send, recv, ntohs, listen, ioctlsocket, inet_addr, htons, connect, closesocket, bind

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
83.97.20.141192.168.11.207075498312848605 02/06/23-16:46:57.776260	TCP	2848605	ETPRO TROJAN Bandook TCP CnC Beacon Keep-Alive (Inbound)	7075	49831	83.97.20.141	192.168.11.20
192.168.11.2083.97.20.1414983170752810128 02/06/23-16:46:57.776688	TCP	2810128	ETPRO TROJAN Bandook TCP CnC Beacon	49831	7075	192.168.11.20	83.97.20.141

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 6, 2023 16:41:19.837397099 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:41:19.924129963 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:41:19.924459934 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:41:20.198875904 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:41:20.332488060 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:41:57.735222101 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:41:57.735691071 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:41:57.864624977 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:42:57.772366047 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:42:57.772639990 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:42:57.916038036 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:43:57.793998957 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:43:57.794434071 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:43:57.938997030 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:44:57.777468920 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:44:57.777970076 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:44:57.917399883 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:45:57.805488110 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:45:57.805847883 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:45:57.991475105 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:46:57.776259899 CET	7075	49831	83.97.20.141	192.168.11.20
Feb 6, 2023 16:46:57.776688099 CET	49831	7075	192.168.11.20	83.97.20.141
Feb 6, 2023 16:46:57.913367987 CET	7075	49831	83.97.20.141	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 6, 2023 16:41:19.664875031 CET	57541	53	192.168.11.20	1.1.1.1
Feb 6, 2023 16:41:19.825637102 CET	53	57541	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 6, 2023 16:41:19.664875031 CET	192.168.11.20	1.1.1.1	0x969b	Standard query (0)	bomes.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 6, 2023 16:41:19.825637102 CET	1.1.1.1	192.168.11.20	0x969b	No error (0)	bomes.ru		83.97.20.141	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	16:38:08
Start date:	06/02/2023
Path:	C:\Users\user\Desktop\Recibo de pago Banreserva.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Recibo de pago Banreserva.exe
Imagebase:	0x400000
File size:	4568064 bytes
MD5 hash:	963DC44EC86B6F0E667716A4EAFB63B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000000.4755352355.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	16:41:16
Start date:	06/02/2023
Path:	C:\Windows\SysWOW64\msinfo32.exe
Wow64 process (32bit):	true
Commandline:	C:\windows\syswow64\msinfo32.exe
Imagebase:	0x850000
File size:	338432 bytes
MD5 hash:	5C49B7B55D4AF40DB1047E08484D6656
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_Bandook, Description: Detects Bandook backdoor, Source: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, Author: ditekshen
Reputation:	moderate

Show Windows behavior

Target ID:	7
Start time:	16:41:16
Start date:	06/02/2023
Path:	C:\Users\user\Desktop\Recibo de pago Banreserva.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Recibo de pago Banreserva.exe" ooooooooooooooo
Imagebase:	0x400000
File size:	4568064 bytes
MD5 hash:	963DC44EC86B6F0E667716A4EAFB63B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	16:44:18
Start date:	06/02/2023
Path:	C:\Windows\SysWOW64\msinfo32.exe
Wow64 process (32bit):	true
Commandline:	C:\windows\syswow64\msinfo32.exe
Imagebase:	0x850000
File size:	338432 bytes
MD5 hash:	5C49B7B55D4AF40DB1047E08484D6656
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	10
Start time:	16:45:12
Start date:	06/02/2023
Path:	C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe"
Imagebase:	0x7ff75abb0000
File size:	4568064 bytes
MD5 hash:	963DC44EC86B6F0E667716A4EAFB63B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe, Author: Joe Security
Antivirus matches:	Detection: 33%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	16:45:21
Start date:	06/02/2023
Path:	C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe"
Imagebase:	0x400000
File size:	4568064 bytes
MD5 hash:	963DC44EC86B6F0E667716A4EAFB63B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	38.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	39.1%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 13FF67C0 Relevance: 7.7, APIs: 5, Instructions: 185
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 13FF6902
GetProcAddress.KERNEL32(?,13FF4FF9), ref: 13FF6920
ExitProcess.KERNEL32(?,13FF4FF9), ref: 13FF6931
VirtualProtect.KERNELBASE(13140000,00001000,00000004,?,057EBB00), ref: 13FF694E
VirtualProtect.KERNELBASE(13140000,00001000), ref: 13FF6963

Memory Dump Source

Source File: 00000006.00000002.9810355535.0000000013FF5000.00000040.00000400.00020000.00000000.sdmp, Offset: 13140000, based on PE: true

Associated: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13140000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 757dd17e5fa95604ecc7aac9eff2aaee55e9d3c2b88249dfadb35353dbfee004
Instruction ID: b6e887f9ca2b28ec712dfcb76cf18aff48946d11f876862bc2002a9101bb8aff
Opcode Fuzzy Hash: 757dd17e5fa95604ecc7aac9eff2aaee55e9d3c2b88249dfadb35353dbfee004
Instruction Fuzzy Hash: 4B51D0B3A557934AD3104AB89EC4650BBACEF0623472C073DDEE1973E5EFA55806C660

Uniqueness

Uniqueness Score: -1.00%

Function 1315CB10 Relevance: 3.0, APIs: 2, Instructions: 34
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastInputInfo.USER32(00000008), ref: 1315CB35
Sleep.KERNELBASE(00002710), ref: 1315CB68

Memory Dump Source

Source File: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, Offset: 13140000, based on PE: true

Associated: 00000006.00000002.9810355535.0000000013FF5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13140000_msinfo32.jbxd

Yara matches

Similarity

API ID: InfoInputLastSleep
String ID:
API String ID: 1162944863-0
Opcode ID: 5e52a0c89b3970dde6e70d80d26661b019d23b9d3f05a747ec48d91668530a39
Instruction ID: cd30dbacb1944860300b79b7ce794a3713a7d22bc7408253b9c1ec695d4b28ff
Opcode Fuzzy Hash: 5e52a0c89b3970dde6e70d80d26661b019d23b9d3f05a747ec48d91668530a39
Instruction Fuzzy Hash: 8CF0B436904128AFCB04FF6DD9C595ABFBCFB49364F440265E918D3284D734A854CBA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 13198A15 Relevance: 6.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,13198B34,131CEC68,00000017), ref: 13198A1A
UnhandledExceptionFilter.KERNEL32(?,?,13198B34,131CEC68,00000017), ref: 13198A23
GetCurrentProcess.KERNEL32(C0000409,?,13198B34,131CEC68,00000017), ref: 13198A2E
TerminateProcess.KERNEL32(00000000,?,13198B34,131CEC68,00000017), ref: 13198A35

Memory Dump Source

Source File: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, Offset: 13140000, based on PE: true

Associated: 00000006.00000002.9810355535.0000000013FF5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13140000_msinfo32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: efe9299d8c83840d8bcc812fe64f9a0cee132a5afa70b9ac625f1b7a0ad52663
Instruction ID: 487008f51e09d1bf93032ec30c68f8f048622ba8f0a6c57a6f067642269298dc
Opcode Fuzzy Hash: efe9299d8c83840d8bcc812fe64f9a0cee132a5afa70b9ac625f1b7a0ad52663
Instruction Fuzzy Hash: 3CD01231440224AFC7483BE1C9CCA4D3F68EB0466AF018000FF0981004DB3944108B79

Uniqueness

Uniqueness Score: -1.00%

Function 1314FA20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,13BFDB78,?), ref: 1314FA57
RegQueryValueExA.ADVAPI32(?,13C260E0,00000000,00000000,?,00000200), ref: 1314FA7E

Strings

BLABLA, xrefs: 1314FA88

Memory Dump Source

Source File: 00000006.00000002.9810355535.0000000013140000.00000040.00000400.00020000.00000000.sdmp, Offset: 13140000, based on PE: true

Associated: 00000006.00000002.9810355535.0000000013FF5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13140000_msinfo32.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: BLABLA
API String ID: 4153817207-1676716149
Opcode ID: aef527a16c6fdcb4c7625d402229a13b9c052565a98cf6f7bcbf6e7f986acc8c
Instruction ID: e19a3eeec7759514f7a8bcf63f4a0077f9d851227abd78ad3a8c800c338f666f
Opcode Fuzzy Hash: aef527a16c6fdcb4c7625d402229a13b9c052565a98cf6f7bcbf6e7f986acc8c
Instruction Fuzzy Hash: 3C01A770600318BFD714EB90CD8CFE97BBCE704205FA041A5ED25E1147D775695CAB14

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Recibo de pago Banreserva.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\ZMQ\ZMQ.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Recibo de pago Banreserva.exe

Function 13FF67C0 Relevance: 7.7, APIs: 5, Instructions: 185
librarymemoryloaderCOMMON

Function 1315CB10 Relevance: 3.0, APIs: 2, Instructions: 34
sleepCOMMON

Function 13198A15 Relevance: 6.0, APIs: 4, Instructions: 12
COMMON

Function 1314FA20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
registryCOMMON