Edit tour
Windows
Analysis Report
server.exe
Overview
General Information
| Sample Name: | server.exe |
| Analysis ID: | 826050 |
| MD5: | 0a7efdf643e54621fe9b9e5a29c06faf |
| SHA1: | 0db17d1fcb4464120a6f3b088693f7b370fd0153 |
| SHA256: | 8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe |
| Tags: | agenziaentrateexegoziisfbITAmefmiseursnif |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
server.exe (PID: 3396 cmdline: C:\Users\u ser\Deskto p\server.e xe MD5: 0A7EFDF643E54621FE9B9E5A29C06FAF)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Gozi, Ursnif | 2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module. | No Attribution |
{"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
| Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
| |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
| Click to see the 27 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.562.173.142.5149699802033203 03/14/23-09:26:29.644541 |
| SID: | 2033203 |
| Source Port: | 49699 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.562.173.142.5149699802033204 03/14/23-09:26:29.644541 |
| SID: | 2033204 |
| Source Port: | 49699 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.594.103.183.15349700802033203 03/14/23-09:26:49.778257 |
| SID: | 2033203 |
| Source Port: | 49700 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.594.103.183.15349700802033204 03/14/23-09:26:49.778257 |
| SID: | 2033204 |
| Source Port: | 49700 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 0_2_00571508 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | ASN Name: | ||
| Source: | DNS traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00571508 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00412E5E | |
| Source: | Code function: | 0_2_004129C9 | |
| Source: | Code function: | 0_2_004135CE | |
| Source: | Code function: | 0_2_004131FC | |
| Source: | Code function: | 0_2_004139B6 | |
| Source: | Code function: | 0_2_005716DF | |
| Source: | Code function: | 0_2_0057832C | |
| Source: | Code function: | 0_2_00571D8A | |
| Source: | Code function: | 0_2_0040110B | |
| Source: | Code function: | 0_2_00401459 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_0057421F | |
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_0057832B | |
| Source: | Code function: | 0_2_00577F39 | |
| Source: | Code function: | 0_2_00401000 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | ||
| Source: | Check user administrative privileges: | ||
| Source: | Evasive API call chain: | ||
| Source: | API call chain: | ||
Anti Debugging | |
|---|
| Source: | Debugger detection routine: | ||
| Source: | Code function: | 0_2_00401000 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_00410C7F | |
| Source: | Code function: | 0_2_004118DB | |
| Source: | Code function: | 0_2_004154FA | |
| Source: | Code function: | 0_2_0041089B | |
| Source: | Code function: | 0_2_00573BD3 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00401D68 | |
| Source: | Code function: | 0_2_004015B0 | |
| Source: | Code function: | 0_2_00573BD3 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Windows Management Instrumentation | Path Interception | Path Interception | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
| Default Accounts | 13 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Software Packing | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 124 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 36% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1245293 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen7 | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| checklist.skype.com | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 62.173.142.51 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true | |
| 94.103.183.153 | unknown | Russian Federation | 197390 | RATELE-ASRU | true |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 826050 |
| Start date and time: | 2023-03-14 09:24:08 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 5m 41s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | server.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@1/0@1/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: server.exe
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 62.173.142.51 | Get hash | malicious | Ursnif | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| SPACENET-ASInternetServiceProviderRU | Get hash | malicious | Ursnif | Browse |
| |
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.816297179835972 |
| TrID: |
|
| File name: | server.exe |
| File size: | 239104 |
| MD5: | 0a7efdf643e54621fe9b9e5a29c06faf |
| SHA1: | 0db17d1fcb4464120a6f3b088693f7b370fd0153 |
| SHA256: | 8cfad47521642927f7ab5f7401445393ab916fe2f67072b44cadfa89c11a40fe |
| SHA512: | 11ddf0f3a432ab56e0d02804e3191b9fda38f135f59aae35328c32ebd28ed73073d3e196906063fb105b73916e64c919ac45be2c32b09f1feef113a39571dcb3 |
| SSDEEP: | 3072:HlrxsoA0q2uvNzapNaCik4A5RIiUDzmk5lLLBqc8KrOdNcJWrJGHG/Ni:IoXqNN+pIV4RhUNnvrOI0rJSqN |
| TLSH: | 69348D1372D0A471E6724A31BE1BC2F4661FFCA58F5966E723986A2F1D711E1CE36302 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........aBL...L...L...#...\...#.../...E...G...L...:...#...a...#...M...#...M...RichL...........PE..L.....\b........................... |
 | |
| Icon Hash: | ba821212818aa292 |
| Entrypoint: | 0x409761 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x625CE5AC [Mon Apr 18 04:14:36 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | ae274c29ca15928cb1e23f2e712ba155 |
| Instruction |
|---|
| call 00007FC3FCE3223Eh |
| jmp 00007FC3FCE2BC5Eh |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| test eax, eax |
| je 00007FC3FCE2BDE4h |
| sub eax, 08h |
| cmp dword ptr [eax], 0000DDDDh |
| jne 00007FC3FCE2BDD9h |
| push eax |
| call 00007FC3FCE2B3F7h |
| pop ecx |
| pop ebp |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov esi, ecx |
| mov byte ptr [esi+0Ch], 00000000h |
| test eax, eax |
| jne 00007FC3FCE2BE35h |
| call 00007FC3FCE2EDADh |
| mov dword ptr [esi+08h], eax |
| mov ecx, dword ptr [eax+6Ch] |
| mov dword ptr [esi], ecx |
| mov ecx, dword ptr [eax+68h] |
| mov dword ptr [esi+04h], ecx |
| mov ecx, dword ptr [esi] |
| cmp ecx, dword ptr [0042D2A0h] |
| je 00007FC3FCE2BDE4h |
| mov ecx, dword ptr [0042D058h] |
| test dword ptr [eax+70h], ecx |
| jne 00007FC3FCE2BDD9h |
| call 00007FC3FCE32C18h |
| mov dword ptr [esi], eax |
| mov eax, dword ptr [esi+04h] |
| cmp eax, dword ptr [0042CF60h] |
| je 00007FC3FCE2BDE8h |
| mov eax, dword ptr [esi+08h] |
| mov ecx, dword ptr [0042D058h] |
| test dword ptr [eax+70h], ecx |
| jne 00007FC3FCE2BDDAh |
| call 00007FC3FCE32477h |
| mov dword ptr [esi+04h], eax |
| mov eax, dword ptr [esi+08h] |
| test byte ptr [eax+70h], 00000002h |
| jne 00007FC3FCE2BDE6h |
| or dword ptr [eax+70h], 02h |
| mov byte ptr [esi+0Ch], 00000001h |
| jmp 00007FC3FCE2BDDCh |
| mov ecx, dword ptr [eax] |
| mov dword ptr [esi], ecx |
| mov eax, dword ptr [eax+04h] |
| mov dword ptr [esi+04h], eax |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 10h |
| mov eax, dword ptr [0042C868h] |
| xor eax, ebp |
| mov dword ptr [ebp-04h], eax |
| mov edx, dword ptr [ebp+18h] |
| push ebx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18f6c | 0x78 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0xdd08 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4320 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x18a14 | 0x18c00 | False | 0.5078914141414141 | data | 6.317088322579259 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x1a000 | 0x90de8 | 0x13800 | False | 0.9289988982371795 | data | 7.819882002254561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xab000 | 0xdd08 | 0xde00 | False | 0.40874859234234234 | data | 4.401249226844183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_CURSOR | 0xb6f48 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
| RT_CURSOR | 0xb7090 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
| RT_CURSOR | 0xb71c0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | ||
| RT_CURSOR | 0xb72b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
| RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden |
| RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Finland |
| RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Norway |
| RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Sweden |
| RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Finland |
| RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Norway |
| RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Sweden |
| RT_ACCELERATOR | 0xb6ea8 | 0x90 | data | Sami Lappish | Finland |
| RT_ACCELERATOR | 0xb6ea8 | 0x90 | data | Sami Lappish | Norway |
| RT_ACCELERATOR | 0xb6ea8 | 0x90 | data | Sami Lappish | Sweden |
| RT_ACCELERATOR | 0xb6e00 | 0xa8 | data | Sami Lappish | Finland |
| RT_ACCELERATOR | 0xb6e00 | 0xa8 | data | Sami Lappish | Norway |
| RT_ACCELERATOR | 0xb6e00 | 0xa8 | data | Sami Lappish | Sweden |
| RT_GROUP_CURSOR | 0xb7078 | 0x14 | data | ||
| RT_GROUP_CURSOR | 0xb8358 | 0x30 | data | ||
| RT_GROUP_ICON | 0xb0e50 | 0x30 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xb0e50 | 0x30 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xb0e50 | 0x30 | data | Sami Lappish | Sweden |
| RT_GROUP_ICON | 0xacf30 | 0x22 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xacf30 | 0x22 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xacf30 | 0x22 | data | Sami Lappish | Sweden |
| RT_GROUP_ICON | 0xb6d98 | 0x68 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xb6d98 | 0x68 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xb6d98 | 0x68 | data | Sami Lappish | Sweden |
| RT_VERSION | 0xb8388 | 0x24c | data | ||
| None | 0xb6f38 | 0xa | data | Sami Lappish | Finland |
| None | 0xb6f38 | 0xa | data | Sami Lappish | Norway |
| None | 0xb6f38 | 0xa | data | Sami Lappish | Sweden |
| DLL | Import |
|---|---|
| KERNEL32.dll | PulseEvent, ReadConsoleInputW, GetFirmwareEnvironmentVariableW, GetCPInfoExW, CreateEventW, CopyFileExA, GetProcAddress, GlobalAlloc, SetDefaultCommConfigA, OpenWaitableTimerW, GetFileAttributesW, EnumResourceTypesW, WriteFileGather, GetModuleHandleW, InterlockedCompareExchange, UnhandledExceptionFilter, LocalFlags, GlobalLock, GetConsoleAliasW, WritePrivateProfileSectionA, FindFirstVolumeMountPointA, SetLastError, SleepEx, AddAtomA, lstrcmpA, SetCalendarInfoA, GetSystemWindowsDirectoryA, EnumTimeFormatsW, GetSystemDirectoryW, AddAtomW, GetExitCodeThread, _llseek, FindNextFileW, CopyFileA, GetShortPathNameW, EnumCalendarInfoA, EnumCalendarInfoExA, AddRefActCtx, SetStdHandle, WriteConsoleW, GetCurrentThreadId, LoadLibraryA, CloseHandle, SetFilePointer, ReadFile, FlushFileBuffers, InterlockedIncrement, InterlockedDecrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetLastError, HeapFree, RtlUnwind, RaiseException, HeapReAlloc, HeapAlloc, MoveFileA, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, HeapCreate, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, LoadLibraryW, GetConsoleCP, GetConsoleMode, CreateFileW |
| USER32.dll | LoadMenuW |
| ADVAPI32.dll | LookupAccountSidW |
| SHELL32.dll | FindExecutableA |
| ole32.dll | CoGetInstanceFromFile |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Sami Lappish | Finland |  |
| Sami Lappish | Norway |  |
| Sami Lappish | Sweden |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.562.173.142.5149699802033203 03/14/23-09:26:29.644541 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49699 | 80 | 192.168.2.5 | 62.173.142.51 |
| 192.168.2.562.173.142.5149699802033204 03/14/23-09:26:29.644541 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49699 | 80 | 192.168.2.5 | 62.173.142.51 |
| 192.168.2.594.103.183.15349700802033203 03/14/23-09:26:49.778257 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49700 | 80 | 192.168.2.5 | 94.103.183.153 |
| 192.168.2.594.103.183.15349700802033204 03/14/23-09:26:49.778257 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49700 | 80 | 192.168.2.5 | 94.103.183.153 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 14, 2023 09:26:29.584574938 CET | 49699 | 80 | 192.168.2.5 | 62.173.142.51 |
| Mar 14, 2023 09:26:29.643666029 CET | 80 | 49699 | 62.173.142.51 | 192.168.2.5 |
| Mar 14, 2023 09:26:29.644541025 CET | 49699 | 80 | 192.168.2.5 | 62.173.142.51 |
| Mar 14, 2023 09:26:29.644541025 CET | 49699 | 80 | 192.168.2.5 | 62.173.142.51 |
| Mar 14, 2023 09:26:29.703452110 CET | 80 | 49699 | 62.173.142.51 | 192.168.2.5 |
| Mar 14, 2023 09:26:29.704418898 CET | 80 | 49699 | 62.173.142.51 | 192.168.2.5 |
| Mar 14, 2023 09:26:29.707236052 CET | 49699 | 80 | 192.168.2.5 | 62.173.142.51 |
| Mar 14, 2023 09:26:29.709264994 CET | 49699 | 80 | 192.168.2.5 | 62.173.142.51 |
| Mar 14, 2023 09:26:29.767951965 CET | 80 | 49699 | 62.173.142.51 | 192.168.2.5 |
| Mar 14, 2023 09:26:49.717030048 CET | 49700 | 80 | 192.168.2.5 | 94.103.183.153 |
| Mar 14, 2023 09:26:49.774355888 CET | 80 | 49700 | 94.103.183.153 | 192.168.2.5 |
| Mar 14, 2023 09:26:49.774482965 CET | 49700 | 80 | 192.168.2.5 | 94.103.183.153 |
| Mar 14, 2023 09:26:49.778256893 CET | 49700 | 80 | 192.168.2.5 | 94.103.183.153 |
| Mar 14, 2023 09:26:49.835562944 CET | 80 | 49700 | 94.103.183.153 | 192.168.2.5 |
| Mar 14, 2023 09:26:49.835630894 CET | 80 | 49700 | 94.103.183.153 | 192.168.2.5 |
| Mar 14, 2023 09:26:49.835694075 CET | 49700 | 80 | 192.168.2.5 | 94.103.183.153 |
| Mar 14, 2023 09:26:49.835808992 CET | 49700 | 80 | 192.168.2.5 | 94.103.183.153 |
| Mar 14, 2023 09:26:49.893590927 CET | 80 | 49700 | 94.103.183.153 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 14, 2023 09:25:09.418817997 CET | 50295 | 53 | 192.168.2.5 | 8.8.8.8 |
| Mar 14, 2023 09:25:09.443105936 CET | 53 | 50295 | 8.8.8.8 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 14, 2023 09:25:09.418817997 CET | 192.168.2.5 | 8.8.8.8 | 0x8256 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 14, 2023 09:25:09.443105936 CET | 8.8.8.8 | 192.168.2.5 | 0x8256 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49699 | 62.173.142.51 | 80 | C:\Users\user\Desktop\server.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 14, 2023 09:26:29.644541025 CET | 105 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49700 | 94.103.183.153 | 80 | C:\Users\user\Desktop\server.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 14, 2023 09:26:49.778256893 CET | 106 | OUT |
| Target ID: | 0 |
| Start time: | 09:25:01 |
| Start date: | 14/03/2023 |
| Path: | C:\Users\user\Desktop\server.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 239104 bytes |
| MD5 hash: | 0A7EFDF643E54621FE9B9E5A29C06FAF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
Function 004019F1 Relevance: 27.2, APIs: 18, Instructions: 160threadsleepnativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0057421F Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 69% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00573BD3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040110B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70nativeCOMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401459 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00573CE0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 222memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00577FC5 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00577B83 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 126networkstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00576815 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 151timememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0057415A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 72filetimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00575E40 Relevance: 10.6, APIs: 7, Instructions: 75COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00575364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29sleepmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00572523 Relevance: 7.7, APIs: 5, Instructions: 161memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00577040 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401DE1 Relevance: 7.5, APIs: 5, Instructions: 19memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005751D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004014CF Relevance: 4.6, APIs: 3, Instructions: 68memoryCOMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005761DA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00574358 Relevance: 3.1, APIs: 2, Instructions: 104COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00576675 Relevance: 3.1, APIs: 2, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005733F1 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0057472F Relevance: 3.0, APIs: 2, Instructions: 40COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00575006 Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00574BE7 Relevance: 1.6, APIs: 1, Instructions: 75networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410A56 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00572839 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D3C Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012E6 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BA9 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012FB Relevance: 1.3, APIs: 1, Instructions: 70COMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00575063 Relevance: 1.3, APIs: 1, Instructions: 36stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00571508 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D68 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00571D8A Relevance: 4.8, APIs: 2, Strings: 1, Instructions: 258memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005716DF Relevance: 1.9, APIs: 1, Instructions: 611COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004139B6 Relevance: .4, Instructions: 355COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004135CE Relevance: .3, Instructions: 349COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004131FC Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00412E5E Relevance: .3, Instructions: 326COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0057832C Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00572B91 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 278memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005737DF Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 109librarymemoryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0057597D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00573FA5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0057607C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00571340 Relevance: 7.6, APIs: 5, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00574C94 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005735D2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005769E6 Relevance: 6.1, APIs: 4, Instructions: 87sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00573230 Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00575704 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00575157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50memorytimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00576392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00572058 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |