Edit tour
Windows
Analysis Report
server.exe
Overview
General Information
| Sample Name: | server.exe |
| Analysis ID: | 826072 |
| MD5: | 7936264575923f443302a9bb14688ab7 |
| SHA1: | ea7a8b4d250529b84bfdfb80785603cee4d07bf9 |
| SHA256: | 7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd |
| Tags: | agenziaentrateexegoziisfbITAmefmiseursnif |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Classification
- System is w10x64
server.exe (PID: 5184 cmdline: C:\Users\u ser\Deskto p\server.e xe MD5: 7936264575923F443302A9BB14688AB7)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Gozi, Ursnif | 2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module. | No Attribution |
{"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
| Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
| |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Click to see the 27 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.362.173.142.5149702802033203 03/14/23-10:06:33.670823 |
| SID: | 2033203 |
| Source Port: | 49702 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.394.103.183.15349703802033204 03/14/23-10:06:53.891804 |
| SID: | 2033204 |
| Source Port: | 49703 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.394.103.183.15349703802033203 03/14/23-10:06:53.891804 |
| SID: | 2033203 |
| Source Port: | 49703 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00412E5E | |
| Source: | Code function: | 0_2_004129C9 | |
| Source: | Code function: | 0_2_004135CE | |
| Source: | Code function: | 0_2_004131FC | |
| Source: | Code function: | 0_2_004139B6 | |
| Source: | Code function: | 0_2_0040110B | |
| Source: | Code function: | 0_2_00401459 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_004D1C58 | |
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_00401000 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-5374 | ||
| Source: | API call chain: | graph_0-5214 | ||
| Source: | API call chain: | graph_0-5366 | ||
Anti Debugging | |
|---|
| Source: | Debugger detection routine: | graph_0-5374 | ||
| Source: | Code function: | 0_2_004D092B | |
| Source: | Code function: | 0_2_004D0D90 | |
| Source: | Code function: | 0_2_00401000 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_00410C7F | |
| Source: | Code function: | 0_2_004118DB | |
| Source: | Code function: | 0_2_004154FA | |
| Source: | Code function: | 0_2_0041089B | |
| Source: | Code function: | 0_2_004D1C58 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00401D68 | |
| Source: | Code function: | 0_2_004015B0 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Windows Management Instrumentation | Path Interception | Path Interception | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 21 Software Packing | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 114 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 36% | ReversingLabs | Win32.Trojan.Generic | ||
| 51% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen7 | Download File | ||
| 100% | Avira | HEUR/AGEN.1245293 | Download File |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| windowsupdatebg.s.llnwi.net | 178.79.225.128 | true | false |
| unknown |
| checklist.skype.com | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 62.173.142.51 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true | |
| 94.103.183.153 | unknown | Russian Federation | 197390 | RATELE-ASRU | true |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 826072 |
| Start date and time: | 2023-03-14 10:04:09 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 6s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 15 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | server.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@1/0@1/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 209.197.3.8
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 62.173.142.51 | Get hash | malicious | Ursnif | Browse | ||
| Get hash | malicious | Ursnif | Browse | |||
| 94.103.183.153 | Get hash | malicious | Ursnif | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| windowsupdatebg.s.llnwi.net | Get hash | malicious | Ursnif | Browse |
| |
| Get hash | malicious | RHADAMANTHYS, lgoogLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla, zgRAT | Browse |
| ||
| Get hash | malicious | AgentTesla, zgRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| RATELE-ASRU | Get hash | malicious | Ursnif | Browse |
| |
| Get hash | malicious | Phisher | Browse |
| ||
| Get hash | malicious | Amadey, Raccoon Stealer v2, RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| SPACENET-ASInternetServiceProviderRU | Get hash | malicious | Ursnif | Browse |
| |
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.817599145811235 |
| TrID: |
|
| File name: | server.exe |
| File size: | 238592 |
| MD5: | 7936264575923f443302a9bb14688ab7 |
| SHA1: | ea7a8b4d250529b84bfdfb80785603cee4d07bf9 |
| SHA256: | 7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd |
| SHA512: | e23ea93f1afe1b99c1a8658d56892e53f2212529982764374b8b28d4da75abc93fe954b45bf4d2ae242817bab8d99b3bd67873b3d3433a8118a5fef7b2a572b6 |
| SSDEEP: | 3072:WArj/ix4q2x9pUPG2oOWk4hlwu3DfwT9tYNXhrDPU+ZhGc0Jgamu9A:7iWqspsG5Vplwu3D4T9tChrnEtFmu9 |
| TLSH: | 4A348E1273D06871E6324A35BF1BC6B8661EFCA58F5C6BEB23445A2F49711E2CE71341 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........aBL...L...L...#...\...#.../...E...G...L...:...#...a...#...M...#...M...RichL...........PE..L......b........................... |
 | |
| Icon Hash: | 9aa25a1085929292 |
| Entrypoint: | 0x409761 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x620D94EE [Thu Feb 17 00:21:02 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | ae274c29ca15928cb1e23f2e712ba155 |
| Instruction |
|---|
| call 00007FA230CC3BBEh |
| jmp 00007FA230CBD5DEh |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| test eax, eax |
| je 00007FA230CBD764h |
| sub eax, 08h |
| cmp dword ptr [eax], 0000DDDDh |
| jne 00007FA230CBD759h |
| push eax |
| call 00007FA230CBCD77h |
| pop ecx |
| pop ebp |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov esi, ecx |
| mov byte ptr [esi+0Ch], 00000000h |
| test eax, eax |
| jne 00007FA230CBD7B5h |
| call 00007FA230CC072Dh |
| mov dword ptr [esi+08h], eax |
| mov ecx, dword ptr [eax+6Ch] |
| mov dword ptr [esi], ecx |
| mov ecx, dword ptr [eax+68h] |
| mov dword ptr [esi+04h], ecx |
| mov ecx, dword ptr [esi] |
| cmp ecx, dword ptr [0042D170h] |
| je 00007FA230CBD764h |
| mov ecx, dword ptr [0042CF28h] |
| test dword ptr [eax+70h], ecx |
| jne 00007FA230CBD759h |
| call 00007FA230CC4598h |
| mov dword ptr [esi], eax |
| mov eax, dword ptr [esi+04h] |
| cmp eax, dword ptr [0042CE30h] |
| je 00007FA230CBD768h |
| mov eax, dword ptr [esi+08h] |
| mov ecx, dword ptr [0042CF28h] |
| test dword ptr [eax+70h], ecx |
| jne 00007FA230CBD75Ah |
| call 00007FA230CC3DF7h |
| mov dword ptr [esi+04h], eax |
| mov eax, dword ptr [esi+08h] |
| test byte ptr [eax+70h], 00000002h |
| jne 00007FA230CBD766h |
| or dword ptr [eax+70h], 02h |
| mov byte ptr [esi+0Ch], 00000001h |
| jmp 00007FA230CBD75Ch |
| mov ecx, dword ptr [eax] |
| mov dword ptr [esi], ecx |
| mov eax, dword ptr [eax+04h] |
| mov dword ptr [esi+04h], eax |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 10h |
| mov eax, dword ptr [0042C738h] |
| xor eax, ebp |
| mov dword ptr [ebp-04h], eax |
| mov edx, dword ptr [ebp+18h] |
| push ebx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18f6c | 0x78 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0xdd08 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4320 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x18a14 | 0x18c00 | False | 0.5079210069444444 | data | 6.317732478321936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x1a000 | 0x90ca8 | 0x13600 | False | 0.9317036290322581 | data | 7.8277138443363325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xab000 | 0xdd08 | 0xde00 | False | 0.4094172297297297 | data | 4.405514301187481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_CURSOR | 0xb6f48 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
| RT_CURSOR | 0xb7090 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
| RT_CURSOR | 0xb71c0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | ||
| RT_CURSOR | 0xb72b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
| RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden |
| RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Finland |
| RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Norway |
| RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Sweden |
| RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Finland |
| RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Norway |
| RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Sweden |
| RT_ACCELERATOR | 0xb6ea8 | 0x90 | data | Sami Lappish | Finland |
| RT_ACCELERATOR | 0xb6ea8 | 0x90 | data | Sami Lappish | Norway |
| RT_ACCELERATOR | 0xb6ea8 | 0x90 | data | Sami Lappish | Sweden |
| RT_ACCELERATOR | 0xb6e00 | 0xa8 | data | Sami Lappish | Finland |
| RT_ACCELERATOR | 0xb6e00 | 0xa8 | data | Sami Lappish | Norway |
| RT_ACCELERATOR | 0xb6e00 | 0xa8 | data | Sami Lappish | Sweden |
| RT_GROUP_CURSOR | 0xb7078 | 0x14 | data | ||
| RT_GROUP_CURSOR | 0xb8358 | 0x30 | data | ||
| RT_GROUP_ICON | 0xb0e50 | 0x30 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xb0e50 | 0x30 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xb0e50 | 0x30 | data | Sami Lappish | Sweden |
| RT_GROUP_ICON | 0xacf30 | 0x22 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xacf30 | 0x22 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xacf30 | 0x22 | data | Sami Lappish | Sweden |
| RT_GROUP_ICON | 0xb6d98 | 0x68 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xb6d98 | 0x68 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xb6d98 | 0x68 | data | Sami Lappish | Sweden |
| RT_VERSION | 0xb8388 | 0x24c | data | ||
| None | 0xb6f38 | 0xa | data | Sami Lappish | Finland |
| None | 0xb6f38 | 0xa | data | Sami Lappish | Norway |
| None | 0xb6f38 | 0xa | data | Sami Lappish | Sweden |
| DLL | Import |
|---|---|
| KERNEL32.dll | PulseEvent, ReadConsoleInputW, GetFirmwareEnvironmentVariableW, GetCPInfoExW, CreateEventW, CopyFileExA, GetProcAddress, GlobalAlloc, SetDefaultCommConfigA, OpenWaitableTimerW, GetFileAttributesW, EnumResourceTypesW, WriteFileGather, GetModuleHandleW, InterlockedCompareExchange, UnhandledExceptionFilter, LocalFlags, GlobalLock, GetConsoleAliasW, WritePrivateProfileSectionA, FindFirstVolumeMountPointA, SetLastError, SleepEx, AddAtomA, lstrcmpA, SetCalendarInfoA, GetSystemWindowsDirectoryA, EnumTimeFormatsW, GetSystemDirectoryW, AddAtomW, GetExitCodeThread, _llseek, FindNextFileW, CopyFileA, GetShortPathNameW, EnumCalendarInfoA, EnumCalendarInfoExA, AddRefActCtx, SetStdHandle, WriteConsoleW, GetCurrentThreadId, LoadLibraryA, CloseHandle, SetFilePointer, ReadFile, FlushFileBuffers, InterlockedIncrement, InterlockedDecrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetLastError, HeapFree, RtlUnwind, RaiseException, HeapReAlloc, HeapAlloc, MoveFileA, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, HeapCreate, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, LoadLibraryW, GetConsoleCP, GetConsoleMode, CreateFileW |
| USER32.dll | LoadMenuW |
| ADVAPI32.dll | LookupAccountSidW |
| SHELL32.dll | FindExecutableA |
| ole32.dll | CoGetInstanceFromFile |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Sami Lappish | Finland |  |
| Sami Lappish | Norway |  |
| Sami Lappish | Sweden |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.362.173.142.5149702802033203 03/14/23-10:06:33.670823 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49702 | 80 | 192.168.2.3 | 62.173.142.51 |
| 192.168.2.394.103.183.15349703802033204 03/14/23-10:06:53.891804 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49703 | 80 | 192.168.2.3 | 94.103.183.153 |
| 192.168.2.394.103.183.15349703802033203 03/14/23-10:06:53.891804 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49703 | 80 | 192.168.2.3 | 94.103.183.153 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 14, 2023 10:06:33.606960058 CET | 49702 | 80 | 192.168.2.3 | 62.173.142.51 |
| Mar 14, 2023 10:06:33.666228056 CET | 80 | 49702 | 62.173.142.51 | 192.168.2.3 |
| Mar 14, 2023 10:06:33.670461893 CET | 49702 | 80 | 192.168.2.3 | 62.173.142.51 |
| Mar 14, 2023 10:06:33.670823097 CET | 49702 | 80 | 192.168.2.3 | 62.173.142.51 |
| Mar 14, 2023 10:06:33.729321957 CET | 80 | 49702 | 62.173.142.51 | 192.168.2.3 |
| Mar 14, 2023 10:06:33.729696035 CET | 80 | 49702 | 62.173.142.51 | 192.168.2.3 |
| Mar 14, 2023 10:06:33.729852915 CET | 49702 | 80 | 192.168.2.3 | 62.173.142.51 |
| Mar 14, 2023 10:06:33.734627962 CET | 49702 | 80 | 192.168.2.3 | 62.173.142.51 |
| Mar 14, 2023 10:06:33.793221951 CET | 80 | 49702 | 62.173.142.51 | 192.168.2.3 |
| Mar 14, 2023 10:06:53.833755970 CET | 49703 | 80 | 192.168.2.3 | 94.103.183.153 |
| Mar 14, 2023 10:06:53.891120911 CET | 80 | 49703 | 94.103.183.153 | 192.168.2.3 |
| Mar 14, 2023 10:06:53.891333103 CET | 49703 | 80 | 192.168.2.3 | 94.103.183.153 |
| Mar 14, 2023 10:06:53.891803980 CET | 49703 | 80 | 192.168.2.3 | 94.103.183.153 |
| Mar 14, 2023 10:06:53.949707985 CET | 80 | 49703 | 94.103.183.153 | 192.168.2.3 |
| Mar 14, 2023 10:06:53.949903965 CET | 80 | 49703 | 94.103.183.153 | 192.168.2.3 |
| Mar 14, 2023 10:06:53.950078011 CET | 49703 | 80 | 192.168.2.3 | 94.103.183.153 |
| Mar 14, 2023 10:06:53.950314999 CET | 49703 | 80 | 192.168.2.3 | 94.103.183.153 |
| Mar 14, 2023 10:06:54.007416964 CET | 80 | 49703 | 94.103.183.153 | 192.168.2.3 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 14, 2023 10:05:13.437261105 CET | 49977 | 53 | 192.168.2.3 | 8.8.8.8 |
| Mar 14, 2023 10:05:13.466011047 CET | 53 | 49977 | 8.8.8.8 | 192.168.2.3 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 14, 2023 10:05:13.437261105 CET | 192.168.2.3 | 8.8.8.8 | 0x2188 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 14, 2023 10:04:54.697774887 CET | 8.8.8.8 | 192.168.2.3 | 0x96e7 | No error (0) | 178.79.225.128 | A (IP address) | IN (0x0001) | false | ||
| Mar 14, 2023 10:04:54.792893887 CET | 8.8.8.8 | 192.168.2.3 | 0xdf37 | No error (0) | 95.140.230.128 | A (IP address) | IN (0x0001) | false | ||
| Mar 14, 2023 10:04:54.792893887 CET | 8.8.8.8 | 192.168.2.3 | 0xdf37 | No error (0) | 178.79.225.0 | A (IP address) | IN (0x0001) | false | ||
| Mar 14, 2023 10:04:54.953008890 CET | 8.8.8.8 | 192.168.2.3 | 0x8e9e | No error (0) | 95.140.230.128 | A (IP address) | IN (0x0001) | false | ||
| Mar 14, 2023 10:04:54.953008890 CET | 8.8.8.8 | 192.168.2.3 | 0x8e9e | No error (0) | 178.79.225.128 | A (IP address) | IN (0x0001) | false | ||
| Mar 14, 2023 10:05:13.466011047 CET | 8.8.8.8 | 192.168.2.3 | 0x2188 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49702 | 62.173.142.51 | 80 | C:\Users\user\Desktop\server.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 14, 2023 10:06:33.670823097 CET | 146 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49703 | 94.103.183.153 | 80 | C:\Users\user\Desktop\server.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 14, 2023 10:06:53.891803980 CET | 148 | OUT |
| Target ID: | 0 |
| Start time: | 10:05:01 |
| Start date: | 14/03/2023 |
| Path: | C:\Users\user\Desktop\server.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 238592 bytes |
| MD5 hash: | 7936264575923F443302A9BB14688AB7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
Execution Graph
| Execution Coverage: | 7.1% |
| Dynamic/Decrypted Code Coverage: | 98.4% |
| Signature Coverage: | 31.6% |
| Total number of Nodes: | 253 |
| Total number of Limit Nodes: | 16 |
Graph
Function 004019F1 Relevance: 27.2, APIs: 18, Instructions: 160threadsleepnativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 69% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040110B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70nativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 72% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401459 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401DE1 Relevance: 7.5, APIs: 5, Instructions: 19memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D0005 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004014CF Relevance: 4.6, APIs: 3, Instructions: 68memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 87% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410A56 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D3C Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012E6 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BA9 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012FB Relevance: 1.3, APIs: 1, Instructions: 70COMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D1C58 Relevance: 21.2, APIs: 14, Instructions: 160threadsleepnativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D68 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004139B6 Relevance: .4, Instructions: 355COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004135CE Relevance: .3, Instructions: 349COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004131FC Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00412E5E Relevance: .3, Instructions: 326COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D0D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D2048 Relevance: 7.5, APIs: 5, Instructions: 19memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004D1FCF Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |