Edit tour
Windows
Analysis Report
server.exe
Overview
General Information
| Sample Name: | server.exe |
| Analysis ID: | 830504 |
| MD5: | 7e7372ed34c76cbeca4461bd6dbbfe62 |
| SHA1: | 5825f7a6272108b061a557171da9b8ef6b780028 |
| SHA256: | 0fa7c98d793b8c71d6ba29bde4fd449e497b246f92ab30403330fae3d8cb6ffd |
| Tags: | agenziaentrateexegoziisfbITAmefmiseursnif |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
server.exe (PID: 1668 cmdline: C:\Users\u ser\Deskto p\server.e xe MD5: 7E7372ED34C76CBECA4461BD6DBBFE62)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Gozi, Ursnif | 2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module. | No Attribution |
{"RSA Public Key": "ScCjtIu/chsReaToemavuPsGfYIczuvCBclhySG8/AhfUJMnvau4hmaBPIAXScUh9/secJMcCpqd5yeayd2fJdEc3ETZJfeY55SskXGIyxmn6sJL8WH2YF95GitV+tnd52epRBd8/snxdFtGg4Pgf9kxQsW/ySpD96hQxlGzGgDApS0E54E54SLEBTqihX3FWN2//mDaDIJuoFz7lt0whvCg/8gXPBf/s2nkXoRwyyqXguvwDcw9IZEu1NT1qqIwpXL9DGldaMvwfXTGOLIkQX35RsJJDpP1V5Mcgc+c1nBRPKqGQz+NUtKDBiyp0RXMK3jDdMGWvimLl80kvMkvSd8fQXtWRcZ7DCuQwrQxkXo=", "c2_domain": ["checklist.skype.com", "62.173.142.81", "193.233.175.113", "109.248.11.184", "212.109.218.26", "185.68.93.7"], "botnet": "7715", "server": "50", "serpent_key": "xeaLJj1BwSDpjIfH", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
| Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
| |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
| Click to see the 27 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.362.173.142.8149699802033204 03/20/23-12:55:03.486730 |
| SID: | 2033204 |
| Source Port: | 49699 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.362.173.142.8149699802033203 03/20/23-12:55:03.486730 |
| SID: | 2033203 |
| Source Port: | 49699 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 0_2_00791508 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00791508 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_007916DF | |
| Source: | Code function: | 0_2_0079832C | |
| Source: | Code function: | 0_2_00791D8A | |
| Source: | Code function: | 0_2_0040110B | |
| Source: | Code function: | 0_2_00401459 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_0079421F | |
| Source: | Code function: | 0_2_00798551 | |
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_007930D5 | |
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_00797F39 | |
| Source: | Code function: | 0_2_0079832B | |
| Source: | Code function: | 0_2_0082343F | |
| Source: | Code function: | 0_2_0081D998 | |
| Source: | Code function: | 0_2_008237C7 | |
| Source: | Code function: | 0_2_00822D65 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00401000 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Check user administrative privileges: | ||
| Source: | API call chain: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Debugger detection routine: | ||
| Source: | Code function: | 0_2_00401000 | |
| Source: | Code function: | 0_2_0081AE68 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_00793BD3 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_004015B0 | |
| Source: | Code function: | 0_2_00401D68 | |
| Source: | Code function: | 0_2_00793BD3 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Windows Management Instrumentation | Path Interception | Path Interception | 11 Virtualization/Sandbox Evasion | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
| Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Software Packing | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 124 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 33% | ReversingLabs | |||
| 46% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1245293 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen7 | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 3% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| checklist.skype.com | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| low | ||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 62.173.142.81 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 830504 |
| Start date and time: | 2023-03-20 12:52:20 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 5m 55s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 13 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | server.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@1/0@1/1 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 62.173.142.81 | Get hash | malicious | Ursnif | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| SPACENET-ASInternetServiceProviderRU | Get hash | malicious | Ursnif | Browse |
| |
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif, CryptOne | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.799237390766865 |
| TrID: |
|
| File name: | server.exe |
| File size: | 181248 |
| MD5: | 7e7372ed34c76cbeca4461bd6dbbfe62 |
| SHA1: | 5825f7a6272108b061a557171da9b8ef6b780028 |
| SHA256: | 0fa7c98d793b8c71d6ba29bde4fd449e497b246f92ab30403330fae3d8cb6ffd |
| SHA512: | 2548449b2e5e623600ab080a8213df3164bee0fa9e4690a31c8aac45f856fb7a786dbfc5150202757fe3512ad0d25afc8f635ba67ab08f778c51a9ebb461e284 |
| SSDEEP: | 3072:iN5tPqqyTcVsXaHJNM1NjtJMD1U85En8d/LZM:MlqJPaHihCm85En81Z |
| TLSH: | 2C049EC3A3907865F0158A368E2EC1F4670DF9D2CE59AB66E3186F2F48BC1A2D563711 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.Q.f.Q.f.Q...Q.f.Q..4Q.f.Q...Q.f.Q..9Q.f.Q.f.Q.f.Q...Q.f.Q..0Q.f.Q..7Q.f.QRich.f.Q........PE..L....b.b................... |
 | |
| Icon Hash: | 9a821a4a8592a282 |
| Entrypoint: | 0x402f31 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x62DB62AE [Sat Jul 23 02:53:34 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 2bf4bd16bd9a3948cc472dde1e8c8ccd |
| Instruction |
|---|
| call 00007FF65CB75C00h |
| jmp 00007FF65CB7322Eh |
| mov eax, 0040D008h |
| ret |
| mov eax, dword ptr [0049D540h] |
| push esi |
| push 00000014h |
| pop esi |
| test eax, eax |
| jne 00007FF65CB733A9h |
| mov eax, 00000200h |
| jmp 00007FF65CB733A8h |
| cmp eax, esi |
| jnl 00007FF65CB733A9h |
| mov eax, esi |
| mov dword ptr [0049D540h], eax |
| push 00000004h |
| push eax |
| call 00007FF65CB75CAEh |
| pop ecx |
| pop ecx |
| mov dword ptr [0049C520h], eax |
| test eax, eax |
| jne 00007FF65CB733C0h |
| push 00000004h |
| push esi |
| mov dword ptr [0049D540h], esi |
| call 00007FF65CB75C95h |
| pop ecx |
| pop ecx |
| mov dword ptr [0049C520h], eax |
| test eax, eax |
| jne 00007FF65CB733A7h |
| push 0000001Ah |
| pop eax |
| pop esi |
| ret |
| xor edx, edx |
| mov ecx, 0040D008h |
| jmp 00007FF65CB733A7h |
| mov eax, dword ptr [0049C520h] |
| mov dword ptr [edx+eax], ecx |
| add ecx, 20h |
| add edx, 04h |
| cmp ecx, 0040D288h |
| jl 00007FF65CB7338Ch |
| push FFFFFFFEh |
| pop esi |
| xor edx, edx |
| mov ecx, 0040D018h |
| push edi |
| mov eax, edx |
| sar eax, 05h |
| mov eax, dword ptr [0049C420h+eax*4] |
| mov edi, edx |
| and edi, 1Fh |
| shl edi, 06h |
| mov eax, dword ptr [edi+eax] |
| cmp eax, FFFFFFFFh |
| je 00007FF65CB733AAh |
| cmp eax, esi |
| je 00007FF65CB733A6h |
| test eax, eax |
| jne 00007FF65CB733A4h |
| mov dword ptr [ecx], esi |
| add ecx, 20h |
| inc edx |
| cmp ecx, 0040D078h |
| jl 00007FF65CB73370h |
| pop edi |
| xor eax, eax |
| pop esi |
| ret |
| call 00007FF65CB739B6h |
| cmp byte ptr [00000000h], 00000000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb84c | 0x3c | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9f000 | 0xdaf0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b08 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb1ae | 0xb200 | False | 0.5147033005617978 | data | 6.020837660539205 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xd000 | 0x9054c | 0x13000 | False | 0.9465589021381579 | data | 7.853280851360385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .xesof | 0x9e000 | 0x96 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x9f000 | 0xdaf0 | 0xdc00 | False | 0.41329900568181815 | data | 4.474423213582852 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0xab598 | 0x2 | data | ||
| TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Finland |
| TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Norway |
| TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Sweden |
| RT_CURSOR | 0xab5a0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
| RT_CURSOR | 0xab6d0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | ||
| RT_CURSOR | 0xab7c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
| RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland |
| RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway |
| RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden |
| RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Finland |
| RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Norway |
| RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Sweden |
| RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Finland |
| RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Norway |
| RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Sweden |
| RT_GROUP_CURSOR | 0xac868 | 0x30 | data | ||
| RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Sweden |
| RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Sweden |
| RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Finland |
| RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Norway |
| RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Sweden |
| RT_VERSION | 0xac898 | 0x258 | data | ||
| None | 0xab558 | 0xa | data | Sami Lappish | Finland |
| None | 0xab558 | 0xa | data | Sami Lappish | Norway |
| None | 0xab558 | 0xa | data | Sami Lappish | Sweden |
| None | 0xab568 | 0xa | data | Sami Lappish | Finland |
| None | 0xab568 | 0xa | data | Sami Lappish | Norway |
| None | 0xab568 | 0xa | data | Sami Lappish | Sweden |
| None | 0xab578 | 0xa | data | Sami Lappish | Finland |
| None | 0xab578 | 0xa | data | Sami Lappish | Norway |
| None | 0xab578 | 0xa | data | Sami Lappish | Sweden |
| None | 0xab588 | 0xa | data | Sami Lappish | Finland |
| None | 0xab588 | 0xa | data | Sami Lappish | Norway |
| None | 0xab588 | 0xa | data | Sami Lappish | Sweden |
| DLL | Import |
|---|---|
| KERNEL32.dll | PulseEvent, SetDefaultCommConfigA, FindFirstFileW, EnumCalendarInfoA, CopyFileExW, GetConsoleAliasExesA, _llseek, BuildCommDCBAndTimeoutsA, GetConsoleAliasA, GetCurrentProcess, InterlockedCompareExchange, GetWindowsDirectoryA, EnumTimeFormatsA, WriteFileGather, EnumResourceTypesA, ActivateActCtx, GetFirmwareEnvironmentVariableA, LoadLibraryW, Sleep, ReadConsoleInputA, LeaveCriticalSection, GetFileAttributesW, WritePrivateProfileSectionW, TerminateProcess, IsDBCSLeadByte, lstrcmpW, GlobalUnlock, RaiseException, SetCurrentDirectoryA, SetLastError, GetProcAddress, GlobalGetAtomNameA, OpenWaitableTimerA, LocalAlloc, FindFirstVolumeMountPointW, AddAtomA, FindNextFileA, GetModuleHandleA, GetCPInfoExA, SetCalendarInfoA, DeleteFileW, EnumCalendarInfoExA, LocalFree, GetLastError, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, EnterCriticalSection, SetFilePointer, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, GetModuleHandleW, ExitProcess, WriteFile, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapFree, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, WriteConsoleW, MultiByteToWideChar, IsProcessorFeaturePresent, LCMapStringW, GetStringTypeW, HeapSize, CloseHandle, CreateFileW |
| USER32.dll | LoadMenuA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Sami Lappish | Finland |  |
| Sami Lappish | Norway |  |
| Sami Lappish | Sweden |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.362.173.142.8149699802033204 03/20/23-12:55:03.486730 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49699 | 80 | 192.168.2.3 | 62.173.142.81 |
| 192.168.2.362.173.142.8149699802033203 03/20/23-12:55:03.486730 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49699 | 80 | 192.168.2.3 | 62.173.142.81 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 20, 2023 12:55:03.422652960 CET | 49699 | 80 | 192.168.2.3 | 62.173.142.81 |
| Mar 20, 2023 12:55:03.486253023 CET | 80 | 49699 | 62.173.142.81 | 192.168.2.3 |
| Mar 20, 2023 12:55:03.486366034 CET | 49699 | 80 | 192.168.2.3 | 62.173.142.81 |
| Mar 20, 2023 12:55:03.486730099 CET | 49699 | 80 | 192.168.2.3 | 62.173.142.81 |
| Mar 20, 2023 12:55:03.549804926 CET | 80 | 49699 | 62.173.142.81 | 192.168.2.3 |
| Mar 20, 2023 12:55:03.550898075 CET | 80 | 49699 | 62.173.142.81 | 192.168.2.3 |
| Mar 20, 2023 12:55:03.551032066 CET | 49699 | 80 | 192.168.2.3 | 62.173.142.81 |
| Mar 20, 2023 12:55:03.553265095 CET | 49699 | 80 | 192.168.2.3 | 62.173.142.81 |
| Mar 20, 2023 12:55:03.616254091 CET | 80 | 49699 | 62.173.142.81 | 192.168.2.3 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 20, 2023 12:53:43.233784914 CET | 62704 | 53 | 192.168.2.3 | 8.8.8.8 |
| Mar 20, 2023 12:53:43.259754896 CET | 53 | 62704 | 8.8.8.8 | 192.168.2.3 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 20, 2023 12:53:43.233784914 CET | 192.168.2.3 | 8.8.8.8 | 0xcfa8 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 20, 2023 12:53:43.259754896 CET | 8.8.8.8 | 192.168.2.3 | 0xcfa8 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49699 | 62.173.142.81 | 80 | C:\Users\user\Desktop\server.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 20, 2023 12:55:03.486730099 CET | 336 | OUT |
| Target ID: | 0 |
| Start time: | 12:53:17 |
| Start date: | 20/03/2023 |
| Path: | C:\Users\user\Desktop\server.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 181248 bytes |
| MD5 hash: | 7E7372ED34C76CBECA4461BD6DBBFE62 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
Function 004019F1 Relevance: 27.2, APIs: 18, Instructions: 160threadsleepnativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 50% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 96% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0079421F Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 38% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 69% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040110B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70nativeCOMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401459 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 69% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 92% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00797FC5 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209libraryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 51% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 83% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 74% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00795E40 Relevance: 10.6, APIs: 7, Instructions: 75COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00796675 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007951D8 Relevance: 9.0, APIs: 6, Instructions: 45networkCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00792523 Relevance: 7.7, APIs: 5, Instructions: 161memoryCOMMON
Download Yara Rule
| C-Code - Quality: 59% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00797040 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145stringCOMMON
Download Yara Rule
| C-Code - Quality: 22% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401DE1 Relevance: 7.5, APIs: 5, Instructions: 19memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00794358 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 50% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00795251 Relevance: 4.6, APIs: 3, Instructions: 94memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004014CF Relevance: 4.6, APIs: 3, Instructions: 68memoryCOMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007912C6 Relevance: 4.6, APIs: 3, Instructions: 58COMMON
Download Yara Rule
| C-Code - Quality: 47% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0079790B Relevance: 3.1, APIs: 2, Instructions: 112COMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0081B58B Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0079472F Relevance: 3.0, APIs: 2, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00795006 Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00792839 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| C-Code - Quality: 34% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D3C Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007961DA Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012E6 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BA9 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012FB Relevance: 1.3, APIs: 1, Instructions: 70COMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0081B24A Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007933F1 Relevance: 1.3, APIs: 1, Instructions: 43memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00795063 Relevance: 1.3, APIs: 1, Instructions: 36stringCOMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007930D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41processCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D68 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007916DF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 611COMMONCrypto
Download Yara Rule
| C-Code - Quality: 49% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00798551 Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0079832C Relevance: .1, Instructions: 77COMMONCrypto
Download Yara Rule
| C-Code - Quality: 71% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0081AE68 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 76% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 43% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007937DF Relevance: 10.6, APIs: 7, Instructions: 109librarymemoryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 73% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00793FA5 Relevance: 10.6, APIs: 7, Instructions: 92networksynchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00793A63 Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00791340 Relevance: 7.6, APIs: 5, Instructions: 83COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007954D8 Relevance: 7.5, APIs: 5, Instructions: 37COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00794C94 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167stringCOMMON
Download Yara Rule
| C-Code - Quality: 88% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00795704 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98synchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 46% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0079597D Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00794781 Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0079454F Relevance: 6.1, APIs: 4, Instructions: 112COMMON
Download Yara Rule
| C-Code - Quality: 39% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007969E6 Relevance: 6.1, APIs: 4, Instructions: 87sleepCOMMON
Download Yara Rule
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00797843 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00793230 Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 37% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00792058 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00795DE4 Relevance: 5.0, APIs: 4, Instructions: 39stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00797563 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |