Edit tour

Windows Analysis Report
UtfPLaHG.exe

Overview

General Information

Sample name:	UtfPLaHG.exe
Analysis ID:	1432606
MD5:	6a44a61f22c1f94581fe84ce077c8bc3
SHA1:	0af9823081a8ac7dab63fdbc1c4360508f5ed074
SHA256:	5ef1ff8185f56af614f482d00c32b2112483b0e7900b282fb28200dbe8b0cb87
Tags:	exenjRat
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Machine Learning detection for sample

Modifies the windows firewall

Sigma detected: Potentially Suspicious Malware Callback Communication

Uses dynamic DNS services

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

UtfPLaHG.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\UtfPLaHG.exe" MD5: 6A44A61F22C1F94581FE84CE077C8BC3)

netsh.exe (PID: 7156 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\UtfPLaHG.exe" "UtfPLaHG.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "asero23.ddns.net", "Port": "5552", "Version": "0.7d", "Campaign ID": "MyBot", "Install Name": "WindowsServices.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
UtfPLaHG.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
UtfPLaHG.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d74:$a2: SEE_MASK_NOZONECHECKS 0x4e70:$a3: Download ERROR 0x4d36:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cc8:$a5: netsh firewall delete allowedprogram "
UtfPLaHG.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d36:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e8e:$s3: Executed As 0x4e70:$s6: Download ERROR
UtfPLaHG.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da4:$a1: netsh firewall add allowedprogram 0x4d74:$a2: SEE_MASK_NOZONECHECKS 0x501e:$b1: [TAP] 0x4d36:$c3: cmd.exe /c ping
UtfPLaHG.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d74:$reg: SEE_MASK_NOZONECHECKS 0x4e4c:$msg: Execute ERROR 0x4ea8:$msg: Execute ERROR 0x4d36:$ping: cmd.exe /c ping 0 -n 2 & del
UtfPLaHG.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cc8:$s1: netsh firewall delete allowedprogram 0x4da4:$s2: netsh firewall add allowedprogram 0x4d36:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4c:$s4: Execute ERROR 0x4ea8:$s4: Execute ERROR 0x4e70:$s5: Download ERROR 0x4fd4:$s6: [kl]
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3a9a:$a1: get_Registry 0x4b74:$a2: SEE_MASK_NOZONECHECKS 0x4c70:$a3: Download ERROR 0x4b36:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4ac8:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4ba4:$a1: netsh firewall add allowedprogram 0x4b74:$a2: SEE_MASK_NOZONECHECKS 0x4e1e:$b1: [TAP] 0x4b36:$c3: cmd.exe /c ping
00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b74:$reg: SEE_MASK_NOZONECHECKS 0x4c4c:$msg: Execute ERROR 0x4ca8:$msg: Execute ERROR 0x4b36:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.4081592327.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: UtfPLaHG.exe PID: 7032	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.UtfPLaHG.exe.c90000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.UtfPLaHG.exe.c90000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d74:$a2: SEE_MASK_NOZONECHECKS 0x4e70:$a3: Download ERROR 0x4d36:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cc8:$a5: netsh firewall delete allowedprogram "
0.0.UtfPLaHG.exe.c90000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d36:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e8e:$s3: Executed As 0x4e70:$s6: Download ERROR
0.0.UtfPLaHG.exe.c90000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da4:$a1: netsh firewall add allowedprogram 0x4d74:$a2: SEE_MASK_NOZONECHECKS 0x501e:$b1: [TAP] 0x4d36:$c3: cmd.exe /c ping
0.0.UtfPLaHG.exe.c90000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d74:$reg: SEE_MASK_NOZONECHECKS 0x4e4c:$msg: Execute ERROR 0x4ea8:$msg: Execute ERROR 0x4d36:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.UtfPLaHG.exe.c90000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cc8:$s1: netsh firewall delete allowedprogram 0x4da4:$s2: netsh firewall add allowedprogram 0x4d36:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4c:$s4: Execute ERROR 0x4ea8:$s4: Execute ERROR 0x4e70:$s5: Download ERROR 0x4fd4:$s6: [kl]
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 178.128.228.252, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\UtfPLaHG.exe, Initiated: true, ProcessId: 7032, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UtfPLaHG.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "asero23.ddns.net", "Port": "5552", "Version": "0.7d", "Campaign ID": "MyBot", "Install Name": "WindowsServices.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for submitted file

Source: UtfPLaHG.exe	ReversingLabs: Detection: 92%
Source: UtfPLaHG.exe	Virustotal: Detection: 81%			Perma Link

Yara detected Njrat

Source: Yara match	File source: UtfPLaHG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4081592327.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UtfPLaHG.exe PID: 7032, type: MEMORYSTR

Machine Learning detection for sample

Source: UtfPLaHG.exe

Joe Sandbox ML: detected

Source: UtfPLaHG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\UtfPLaHG.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: UtfPLaHG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: asero23.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: asero23.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 178.128.228.252:5552

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: asero23.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: UtfPLaHG.exe, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: UtfPLaHG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4081592327.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UtfPLaHG.exe PID: 7032, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Process Stats: CPU usage > 49%

Source: UtfPLaHG.exe, 00000000.00000002.4081103091.000000000140E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs UtfPLaHG.exe

Source: UtfPLaHG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: UtfPLaHG.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@4/1@4/1

Source: C:\Users\user\Desktop\UtfPLaHG.exe	Code function: 0_2_05561406 AdjustTokenPrivileges,		0_2_05561406
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Code function: 0_2_055613CF AdjustTokenPrivileges,		0_2_055613CF

Source: C:\Users\user\Desktop\UtfPLaHG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Mutant created: \Sessions\1\BaseNamedObjects\9128200b315d4a4c00056ef78bb90712

Source: UtfPLaHG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UtfPLaHG.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UtfPLaHG.exe	ReversingLabs: Detection: 92%
Source: UtfPLaHG.exe	Virustotal: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\UtfPLaHG.exe "C:\Users\user\Desktop\UtfPLaHG.exe"
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\UtfPLaHG.exe" "UtfPLaHG.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\UtfPLaHG.exe" "UtfPLaHG.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\UtfPLaHG.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: UtfPLaHG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\UtfPLaHG.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: UtfPLaHG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: UtfPLaHG.exe, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\UtfPLaHG.exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Memory allocated: 1630000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UtfPLaHG.exe	Window / User API: threadDelayed 409	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Window / User API: threadDelayed 3499	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Window / User API: threadDelayed 5557	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe	Window / User API: foregroundWindowGot 1770	Jump to behavior

Source: C:\Users\user\Desktop\UtfPLaHG.exe TID: 7012	Thread sleep count: 409 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe TID: 7012	Thread sleep time: -409000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe TID: 6044	Thread sleep count: 3499 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe TID: 7012	Thread sleep count: 5557 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UtfPLaHG.exe TID: 7012	Thread sleep time: -5557000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: UtfPLaHG.exe, 00000000.00000002.4081103091.0000000001488000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: UtfPLaHG.exe, 00000000.00000002.4081103091.0000000001488000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000001.00000003.1705466615.00000000011F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: UtfPLaHG.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: UtfPLaHG.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: UtfPLaHG.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: UtfPLaHG.exe, 00000000.00000002.4081592327.000000000349D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: UtfPLaHG.exe, 00000000.00000002.4081592327.000000000349D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\UtfPLaHG.exe" "UtfPLaHG.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\UtfPLaHG.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\UtfPLaHG.exe" "UtfPLaHG.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: UtfPLaHG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4081592327.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UtfPLaHG.exe PID: 7032, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: UtfPLaHG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.UtfPLaHG.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4081592327.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UtfPLaHG.exe PID: 7032, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	2 Virtualization/Sandbox Evasion	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	31 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UtfPLaHG.exe	92%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
UtfPLaHG.exe	82%	Virustotal		Browse
UtfPLaHG.exe	100%	Avira	TR/Dropper.Gen7
UtfPLaHG.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
asero23.ddns.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
asero23.ddns.net	178.128.228.252	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
asero23.ddns.net	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.128.228.252	asero23.ddns.net	Netherlands		14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432606
Start date and time:	2024-04-27 16:33:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UtfPLaHG.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@4/1@4/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 66 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:34:39	API Interceptor	1041541x Sleep call for process: UtfPLaHG.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	1B7E3FLOXC.elf	Get hash	malicious	Unknown	Browse	165.23.71.93
	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	104.236.0.129
	https://wall.page/jcw7sZ	Get hash	malicious	Unknown	Browse	159.89.38.40
	https://palmettoanimalclinic.aweb.page/p/0ac693e3-6f85-4fd6-86d7-f770e6e73d32	Get hash	malicious	Unknown	Browse	45.55.99.106
	http://www.superiorbillingsolutions.com	Get hash	malicious	Unknown	Browse	167.172.154.15
	https://gjyefv.degaris.com/	Get hash	malicious	HTMLPhisher	Browse	104.131.80.170
	https://mss.ehs2.com/?dilywvqc	Get hash	malicious	Unknown	Browse	157.245.93.173
	https://www.clktoro.com/feed/click/?t1=128&tid=859&uid=26&subid=remotescripps.org&id=62b00eca6d15ba41d06e054ec8234620:c5cc33c8f67a8e2157054b6a1a46513330d8d1b9ba254759e28d5e39682faf3a0c638282c2c64e9d5352d1ed667ebaaf8201abc8c47aea233add3225b515fb85693743b12c7509aae6fe6327275ef08dc3f481903563d1550be49405e93a390c41176fe292821b7d6098f34b28b9e7b3c1a327f168218dd37d959e1d8326a3dc7910042cd769fb91dfb171de393907f5870d1100482cb158754118b401727ac226cffc957846c78b0e9abcca8d32d5a6ad75dd1af64e7feee6f847ba1695ac8b9515c5fe28cc4005f0012c33f25f14967186986fa0130af2fc961a6ad412c9b4aa8c9bb8de73d1c785c14d432fe083fc1215c9564a8991d6fc9805ac127a42ffdfadf6dae0f2731324a242c43e3fceec3023a2155939fe1a27676e4a6a87cfc84b770a7bc9f80a549fd09cfb1ad645853bdfb1b7639d71e11035e1789b964e38c91352f7c5a319e5df29671022a79d04	Get hash	malicious	Unknown	Browse	142.93.240.225
	z55NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	178.128.15.164
	http://relevanteduofficelogin.relevantedu.xyz	Get hash	malicious	HTMLPhisher	Browse	178.128.58.202

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.525839108348935
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	UtfPLaHG.exe
File size:	24'064 bytes
MD5:	6a44a61f22c1f94581fe84ce077c8bc3
SHA1:	0af9823081a8ac7dab63fdbc1c4360508f5ed074
SHA256:	5ef1ff8185f56af614f482d00c32b2112483b0e7900b282fb28200dbe8b0cb87
SHA512:	295777a065601060e88afdeda7316d2ae422d5e3d371f1fb9e5c9b3cd3d800536c9739104ddc9bd7185d3de3cc0131b28d8ae4fb403aae761b47460a277a5395
SSDEEP:	384:mQeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZARr:x5yBVd7Rpcnud
TLSH:	D8B2094E3FA98856C5AC1B74C6B5965003B491870413EE2FCCC954CBAFB3BD92D48AF9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,f.................V...........t... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40748e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x662CDCBA [Sat Apr 27 11:08:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7438	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5494	0x5600	0308d8b9b31be958f21ea2166cc7aeb2	False	0.4887354651162791	data	5.57259259197427	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x240	0x400	0243c9a7f8755f2c2b18037cdad6cc91	False	0.310546875	data	4.966081339698093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	8f9fb76ec87ec8b0a5110a8a33506bf3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x8058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 16:34:05.675024033 CEST	49730	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:06.685626030 CEST	49730	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:08.701191902 CEST	49730	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:12.717082024 CEST	49730	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:20.732357025 CEST	49730	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:29.985254049 CEST	49736	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:30.982383013 CEST	49736	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:32.982388973 CEST	49736	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:36.982400894 CEST	49736	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:44.982410908 CEST	49736	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:52.999284983 CEST	49738	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:53.998127937 CEST	49738	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:34:56.013648987 CEST	49738	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:00.029382944 CEST	49738	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:08.045067072 CEST	49738	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:16.155612946 CEST	49739	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:17.232426882 CEST	49739	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:19.317573071 CEST	49739	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:23.438004017 CEST	49739	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:31.451226950 CEST	49739	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:39.471399069 CEST	49740	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:40.482481956 CEST	49740	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:42.482549906 CEST	49740	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:46.482480049 CEST	49740	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:35:54.529367924 CEST	49740	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:03.237730026 CEST	49741	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:04.341888905 CEST	49741	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:06.341896057 CEST	49741	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:10.341974974 CEST	49741	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:18.498162031 CEST	49741	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:27.018549919 CEST	49742	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:28.185679913 CEST	49742	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:30.186269045 CEST	49742	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:34.293962002 CEST	49742	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:42.295161963 CEST	49742	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:50.312205076 CEST	49743	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:51.326428890 CEST	49743	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:53.342051983 CEST	49743	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:36:57.357589960 CEST	49743	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:05.420119047 CEST	49743	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:13.438548088 CEST	49744	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:14.623248100 CEST	49744	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:16.623243093 CEST	49744	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:20.623352051 CEST	49744	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:28.623250961 CEST	49744	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:36.738691092 CEST	49745	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:37.748370886 CEST	49745	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:39.763901949 CEST	49745	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:43.779573917 CEST	49745	5552	192.168.2.4	178.128.228.252
Apr 27, 2024 16:37:51.920165062 CEST	49745	5552	192.168.2.4	178.128.228.252

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 16:34:05.574491024 CEST	61286	53	192.168.2.4	1.1.1.1
Apr 27, 2024 16:34:05.668378115 CEST	53	61286	1.1.1.1	192.168.2.4
Apr 27, 2024 16:35:16.061522007 CEST	49582	53	192.168.2.4	1.1.1.1
Apr 27, 2024 16:35:16.154577017 CEST	53	49582	1.1.1.1	192.168.2.4
Apr 27, 2024 16:36:26.922049999 CEST	50381	53	192.168.2.4	1.1.1.1
Apr 27, 2024 16:36:27.014946938 CEST	53	50381	1.1.1.1	192.168.2.4
Apr 27, 2024 16:37:36.643188000 CEST	55104	53	192.168.2.4	1.1.1.1
Apr 27, 2024 16:37:36.735157967 CEST	53	55104	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2024 16:34:05.574491024 CEST	192.168.2.4	1.1.1.1	0x12e1	Standard query (0)	asero23.ddns.net	A (IP address)	IN (0x0001)	false
Apr 27, 2024 16:35:16.061522007 CEST	192.168.2.4	1.1.1.1	0x9418	Standard query (0)	asero23.ddns.net	A (IP address)	IN (0x0001)	false
Apr 27, 2024 16:36:26.922049999 CEST	192.168.2.4	1.1.1.1	0xfaa9	Standard query (0)	asero23.ddns.net	A (IP address)	IN (0x0001)	false
Apr 27, 2024 16:37:36.643188000 CEST	192.168.2.4	1.1.1.1	0x21d	Standard query (0)	asero23.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 27, 2024 16:34:05.668378115 CEST	1.1.1.1	192.168.2.4	0x12e1	No error (0)	asero23.ddns.net	178.128.228.252	A (IP address)	IN (0x0001)	false
Apr 27, 2024 16:35:16.154577017 CEST	1.1.1.1	192.168.2.4	0x9418	No error (0)	asero23.ddns.net	178.128.228.252	A (IP address)	IN (0x0001)	false
Apr 27, 2024 16:36:27.014946938 CEST	1.1.1.1	192.168.2.4	0xfaa9	No error (0)	asero23.ddns.net	178.128.228.252	A (IP address)	IN (0x0001)	false
Apr 27, 2024 16:37:36.735157967 CEST	1.1.1.1	192.168.2.4	0x21d	No error (0)	asero23.ddns.net	178.128.228.252	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:33:52
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\UtfPLaHG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UtfPLaHG.exe"
Imagebase:	0xc90000
File size:	24'064 bytes
MD5 hash:	6A44A61F22C1F94581FE84CE077C8BC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1616392139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4081592327.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	16:34:00
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\UtfPLaHG.exe" "UtfPLaHG.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:34:01
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	114
Total number of Limit Nodes:	4

Executed Functions

Function 055613CF Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0556144F

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c28882dde3b8951e4c3d215428235319e4658bedadb4ff454fe6580767f4e932
Instruction ID: f64b21c5ebe99994027e69137e26f25ee4d471c817d2bb71eea6c0d5c4f58ed3
Opcode Fuzzy Hash: c28882dde3b8951e4c3d215428235319e4658bedadb4ff454fe6580767f4e932
Instruction Fuzzy Hash: FA21BC755097C0AFDB228F25DC40B62BFB8FF06310F08859AE9858B563D271E908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05561406 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0556144F

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: dade129bf1a09e23f09d45716c8f0030abad94ea6ce2e8838827e5690be16052
Instruction ID: c0326bbf1e2f59fc3073026bf25dacf86c2ee61de22d24120d3562316ee782ad
Opcode Fuzzy Hash: dade129bf1a09e23f09d45716c8f0030abad94ea6ce2e8838827e5690be16052
Instruction Fuzzy Hash: 9C119E31600A409FDB20CF55D884B76FBE8FF18220F08C96AED468B652D335E418DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01750B68 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01750B8F

Memory Dump Source

Source File: 00000000.00000002.4081460443.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_UtfPLaHG.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d153a1b2ddb1431fba14981ca148f5bfc4e580c9234c2d866292f022f9e69031
Instruction ID: 5ce2dadb252c8d8a588f3792b747a4b5ecc69cb75261aa78cbf3552607027492
Opcode Fuzzy Hash: d153a1b2ddb1431fba14981ca148f5bfc4e580c9234c2d866292f022f9e69031
Instruction Fuzzy Hash: 3A416C31A002058FCB48DF79C9846EDB7B6EF98304F148469E809DB399EB74DD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01750B58 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01750B8F

Memory Dump Source

Source File: 00000000.00000002.4081460443.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_UtfPLaHG.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: eba15ef734bb28f2e71d66180a51e97c179d612aa04f701b4944da2312f9ee8e
Instruction ID: 81606c833f8c2b489eed57b9b011fc6fa802c6699aa9cb6e7b7b24e147c4828d
Opcode Fuzzy Hash: eba15ef734bb28f2e71d66180a51e97c179d612aa04f701b4944da2312f9ee8e
Instruction Fuzzy Hash: BF414D31A013058FCB44DF79C9846ADB7B6EF99304F148469E809DB399EB74DD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0137BB7A Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0137BC39

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7f60a703fc017fa6bbf136dfa633203c63f235885640e28ba631b0822c05710c
Instruction ID: e1a44709375bb6d33e4f7cc17dac4da523a1ef0ef121ce46e73a436f299e50bf
Opcode Fuzzy Hash: 7f60a703fc017fa6bbf136dfa633203c63f235885640e28ba631b0822c05710c
Instruction Fuzzy Hash: D93182B1505380AFEB22CB65DC44BA2BFF8EF06314F08849EE9848B652D375A919D771

Uniqueness

Uniqueness Score: -1.00%

Function 0556197C Relevance: 1.6, APIs: 1, Instructions: 100
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05561A39

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 20d9f9a9c067bc2033c95ddb159f149dfa7bbc8ea4a9b3eda3037ef2c62d7764
Instruction ID: 091ba86226cbcbbbeb3d04b68d14d9b5a484d9f537f4b37e3b8e3dfd7b0b173f
Opcode Fuzzy Hash: 20d9f9a9c067bc2033c95ddb159f149dfa7bbc8ea4a9b3eda3037ef2c62d7764
Instruction Fuzzy Hash: A3318175504784AFEB218A65CC44FB7BBECFF09610F08859AF985CB652D320E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05560187 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0556024E

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5198b695c2c58c96eaa055e07731e1d891223bcb710e3f146672ce9682d5db5e
Instruction ID: df746c63c844872ec98cc8597aa27ca810eb3481e458e3f0b6ea93cb79cd15b7
Opcode Fuzzy Hash: 5198b695c2c58c96eaa055e07731e1d891223bcb710e3f146672ce9682d5db5e
Instruction Fuzzy Hash: 65316D6550E7C06FD3138B258C65A61BFB4EF47610B0E85CBD8C48B6A3D229A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0137A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0137A879

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 05489fce5e43dd4a1b86f32393d2a7fdd3a512354aa9d9ef38d28714af40b7ef
Instruction ID: 2b57bd4309a3f5fd26c88842e47b321735b27e7f974cdeea9f847ea3a47c3e70
Opcode Fuzzy Hash: 05489fce5e43dd4a1b86f32393d2a7fdd3a512354aa9d9ef38d28714af40b7ef
Instruction Fuzzy Hash: 033195715083846FE7228B65DC45FA7BFE8EF06314F08849AE984CB653D264A54DC771

Uniqueness

Uniqueness Score: -1.00%

Function 05560FBC Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05561083

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: a8afd98cb59b45b459f68b2f2bb9093281015478b45882ae7872c9a72c6347bb
Instruction ID: 426ce0fe1947b80a17d7ae9e428a112ebc566f817262ae53ff36cea24f7dc8e1
Opcode Fuzzy Hash: a8afd98cb59b45b459f68b2f2bb9093281015478b45882ae7872c9a72c6347bb
Instruction Fuzzy Hash: 1031A2B1504344AFEB21CB51DD84FA6FBACEF04314F04489AFA489B691D375A94CCB71

Uniqueness

Uniqueness Score: -1.00%

Function 05561A81 Relevance: 1.6, APIs: 1, Instructions: 92
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 05561B46

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1a34ae75a49bc10293d700ee60fb96dbf0ba3fbc005365d235569359b18fa478
Instruction ID: d464264c80089fdf326c08c1a264f22012041a3fa886ab16cababac500ee4d8a
Opcode Fuzzy Hash: 1a34ae75a49bc10293d700ee60fb96dbf0ba3fbc005365d235569359b18fa478
Instruction Fuzzy Hash: FA319E7150D3C05FD7038B758C65A66BFB4EF47610F0D85CBD8848F6A3D624A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05560EB4 Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 05560F51

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: ff8cee1564f875148e34a2e4a3fec72ac553298f957273680538dba6b63beee5
Instruction ID: 090ab9c2aa6b2add7d8a265120f00a23c2183cf42c01c31e34f153b6ef4ac23f
Opcode Fuzzy Hash: ff8cee1564f875148e34a2e4a3fec72ac553298f957273680538dba6b63beee5
Instruction Fuzzy Hash: 7031E5725097806FDB228F61DC44FA6BFB8EF46320F0884DAE8848F5A3D2659949C771

Uniqueness

Uniqueness Score: -1.00%

Function 055607B0 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05560847

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 848e9b112c6cd2fb8c50d589a1dc1203391cdb3b2573e11941fd6cfe100229d8
Instruction ID: 430eb03f3db577d815b321b05219a4273f4524e88e52b11fa1c5891cf6821d84
Opcode Fuzzy Hash: 848e9b112c6cd2fb8c50d589a1dc1203391cdb3b2573e11941fd6cfe100229d8
Instruction Fuzzy Hash: BA319371504384AFEB21CB65DC45FA7BFE8FF45210F0884AAE944DB692D324A958CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0137A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0137A6B9

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 20bdf3da7e65d19f7cfcaf5e9b1b6083a5c379a571444f90cb131237b617aef1
Instruction ID: b76ca510ac5c418ab75d17f6443a4dd1bac35248954c8bf881c34e6bd5f3063d
Opcode Fuzzy Hash: 20bdf3da7e65d19f7cfcaf5e9b1b6083a5c379a571444f90cb131237b617aef1
Instruction Fuzzy Hash: F33193B15093846FE722CB65DC85B96FFF8EF06214F08849AE984CF292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0556199E Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05561A39

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2843197833fe2c1695df8e5b7006d2d2eb1472f92f199681f3c61163269687bb
Instruction ID: 12d7690c20701f6701173550cbbe4ce10663ef4362494f1fd1aa79a6473969a6
Opcode Fuzzy Hash: 2843197833fe2c1695df8e5b7006d2d2eb1472f92f199681f3c61163269687bb
Instruction Fuzzy Hash: 79219E76500744AFEB21CE65CD44FB7BBECFF18214F08895AE945C7A52D330E548CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137A8C1 Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0137A97D

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: c2de550eba5a1b7e4b02c5a5a00345feea0deed487fd4050bfae4c729562a2df
Instruction ID: 76fff42ddb9d336e1f694046b12e0b9cb4422a42cf8dba73862c34bf6f40a2ec
Opcode Fuzzy Hash: c2de550eba5a1b7e4b02c5a5a00345feea0deed487fd4050bfae4c729562a2df
Instruction Fuzzy Hash: C431F471404384AFEB228F61DC44FA6FFB8EF06314F08849EE9848B593D275A44CCB61

Uniqueness

Uniqueness Score: -1.00%

Function 0137A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0137A40C

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 97fd881cf79ca441bde2e3c7a1a21216065250743bd62383098b6905c98f2b8f
Instruction ID: b4d79fd38c6cac89404a8933afee9c863ad020f2994c89fcfa4d23bd1677fabb
Opcode Fuzzy Hash: 97fd881cf79ca441bde2e3c7a1a21216065250743bd62383098b6905c98f2b8f
Instruction Fuzzy Hash: E631B171508780AFE722CF15CC84F96BFF8EF06214F08849AE945DB292D364E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05560FDE Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05561083

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 9233b452c90b2dc5a26d6af045a91dcc450cbe0755e58791baf3498e11058c29
Instruction ID: b7eb009d7a236b6b3e79ece78f9b941329bd041506c102b07089a5051e588475
Opcode Fuzzy Hash: 9233b452c90b2dc5a26d6af045a91dcc450cbe0755e58791baf3498e11058c29
Instruction Fuzzy Hash: DB21BC71500244AFEB21DB61CD84FBAF7ACEF08324F04885AFA489B681D375A54CCBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0137BC90 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0137BD25

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 80b46b11f9fde9b3c3e0c061577a2f8c964e711255aa940c84d0a68ecb308092
Instruction ID: 7a4ad5c436d95806ddcde667cf438c21c98be6393d271b972ea098aa0c8d0d87
Opcode Fuzzy Hash: 80b46b11f9fde9b3c3e0c061577a2f8c964e711255aa940c84d0a68ecb308092
Instruction Fuzzy Hash: 642106754097806FD7128B21DC80BA2BFBCEF47324F0880D6E9848B2A3D2649909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05561551 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 055615D8

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 7fbaa44203e026c2865cee563a2c67a2e0999dd2176510a88461410e5678dab9
Instruction ID: dbd0b64fbfaa7f9792965c4d988b46f4a00038599547b48cc75b3ac8023447ef
Opcode Fuzzy Hash: 7fbaa44203e026c2865cee563a2c67a2e0999dd2176510a88461410e5678dab9
Instruction Fuzzy Hash: FE21C1715093806FEB12CB25DC85FA6BFB8EF46314F0884DAE984CF692D264A948C771

Uniqueness

Uniqueness Score: -1.00%

Function 0556027A Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05560306

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 7ca1f404cffc901cdcf55db9cf9402333d76259a54262852dc3f0d359d6cf559
Instruction ID: 4fe86f2ba1e2b1bddedbda102a63084d7c7db5da547b44a490ad8679e3dadcc8
Opcode Fuzzy Hash: 7ca1f404cffc901cdcf55db9cf9402333d76259a54262852dc3f0d359d6cf559
Instruction Fuzzy Hash: F821B171505380AFE722CF51DC44FA6FFF8EF05210F08889EE9858B6A2C375A558CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05560966 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 055609FA

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: ba7a28dd078aaed94ff911ecba84a30f70e415e5de8a2a766fdce0614ce561ea
Instruction ID: 76664de1d7e82b661e175ec703d62abea8af18a0dbbbb45098ce2e7df655eeb5
Opcode Fuzzy Hash: ba7a28dd078aaed94ff911ecba84a30f70e415e5de8a2a766fdce0614ce561ea
Instruction Fuzzy Hash: C221EF71405380AFE722CF51DC44FA6FBF8EF09220F08849EE9848B692D375A548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0137A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0137A4F8

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 687fd21ce5ac8ed7b723ca47063979401fc564f7333e29dcdfe2988ad1ac2f87
Instruction ID: 3b303b422f8378804d5c4b7323e7ef858c8f93862af841b12977cb4a2618b43e
Opcode Fuzzy Hash: 687fd21ce5ac8ed7b723ca47063979401fc564f7333e29dcdfe2988ad1ac2f87
Instruction Fuzzy Hash: 1A21A4B2504380AFD7228F55DC44FA7BFB8EF46224F08849AE985DB692D364E448C771

Uniqueness

Uniqueness Score: -1.00%

Function 055607D6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05560847

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: cb534e6641295a9ba61354b65c5e319b4914ddede2e11d9cd81c6a4cec1a7bd0
Instruction ID: 5debf5a554c4fe1ca1fd76249223f23f02ce1b039fef1604be8028230fbd0f6b
Opcode Fuzzy Hash: cb534e6641295a9ba61354b65c5e319b4914ddede2e11d9cd81c6a4cec1a7bd0
Instruction Fuzzy Hash: 6221CF72600244AFEB20DF65DD45FAAFBACFF04214F04886AE945DB691D374E5488AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0137BBBA Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0137BC39

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3ea878c098e6d40085bee0c0fb9fa80b53473335cc222ea16bdf429e8620dbfc
Instruction ID: 5ead0bd8123c805194bfc50c90695c424aabb7b132273f9ab0cff1a5347a3120
Opcode Fuzzy Hash: 3ea878c098e6d40085bee0c0fb9fa80b53473335cc222ea16bdf429e8620dbfc
Instruction Fuzzy Hash: 6721DEB1500204AFEB21CF65CD84F66FBE8EF08214F04886DE9858B656D775E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055606CA Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0556075C

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 63ace9ce405f8bd4fd639a3d6730020c3e3e565497f1b96ee1ad4a1a5117aa78
Instruction ID: f426acfbffee89c03047caad8f55e295ad56f6443d36d5daa7639a3bd94aeab6
Opcode Fuzzy Hash: 63ace9ce405f8bd4fd639a3d6730020c3e3e565497f1b96ee1ad4a1a5117aa78
Instruction Fuzzy Hash: A3219071504780AFD721CF51DC48FA6BBF8EF05210F08849AE9458B6A2D364E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0556124A Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 055612CE

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d1396bb5b7af1d77b633720f573c9f87357b973516aee1eb8d3f5f13cd6c0e1f
Instruction ID: 9f3ca22132828c5bcd7cf34a51f100e76205a00f5590800d543cb7db5411e9e0
Opcode Fuzzy Hash: d1396bb5b7af1d77b633720f573c9f87357b973516aee1eb8d3f5f13cd6c0e1f
Instruction Fuzzy Hash: 06218E726087C09FDB128B65DC55BA2BFF8AF06210F0D84EAD8C5CB663D224D808C761

Uniqueness

Uniqueness Score: -1.00%

Function 05560006 Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 05560091

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a29cac2c52c82ee64aeaed7d124d420085293c667d4b2ecd58dc3975d2a52d67
Instruction ID: 87b4967d539af9e64a6fb261b38ee49ca7b6232771959777e3b7ccc21e4359d1
Opcode Fuzzy Hash: a29cac2c52c82ee64aeaed7d124d420085293c667d4b2ecd58dc3975d2a52d67
Instruction Fuzzy Hash: 7D21B671405380AFD722CF51DC44FA7BFB8EF46324F08849AE9849B592D275A558CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0137A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0137A879

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 64dcdc0ccc9a58b2b6872fe85826d6248d5776423cef5c2f9be506d6fed4459a
Instruction ID: 89ec01d59478c25623599d57b7e14ec3152e4ba636edd86c62132ade3e075363
Opcode Fuzzy Hash: 64dcdc0ccc9a58b2b6872fe85826d6248d5776423cef5c2f9be506d6fed4459a
Instruction Fuzzy Hash: 0F21D172500204AEE7319F55DD44FABFBECEF18314F08845AED458BA42D334E44D8AB2

Uniqueness

Uniqueness Score: -1.00%

Function 0556171F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0556179B

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 4d1e7e82c993d76617a3a7d811b23f9a1babb39e483ebb9bf71c7f8fa376b26f
Instruction ID: 6dadfbbd9893d2ed8bd8d87fff2af6acb59052530a5b329e671ee20bec02295c
Opcode Fuzzy Hash: 4d1e7e82c993d76617a3a7d811b23f9a1babb39e483ebb9bf71c7f8fa376b26f
Instruction Fuzzy Hash: 0D21D4715083806FD722CF61DC44FA7BFA8EF46210F08C4AAE944CB692D374A548CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0556163B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 055616B7

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 4d1e7e82c993d76617a3a7d811b23f9a1babb39e483ebb9bf71c7f8fa376b26f
Instruction ID: 69edb0dcf1f9148b9b26db3fa6c1960b5d2cff04c1b02f48134223d076d4c2d3
Opcode Fuzzy Hash: 4d1e7e82c993d76617a3a7d811b23f9a1babb39e483ebb9bf71c7f8fa376b26f
Instruction Fuzzy Hash: B921D4715083806FD722CF61DC44FA6BFA8EF45210F08C4AAE944CB692D374A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0137A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0137A6B9

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bf6ec0eda69c045688f2449af1a4ead0343c0598607ad63b01683921aaf846f4
Instruction ID: 7dd29e8d589d1591b884e57c748b0124bc3c912b5c0da1208a2d8345e62c50c1
Opcode Fuzzy Hash: bf6ec0eda69c045688f2449af1a4ead0343c0598607ad63b01683921aaf846f4
Instruction Fuzzy Hash: 7321D4716002449FE721CF65DD85FAAFBE8EF14224F088469E949CB742D375E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0137A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0137A40C

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 81a05518f3aef236c3cd21cec1b5ae06cbfd193e042fb410a5aed055691d011a
Instruction ID: 7015eaa4e143e6d39fb619b86c4fe465046f391a887f995e87dc6a8a4e00999a
Opcode Fuzzy Hash: 81a05518f3aef236c3cd21cec1b5ae06cbfd193e042fb410a5aed055691d011a
Instruction Fuzzy Hash: 8B21AE71600204AFE731CF15CC84FAAF7ECEF04614F08845AE9459B792D374E848CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0556029A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05560306

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 146cead8626b6e62618762b97a97dca6a17b897b2bfaab439a9e7ae057438c5e
Instruction ID: 498469c733a68537fa0b29b5d5c045e9cb117dbc861299b4416c48778650b9c0
Opcode Fuzzy Hash: 146cead8626b6e62618762b97a97dca6a17b897b2bfaab439a9e7ae057438c5e
Instruction Fuzzy Hash: 8621CF71500240AFEB21CF91DD44FA6FBE8EF08320F04885EE9458B691C375E458CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05560986 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 055609FA

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 9f0aa62a736210d5a771cb265c3761b3c5ba818e7e36096cfaacdcb90957c14d
Instruction ID: 60eeb7527bb10f45e86513a79586f298b303b6300eee4d0652c1a77b4c477e7d
Opcode Fuzzy Hash: 9f0aa62a736210d5a771cb265c3761b3c5ba818e7e36096cfaacdcb90957c14d
Instruction Fuzzy Hash: 7721F071400244AFEB21CF55DD88FA6FBE8EF18324F04845DE9458BB91D375E458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0556118E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0556120A

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: da16f3764c74c0f7927b13fe40927d139fe23cbd89750a9f21e503c58f3464a4
Instruction ID: 5f45d27afb48bc864e9399018abfa2040783f07f379019621fc256454a5efc6d
Opcode Fuzzy Hash: da16f3764c74c0f7927b13fe40927d139fe23cbd89750a9f21e503c58f3464a4
Instruction Fuzzy Hash: 07219F715087C4AFDB228F51DC44B62FFF4FF0A310F08859AE9858B662D335A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0137A710 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0137A780

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 40206830b1ea116c0ba3829500197fa9afe585c9dd91c124de571433ed2c5953
Instruction ID: 768ad0efc5559b11d8ec876cb8f3c33e99c59cbb754db991d232b82e214dbea7
Opcode Fuzzy Hash: 40206830b1ea116c0ba3829500197fa9afe585c9dd91c124de571433ed2c5953
Instruction Fuzzy Hash: F421E7B59043809FD712CF55EC85B52BFB4EF02324F0884ABED458B653D3759905DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137A902 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0137A97D

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: b2ff38169e95e002e82bc14a77089c2d65db962467c6baf812b93a15813417c8
Instruction ID: 01ebe4cf377194a1ad360771f5ed2ef6b64658c938e00725861efb149dc815ae
Opcode Fuzzy Hash: b2ff38169e95e002e82bc14a77089c2d65db962467c6baf812b93a15813417c8
Instruction Fuzzy Hash: 9421D271500204AFEB318F51DC40FA6FBA8EF09314F08845AFE859AA91D375E558CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 055606EA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0556075C

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7ee3b96e0cafba25dae6ad591bda45c903046574d6f82b3adbb8af15a10252f3
Instruction ID: eec1af771b168f6ab18835e5c4008470608634704173acf9b88096b65380aa4b
Opcode Fuzzy Hash: 7ee3b96e0cafba25dae6ad591bda45c903046574d6f82b3adbb8af15a10252f3
Instruction Fuzzy Hash: 4A117275500644AFEB21CF55DC88FA6F7E8FF14610F08845AE9458B692D770E548CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0137A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0137A4F8

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1e9e0ec466ac60bc40123419523f170ad19649b04d1baba18bee6bdfc928558d
Instruction ID: 1849163cf0d815b0d6d2afc73c4b460bd4d17416d3e093ad90328a7d16fdb876
Opcode Fuzzy Hash: 1e9e0ec466ac60bc40123419523f170ad19649b04d1baba18bee6bdfc928558d
Instruction Fuzzy Hash: A711BEB2500604AFEB318F15DC44FABFBECEF14624F08845AED459BB82D375E4488AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05560EF2 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 05560F51

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: e3b85b17bc904761dbe932a1cf0438ccbacd93bbfe9ed297f02f1c0f8c96b62a
Instruction ID: e75a9711ee351556111510c74eff610e3ccca88ecf6498e08c3b2b25b8b0958a
Opcode Fuzzy Hash: e3b85b17bc904761dbe932a1cf0438ccbacd93bbfe9ed297f02f1c0f8c96b62a
Instruction Fuzzy Hash: E811E671500240AFEB21CF51DC44FAAF7E8EF14310F04C86AE945CB691D374E5588BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0556165E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 055616B7

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 53426a3a05dbe9bcead0685a69860728da2a1d98ba1b28c825dfb6ef6ad48720
Instruction ID: 57c449bafbfda42ce9c1bb1ea93b3a4ad20c663aa76396459a25d590e965bc1f
Opcode Fuzzy Hash: 53426a3a05dbe9bcead0685a69860728da2a1d98ba1b28c825dfb6ef6ad48720
Instruction Fuzzy Hash: AA11BFB5500640AFEB21CF55DD84FBAB7A8EF14224F08846AE945CBA81D374A558CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05561742 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0556179B

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 53426a3a05dbe9bcead0685a69860728da2a1d98ba1b28c825dfb6ef6ad48720
Instruction ID: 42d14784d21f570b9e5f5f30f65244fbde38f1d9f13299bcc8a34201b8313056
Opcode Fuzzy Hash: 53426a3a05dbe9bcead0685a69860728da2a1d98ba1b28c825dfb6ef6ad48720
Instruction Fuzzy Hash: DF11BF71600640AFEB21CF55DC84FBAB7E8EF15224F08846AE945CB682D774A548CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 05561582 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 055615D8

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: d5767ebcba29ebbd324f9084da7857440b32ef4f6d41a22a5bd6341f9589459b
Instruction ID: b1f8fb87f62cbe2c5190c75e33c4371a3244f4b04c12d0f8f145e2068188814a
Opcode Fuzzy Hash: d5767ebcba29ebbd324f9084da7857440b32ef4f6d41a22a5bd6341f9589459b
Instruction Fuzzy Hash: 1511C171500640AFEB21CB15DD85FBAF7A8EF14224F08C46AE905DB681D674A548CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137B2DF Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137B34A

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 65030a7db6f632a695907c645d63c9471d8f96dabcf6ba2ce9bc5912550e582b
Instruction ID: a9364a5c62c585828cadc6d1f67400079ca3c274f4bd470d4c68032f2a9144bd
Opcode Fuzzy Hash: 65030a7db6f632a695907c645d63c9471d8f96dabcf6ba2ce9bc5912550e582b
Instruction Fuzzy Hash: 1F117F71409780AFDB228F55DC44B62FFF4EF4A320F08889AED858B662C275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05560032 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 05560091

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3381ebc72fcddd3549206e8513ca0458f5f88ed7159510a8438e3ab8f0dd8955
Instruction ID: c7e3d7701dc8c6eafa069b2518e7392e9b369463d110f4bea99f73a8f34adf42
Opcode Fuzzy Hash: 3381ebc72fcddd3549206e8513ca0458f5f88ed7159510a8438e3ab8f0dd8955
Instruction Fuzzy Hash: 5811C471500240AFEB21CF51DD44FA6FBE8EF14324F04885AE9459B691D375A5588BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05560626 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 055606A2

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: cdb5676cda000690bf0abbd46a0f8a61a75a2fcb01a57b1db8fb5ac3bbfdbb87
Instruction ID: 5069a9023f696c2313fa7ddf32d89934f91bbec31ef060a7c648af08599f13d2
Opcode Fuzzy Hash: cdb5676cda000690bf0abbd46a0f8a61a75a2fcb01a57b1db8fb5ac3bbfdbb87
Instruction Fuzzy Hash: E511B671909380AFD3118B16DC45F26FFB4EF86610F09819EE8449B792D325B959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0137ABC1 Relevance: 1.6, APIs: 1, Instructions: 57comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0137AC20

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c9044850b5d4d13ff14c413bfae77e369d3b7aab00aa31f1b4a76e9770bffeac
Instruction ID: 33586b228666c58b4db8bf46a09a8883115d04f9e997601a007803ef0048c76d
Opcode Fuzzy Hash: c9044850b5d4d13ff14c413bfae77e369d3b7aab00aa31f1b4a76e9770bffeac
Instruction Fuzzy Hash: 161182715093C0AFDB128F25DC44B66BFB4EF47210F0884DAED848F253D275A558CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137A2D2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0137A330

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2269bf70886b463732a498f166f3b37228c79c0e1a0223af44e0ae0a9955b3c
Instruction ID: 4352e1300f2fc50564576e190cd5b79d19fb4dc28da13a4c421c6253f3ac6496
Opcode Fuzzy Hash: a2269bf70886b463732a498f166f3b37228c79c0e1a0223af44e0ae0a9955b3c
Instruction Fuzzy Hash: 7E1173758093C4AFD7238B15DC44B66BFB4EF47624F0D80DAED848B263D265A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 05561286 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 055612CE

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e778ce3ef2c0929f6777f26385f8b8be6382b4e0e2cec3f65133dd6263e0b012
Instruction ID: b93c7f2f908fbd1365bbce475bab643a1a8916227e42063be50bb7ff9b0ba53b
Opcode Fuzzy Hash: e778ce3ef2c0929f6777f26385f8b8be6382b4e0e2cec3f65133dd6263e0b012
Instruction Fuzzy Hash: 5F118E71A046408FDB60CF6AD885B76FBE8FF15220F0884AADD49CB746D274E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0137BCD2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,21E48FE7,00000000,00000000,00000000,00000000), ref: 0137BD25

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e567a437124b0f16fb7adc0389a7d2432c0e81345d7a8a73aa0f8d48a5e87686
Instruction ID: a288fddbdbcfa09c546e4a9443a7e273427eac55f28af3cf9c0f1efaa7e83a09
Opcode Fuzzy Hash: e567a437124b0f16fb7adc0389a7d2432c0e81345d7a8a73aa0f8d48a5e87686
Instruction Fuzzy Hash: 6501C075500244AEE7218F15DC84BA6F7ACDF15628F18C0A6EE048BB96D378E4488AB2

Uniqueness

Uniqueness Score: -1.00%

Function 055611BE Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0556120A

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 9cb1c94c238fbb0c53bb041cb6c4bd854653ba26faed52cc22d3cd8fefc7a7b0
Instruction ID: 482225ade02e31c57a5a1551cb67bb46dd37fb71e17880698b5fb5baf74fd463
Opcode Fuzzy Hash: 9cb1c94c238fbb0c53bb041cb6c4bd854653ba26faed52cc22d3cd8fefc7a7b0
Instruction Fuzzy Hash: 95117C315006849FDB21CF96D884B76FBE5FF18310F0889AADD858B622D335E418CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05561AF6 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 05561B46

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 3fe9416e88b3417971caa319e1fb384815556a4388ad4a315f93701c7c5c3224
Instruction ID: 6b67d4f4ef25f625078fb45396ebac76cc2fa0dc341e6e7893ddff126d6d4835
Opcode Fuzzy Hash: 3fe9416e88b3417971caa319e1fb384815556a4388ad4a315f93701c7c5c3224
Instruction Fuzzy Hash: 1301B171A00200ABD310DF16DD85B76FBE8FB88B20F14812AED089BB41D731B965CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0137B306 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137B34A

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 39e1926ad9d4729928f4c383e34d7040f8f6b4c1be583246dc86c8adecb7d1b3
Instruction ID: 910fd7efe505fc7cc232e352f69927a850f3ae649a5ed03d68d8b70344c924ac
Opcode Fuzzy Hash: 39e1926ad9d4729928f4c383e34d7040f8f6b4c1be583246dc86c8adecb7d1b3
Instruction Fuzzy Hash: FD01A131400600DFEB218F55D884B66FBF4EF18324F08845ADD898A616C375E054DF61

Uniqueness

Uniqueness Score: -1.00%

Function 05560652 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 055606A2

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 18f7be93e892c8f15a33cd7d3ab752ca2f6a7ccf68c3dc2f72e0baefe8cb9291
Instruction ID: 072468769c76728a28fe67c6a9013a06dd68d21c9d7a628b1da24f5d4dc14d81
Opcode Fuzzy Hash: 18f7be93e892c8f15a33cd7d3ab752ca2f6a7ccf68c3dc2f72e0baefe8cb9291
Instruction Fuzzy Hash: 8801A271A00600ABD310DF16DD86B76FBE8FB88A20F148159ED089BB41D731F965CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 055601FE Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0556024E

Memory Dump Source

Source File: 00000000.00000002.4082648999.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5560000_UtfPLaHG.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 323f29a8b5eec194cb35164b393ef183ab31e75afd86b31bd5ae588bbb045680
Instruction ID: c53c56788f583f198662013c0fb63b7e627a8de0a518402c52406dcdc7499652
Opcode Fuzzy Hash: 323f29a8b5eec194cb35164b393ef183ab31e75afd86b31bd5ae588bbb045680
Instruction Fuzzy Hash: A5018F71A00600ABD210DF16DD86B66FBE8FB88A20F14811AED089BB41D771B965CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0137A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0137A780

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 38fe789a34e67199cf91d6223cc181e4b655f8548f1b7ea3a0b850d9b7bdf696
Instruction ID: c7cd3779c619ed48a3850b31eb482e32a11a19e83f76d902d9bbb1841ab75ca3
Opcode Fuzzy Hash: 38fe789a34e67199cf91d6223cc181e4b655f8548f1b7ea3a0b850d9b7bdf696
Instruction Fuzzy Hash: CC01D4719042448FDB218F55D884769FBE8DF14224F08C4ABDD468F746D279E404CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137ABEE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0137AC20

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b31276d0ccd25fc6675a776ca4599601478ad490d98a7538822d4e05ad6415a6
Instruction ID: 538f93b44e380b44d5f55df9f6dfdb39c20e562af05611a0ec490c7bfc6bd6ad
Opcode Fuzzy Hash: b31276d0ccd25fc6675a776ca4599601478ad490d98a7538822d4e05ad6415a6
Instruction Fuzzy Hash: 9A01A2719042449FDB20CF15D884769FBE4DF14224F0CC4AADD48CF746D279E548CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0137A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0137A330

Memory Dump Source

Source File: 00000000.00000002.4080776060.000000000137A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137a000_UtfPLaHG.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2f1e604d5869bd9e0d989a0901f1aa819b78e8b2637e84860342e2e11ef0287f
Instruction ID: 2704bf3ea79ca90aac5277864680923f8e2ec8759ed3fb952a1de803108a3232
Opcode Fuzzy Hash: 2f1e604d5869bd9e0d989a0901f1aa819b78e8b2637e84860342e2e11ef0287f
Instruction Fuzzy Hash: 32F0AF35904244DFEB218F19D884B69FBE4EF19324F0CC09ADD494F752D3B9E448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 01980814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4081534381.0000000001980000.00000040.00000020.00020000.00000000.sdmp, Offset: 01980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1980000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81415fba8eadaa8f3f9c9d0d6fd123ebfee6842ab36a5f7b68b0f86497328ccb
Instruction ID: d7f06026880a8685ab1ef00264c234e2c20d4b323fca26cdd6e94b9683736c35
Opcode Fuzzy Hash: 81415fba8eadaa8f3f9c9d0d6fd123ebfee6842ab36a5f7b68b0f86497328ccb
Instruction Fuzzy Hash: BE11D230614284DFD711DB14D540F26BBA5AB99708F28C9ACF94D1BB53C737D84BCA82

Uniqueness

Uniqueness Score: -1.00%

Function 019807E4 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4081534381.0000000001980000.00000040.00000020.00020000.00000000.sdmp, Offset: 01980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1980000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce9d8489972c5ac6b32da9c9216b897264b26fb79ad366285fe3d0f2dfb42f7
Instruction ID: 3ea3b67ecce247f3ece7d20dff9e9e542f02ad771dc935ab01217103ce21b243
Opcode Fuzzy Hash: 2ce9d8489972c5ac6b32da9c9216b897264b26fb79ad366285fe3d0f2dfb42f7
Instruction Fuzzy Hash: 28216D311093C18FC713CB24C950B54BFB1AF46218F2DC9EED4885B6A3C33A884ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 019805E0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4081534381.0000000001980000.00000040.00000020.00020000.00000000.sdmp, Offset: 01980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1980000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c258744b4bcc904a0fa6c03b2a5010c30b4c9269be151cbf9669575fb9136fe
Instruction ID: f5af1c6ce5eb2a0846efd3aeea2215fbd422f1bb4f9c2b99dd83703508f4be37
Opcode Fuzzy Hash: 1c258744b4bcc904a0fa6c03b2a5010c30b4c9269be151cbf9669575fb9136fe
Instruction Fuzzy Hash: EC01DB765097845FC7118F16EC408A3FFB8EF8663070984DFEC498B712D225A809C771

Uniqueness

Uniqueness Score: -1.00%

Function 019807C4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4081534381.0000000001980000.00000040.00000020.00020000.00000000.sdmp, Offset: 01980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1980000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63d737166a2e5ca776a926b4a2ea5ec817fe73f7c0f556bca669771502efb95
Instruction ID: ff9ea1048028111857364ffb5a317d3d727b6f11cc7b88f08f53ea03e55b0768
Opcode Fuzzy Hash: a63d737166a2e5ca776a926b4a2ea5ec817fe73f7c0f556bca669771502efb95
Instruction Fuzzy Hash: CA012535149380CFC303CB14D550B11BBB1FF86618F1986DAE4894B663C3369856CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019808D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4081534381.0000000001980000.00000040.00000020.00020000.00000000.sdmp, Offset: 01980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1980000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7489cccc064395f2936cebe98813e0a177919cb3ffb8139302bf187ae4d94871
Instruction ID: 1414da86bd1e544e16de3d1b2fb9ff2a282747a5cdd1caeb883ba92df9702d74
Opcode Fuzzy Hash: 7489cccc064395f2936cebe98813e0a177919cb3ffb8139302bf187ae4d94871
Instruction Fuzzy Hash: DFF04B35104640DFC712CB04D580B15FBA2EB89718F28CAA9E84807B62C3379817DA82

Uniqueness

Uniqueness Score: -1.00%

Function 01980606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4081534381.0000000001980000.00000040.00000020.00020000.00000000.sdmp, Offset: 01980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1980000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3343c057d385dfdee059cbfaeb7510602b700b03f9babb407ba51a58081b7ec
Instruction ID: 835ace7c46f889d8b53a2669f9ccd02c30b804fa891ec3a36ebeb264dcb19acc
Opcode Fuzzy Hash: f3343c057d385dfdee059cbfaeb7510602b700b03f9babb407ba51a58081b7ec
Instruction Fuzzy Hash: 4EE092B6A046444B9750CF0BFC81862F7D8EB84630B18C07FDC0D8B711D235F509CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 013723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4080750650.0000000001372000.00000040.00000800.00020000.00000000.sdmp, Offset: 01372000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1372000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8dd2fd1213559edac0b766884fe0c939a40d97267994ce0e7c7ed983bde856
Instruction ID: b95bcb0d5ed77c46bf8722d2e970536a50c6948edc1270bf9882dd15947e552a
Opcode Fuzzy Hash: eb8dd2fd1213559edac0b766884fe0c939a40d97267994ce0e7c7ed983bde856
Instruction Fuzzy Hash: 09D05E7A2096C18FE3269A1CC2A8B963BE4AB51718F4A44F9A8408BB63C76CD5C5D600

Uniqueness

Uniqueness Score: -1.00%

Function 013723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4080750650.0000000001372000.00000040.00000800.00020000.00000000.sdmp, Offset: 01372000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1372000_UtfPLaHG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ed7aaf7560fe995e34d23e30752717b231427d258a05a27ad5aa671f5ae29e
Instruction ID: 5546d1dd6afdcf85d9622bb25f4897fb8bb832a9eb4219e2a3155c91c5ff56ef
Opcode Fuzzy Hash: a1ed7aaf7560fe995e34d23e30752717b231427d258a05a27ad5aa671f5ae29e
Instruction Fuzzy Hash: 4DD05E342006814BE725DA0CC2D4F5A3BD4AB40718F0644EDAC108B762C7A8D8C4CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UtfPLaHG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
UtfPLaHG.exe

Function 01750B68 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Function 01750B58 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Function 0137BB7A Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 0556197C Relevance: 1.6, APIs: 1, Instructions: 100
registryCOMMON

Function 05560187 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 0137A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Function 05560FBC Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 05561A81 Relevance: 1.6, APIs: 1, Instructions: 92
windowCOMMON

Function 05560EB4 Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Function 055607B0 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 0137A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 0137A8C1 Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON