Edit tour

Windows Analysis Report
HobLb4ufqE.exe

Overview

General Information

Sample name:	HobLb4ufqE.exe renamed because original name is a hash value
Original sample name:	0222f8da926bf2722f6bef4ac243e5fa.exe
Analysis ID:	1436258
MD5:	0222f8da926bf2722f6bef4ac243e5fa
SHA1:	152144479eb94028ec92e356f99b562fa414e980
SHA256:	98c5e7aa76e1163df1ac5ea880c213a8b81a2c5b2ba0d87980ac8ffa744f226f
Tags:	32exeRedLineStealertrojan
Infos:

Detection

RedLine

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Installs new ROOT certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops certificate files (DER)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

HobLb4ufqE.exe (PID: 4160 cmdline: "C:\Users\user\Desktop\HobLb4ufqE.exe" MD5: 0222F8DA926BF2722F6BEF4AC243E5FA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["80.79.4.61:27996"], "Bot Id": "uk-ca", "Authorization Header": "27dc49c1e1facde9ccd1ca2ec0c885fd"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
HobLb4ufqE.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2042978053.0000000000512000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: HobLb4ufqE.exe PID: 4160	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.HobLb4ufqE.exe.510000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: HobLb4ufqE.exe

Malware Configuration Extractor: RedLine {"C2 url": ["80.79.4.61:27996"], "Bot Id": "uk-ca", "Authorization Header": "27dc49c1e1facde9ccd1ca2ec0c885fd"}

Multi AV Scanner detection for domain / URL

Source: 80.79.4.61:27996

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for submitted file

Source: HobLb4ufqE.exe	ReversingLabs: Detection: 60%
Source: HobLb4ufqE.exe	Virustotal: Detection: 61%			Perma Link

Source: HobLb4ufqE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HobLb4ufqE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: HobLb4ufqE.exe, 00000000.00000002.3284074544.0000000000C69000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: HobLb4ufqE.exe, 00000000.00000002.3285282153.0000000006543000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbL source: HobLb4ufqE.exe, 00000000.00000002.3285282153.0000000006543000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: HobLb4ufqE.exe, 00000000.00000002.3285282153.0000000006532000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: HobLb4ufqE.exe, 00000000.00000002.3284074544.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb<d source: HobLb4ufqE.exe, 00000000.00000002.3284074544.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 80.79.4.61:27996

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 80.79.4.61:27996

Source: Joe Sandbox View

IP Address: 80.79.4.61 80.79.4.61

Source: Joe Sandbox View

ASN Name: SISTEMEMD SISTEMEMD

Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61
Source: unknown	TCP traffic detected without corresponding DNS query: 80.79.4.61

Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9g
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: HobLb4ufqE.exe	String found in binary or memory: https://api.ip.sb/ip

Source: C:\Users\user\Desktop\HobLb4ufqE.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp8A0F.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp8A0E.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_00E2DC74	0_2_00E2DC74
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_061567D8	0_2_061567D8
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_0615A3E8	0_2_0615A3E8
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_06153F50	0_2_06153F50
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_0615A3D8	0_2_0615A3D8
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_06156FF8	0_2_06156FF8
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_06156FE8	0_2_06156FE8

Source: HobLb4ufqE.exe, 00000000.00000000.2043004498.0000000000556000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFleawort.exe8 vs HobLb4ufqE.exe
Source: HobLb4ufqE.exe, 00000000.00000002.3284074544.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HobLb4ufqE.exe
Source: HobLb4ufqE.exe	Binary or memory string: OriginalFilenameFleawort.exe8 vs HobLb4ufqE.exe

Source: HobLb4ufqE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.winEXE@1/4@0/1

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp8A0E.tmp

Jump to behavior

Source: HobLb4ufqE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HobLb4ufqE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HobLb4ufqE.exe	ReversingLabs: Detection: 60%
Source: HobLb4ufqE.exe	Virustotal: Detection: 61%

Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Google Chrome.lnk.0.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: HobLb4ufqE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HobLb4ufqE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: HobLb4ufqE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: HobLb4ufqE.exe, 00000000.00000002.3284074544.0000000000C69000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: HobLb4ufqE.exe, 00000000.00000002.3285282153.0000000006543000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbL source: HobLb4ufqE.exe, 00000000.00000002.3285282153.0000000006543000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: HobLb4ufqE.exe, 00000000.00000002.3285282153.0000000006532000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: HobLb4ufqE.exe, 00000000.00000002.3284074544.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb<d source: HobLb4ufqE.exe, 00000000.00000002.3284074544.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp

Source: HobLb4ufqE.exe

Static PE information: 0xE4C1C9DC [Tue Aug 14 04:49:32 2091 UTC]

Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_0615E060 push es; ret		0_2_0615E070
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Code function: 0_2_0615ECF2 push eax; ret		0_2_0615ED01

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior

Source: HobLb4ufqE.exe, 00000000.00000002.3285282153.0000000006543000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Users\user\Desktop\HobLb4ufqE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HobLb4ufqE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HobLb4ufqE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: HobLb4ufqE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.HobLb4ufqE.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2042978053.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HobLb4ufqE.exe PID: 4160, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: HobLb4ufqE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.HobLb4ufqE.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2042978053.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HobLb4ufqE.exe PID: 4160, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HobLb4ufqE.exe	61%	ReversingLabs	Win32.Trojan.Jalapeno
HobLb4ufqE.exe	62%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22LR	0%	Avira URL Cloud	safe
80.79.4.61:27996	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20LR	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22LR	2%	Virustotal		Browse
80.79.4.61:27996	10%	Virustotal		Browse
http://tempuri.org/Entity/Id15Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id22Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id18Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id15LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id9LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id13LR	0%	Avira URL Cloud	safe
http://tempuri.org/	2%	Virustotal		Browse
http://tempuri.org/Entity/Id7LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id11LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id19Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id15LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id10Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id5LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id1LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id22Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id3LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id5LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id23Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Responsex	2%	Virustotal		Browse
http://tempuri.org/Entity/Id21LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id5Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id21Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id1Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id2Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id3LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id11Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id7Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id14Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id23Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id5Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id20Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id18LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id16Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id14LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id6LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13Responsex	0%	Virustotal		Browse
http://tempuri.org/Entity/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16Responsex	0%	Virustotal		Browse
http://tempuri.org/Entity/Id16LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id12LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id3Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id4LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id24Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id4Responsex	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
80.79.4.61:27996	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/Entity/Id24LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id5LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id3LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9g	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	HobLb4ufqE.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id23LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id14Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id3Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id4LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2LR	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/actor/next	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4Responsex	HobLb4ufqE.exe, 00000000.00000002.3284635466.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.79.4.61	unknown	Moldova Republic of		49006	SISTEMEMD	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436258
Start date and time:	2024-05-04 06:41:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HobLb4ufqE.exe renamed because original name is a hash value
Original Sample Name:	0222f8da926bf2722f6bef4ac243e5fa.exe
Detection:	MAL
Classification:	mal80.troj.winEXE@1/4@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 77 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
80.79.4.61	SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe	Get hash	malicious	LummaC, Amadey, Fabookie, Glupteba, PureLog Stealer, RedLine, Stealc	Browse
	aXv0VxfPWu.exe	Get hash	malicious	Amadey, Glupteba, PureLog Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse
	aAFT2MDHxI.exe	Get hash	malicious	LummaC, Amadey, PureLog Stealer, RedLine, Stealc, Xmrig, zgRAT	Browse
	aQ5ih9d6UB.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Xmrig, zgRAT	Browse
	n2vzgCmJ7K.exe	Get hash	malicious	Amadey, Fabookie, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc	Browse
	x25SSkTlym.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse
	x5e0c6nlpQ.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, zgRAT	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	explorhe.exe	Get hash	malicious	LummaC, Amadey, Fabookie, Glupteba, LummaC Stealer, RedLine, Stealc	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SISTEMEMD	NXyJTepLSo.exe	Get hash	malicious	AsyncRAT, BazaLoader	Browse	80.79.7.197
	qkDMYDWcDJ.exe	Get hash	malicious	Unknown	Browse	80.79.6.160
	SecuriteInfo.com.Variant.Doina.70962.23498.25743.exe	Get hash	malicious	Unknown	Browse	80.79.6.160
	pcqzfE30rz.exe	Get hash	malicious	Parallax RAT	Browse	80.79.4.144
	pcqzfE30rz.exe	Get hash	malicious	Parallax RAT	Browse	80.79.4.144
	SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe	Get hash	malicious	LummaC, Amadey, Fabookie, Glupteba, PureLog Stealer, RedLine, Stealc	Browse	80.79.4.61
	aXv0VxfPWu.exe	Get hash	malicious	Amadey, Glupteba, PureLog Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse	80.79.4.61
	j2q75jwB7A.exe	Get hash	malicious	AsyncRAT	Browse	80.79.7.197
	aAFT2MDHxI.exe	Get hash	malicious	LummaC, Amadey, PureLog Stealer, RedLine, Stealc, Xmrig, zgRAT	Browse	80.79.4.61
	aQ5ih9d6UB.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Xmrig, zgRAT	Browse	80.79.4.61

Process:	C:\Users\user\Desktop\HobLb4ufqE.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:12 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.467621229062337
Encrypted:	false
SSDEEP:	48:8SXd5TvG/0lRYrnvPdAKRkdAGdAKRFdAKR6P:8SbbM7
MD5:	6044B07915CA53C0034A821257E98961
SHA1:	FAB06AD35762B56042FDB8D8D89864005B441D61
SHA-256:	0D04680FDF38385EFD8196806E066ACF56BEE24F4CBDDD41F40CA723E4B2D734
SHA-512:	182D2191F02B4E07C9D48EEC85E8152744B509D4A70BB036C1FF89D0398D36A046DEE723B8306D2AE16ED21C16B3C91F75BE537D6C2E4A436EC7F5BBF24748FD
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,........W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Temp\Tmp8A0E.tmp

Download File

Process:	C:\Users\user\Desktop\HobLb4ufqE.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp8A0F.tmp

Download File

Process:	C:\Users\user\Desktop\HobLb4ufqE.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\HobLb4ufqE.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	7.621994830361549
Encrypted:	false
SSDEEP:	48:S7SjQDUy2lCdYzrBSz0gGVSEjQSwCI9RlycAAXqE90N:ASUDfUpG9RJAMG
MD5:	9173CFD685C2FC7CF6474912025E480F
SHA1:	EEA8EA56B6C23136621FA312CE6BB078E66E61E8
SHA-256:	3505229CCF55BFA51BEA45B440ABF66C7153639F456F480BA666BDDC0A2E91CE
SHA-512:	BF6FED4A667B8D4AC814D94A40B5EB192997B3EEDD1B68E6B8078E9EFFA2DE90ACE6258F3186134E59DA495D18D45B4538161F20914EA271E4FE10F3471D9BF5
Malicious:	false
Reputation:	low
Preview:	........'...............P...............{41744BE4-11C5-494C-A213-BA0CE944938E}.....................RSA1..................v..XU~l2_.......vj....b.... ..&...X.Y...=q...).....`.1.0..~......5DL. ..S>.......<..y...?YOA.... eb.QD..B..<.!..'J..+.'...4fu.z./....]@.y.b...o...).j'......0}B.j..R..-..2.....'=...@....s....;. .v=..;...\$...G....2S....al.ZQ.Q...w...aXzW.....................z..O......m;PZ..4K.3..CZ+]....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....a.i..]T...]..Q.U.^Y... ,...L............. ....?b.x.........k..l.....7.....P...p..z./...`m.H.W6d.....f..V:..A..9....6WC+.....h..Ed..6..g^S..?..@,_"@.i.BQ(.F.VzO.=Jx..l...P.......\|%t.^..N5..vE.W..&.E.i...'...;_.S)59.Oiv)\.n.Ua.m...+.....kmce...r. .Qd.<.S..c.?{..?.....<&....[n..nI.[['...$.....>].....v....gc....S..\|]R8c}.w..B......R6.\V..w....y....!Z.b0...e?..7$.P...dO....^.@W0. }&.=......'...h@e.i...x.wG...7..'..co...x...`.....b...pG.:......-F.\.L.3a...X[r....xk"T..$....)E...j.2.o.>.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.080784622046203
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	HobLb4ufqE.exe
File size:	311'296 bytes
MD5:	0222f8da926bf2722f6bef4ac243e5fa
SHA1:	152144479eb94028ec92e356f99b562fa414e980
SHA256:	98c5e7aa76e1163df1ac5ea880c213a8b81a2c5b2ba0d87980ac8ffa744f226f
SHA512:	690cc96b3ff6bc3e801b6c142c34afa81feb45e4916898cea0a3ddae41c8aa2b9a794886c2275dd2396e378402e4182209e037a8094fc6e08ce3764e5cbf9999
SSDEEP:	3072:2qq6EgY6iYrUjOU44wPdyWAqeGXHTAftAmKOhcZqf7D34deqiOLibBOM:2pqY6irwPfASXHTA1A4hcZqf7DInL
TLSH:	2C646C1823DC8911E27F4B7994B1E27493B5EC56A856D30F4ED06CAB3E32741FA11AB3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	4d8ea38d85a38e6d

Static PE Info

General

Entrypoint:	0x42b9aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE4C1C9DC [Tue Aug 14 04:49:32 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007F80A4D6BAD2h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
xor eax, 59007400h
add byte ptr [edi+00h], dl
push edx
add byte ptr [ecx+00h], dh
popad
add byte ptr [edi+00h], dl
push esi
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], ch
push 61006800h
add byte ptr [ebp+00h], ch
dec edx
add byte ptr [eax], bh
add byte ptr [edi+00h], dl
push edi
add byte ptr [ecx], bh
add byte ptr [ecx+00h], bh
bound eax, dword ptr [eax]
xor al, byte ptr [eax]
insb
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edi+00h], dl
js 00007F80A4D6BAD2h
jnc 00007F80A4D6BAD2h
pop edx
add byte ptr [eax+00h], bl
push ecx
add byte ptr [ebx+00h], cl
popad
add byte ptr [edi+00h], dl
dec edx
add byte ptr [ebp+00h], dh
pop edx
add byte ptr [edi+00h], dl
jo 00007F80A4D6BAD2h
imul eax, dword ptr [eax], 5Ah
add byte ptr [ebp+00h], ch
jo 00007F80A4D6BAD2h
je 00007F80A4D6BAD2h
bound eax, dword ptr [eax]
push edi
add byte ptr [eax+eax+77h], dh
add byte ptr [ecx+00h], bl
xor al, byte ptr [eax]
xor eax, 63007300h
add byte ptr [edi+00h], al
push esi
add byte ptr [ecx+00h], ch
popad
add byte ptr [edx], dh
add byte ptr [eax+00h], bh
je 00007F80A4D6BAD2h
bound eax, dword ptr [eax]
insd
add byte ptr [eax+eax+76h], dh
add byte ptr [edx+00h], bl
push edi
add byte ptr [ecx], bh
add byte ptr [eax+00h], dh
popad
add byte ptr [edi+00h], al
cmp dword ptr [eax], eax
insd
add byte ptr [edx+00h], bl
push edi
add byte ptr [esi+00h], cl
cmp byte ptr [eax], al
push esi
add byte ptr [eax+00h], cl
dec edx
add byte ptr [esi+00h], dh
bound eax, dword ptr [eax]
insd
add byte ptr [eax+00h], bh
jo 00007F80A4D6BAD2h
bound eax, dword ptr [eax]
insd
add byte ptr [ebx+00h], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b958	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x1c9cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b93c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2e990	0x2ec00	dec6bcaca408518e262f2f6801681bdd	False	0.46955422794117646	PGP symmetric key encrypted data - Plaintext or unencrypted data	6.20357865177658	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x1c9cc	0x1cc00	c6461f5fca381943b46061a39aaf2e5b	False	0.23721976902173914	data	2.6060625012283167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x400	70de2bdc721b7cb1b4aff274dfd9cd14	False	0.025390625	data	0.05585530805374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x321a0	0x3d04	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9934058898847631
RT_ICON	0x35eb4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.09013072282030049
RT_ICON	0x466ec	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.13905290505432216
RT_ICON	0x4a924	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.17033195020746889
RT_ICON	0x4cedc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2045028142589118
RT_ICON	0x4df94	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.24645390070921985
RT_GROUP_ICON	0x4e40c	0x5a	data	0.7666666666666667
RT_VERSION	0x4e478	0x352	data	0.44
RT_MANIFEST	0x4e7dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 06:41:53.150141954 CEST	49699	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:41:54.152806997 CEST	49699	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:41:56.152920008 CEST	49699	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:00.152852058 CEST	49699	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:08.168448925 CEST	49699	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:19.233795881 CEST	49706	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:20.246607065 CEST	49706	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:22.262327909 CEST	49706	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:26.262270927 CEST	49706	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:34.277919054 CEST	49706	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:45.316200018 CEST	49707	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:46.324754000 CEST	49707	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:48.340434074 CEST	49707	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:42:52.343456984 CEST	49707	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:00.481029034 CEST	49707	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:11.513886929 CEST	49709	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:12.528017998 CEST	49709	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:14.528074980 CEST	49709	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:18.543570995 CEST	49709	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:26.543551922 CEST	49709	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:37.560864925 CEST	49710	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:38.574814081 CEST	49710	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:40.575079918 CEST	49710	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:44.574836969 CEST	49710	27996	192.168.2.6	80.79.4.61
May 4, 2024 06:43:52.652976036 CEST	49710	27996	192.168.2.6	80.79.4.61

Target ID:	0
Start time:	06:41:50
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\HobLb4ufqE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HobLb4ufqE.exe"
Imagebase:	0x510000
File size:	311'296 bytes
MD5 hash:	0222F8DA926BF2722F6BEF4AC243E5FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.2042978053.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	9

Executed Functions

Function 0615A3D8 Relevance: 1.5, Strings: 1, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oleProvider" applicationName="/" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> </system.web>, xrefs: 0615A566

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: oleProvider" applicationName="/" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> </system.web>
API String ID: 0-2322611374
Opcode ID: c6f317f670d54d948fa02d65f1c5682c37a957aa47921fb9f44dcb3afac6cf64
Instruction ID: 2c9f15a18c7d34d83ad5830a596d2fd428985def54e1bf5507ea5be417691de4
Opcode Fuzzy Hash: c6f317f670d54d948fa02d65f1c5682c37a957aa47921fb9f44dcb3afac6cf64
Instruction Fuzzy Hash: 7CD1F434901218CFDB58EFB4D854AADBBB2FF8A311F1081ADD50AAB354DB355986CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0615A3E8 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

oleProvider" applicationName="/" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> </system.web>, xrefs: 0615A566

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: oleProvider" applicationName="/" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> </system.web>
API String ID: 0-2322611374
Opcode ID: 02591756be0f41f3d66f00481e9fe406d61eb7943ed34efa8323e2f563d4e333
Instruction ID: 8e42261f3d75dc63217b09b824476759a841d69b3ad7d5846a11a1a984b297fd
Opcode Fuzzy Hash: 02591756be0f41f3d66f00481e9fe406d61eb7943ed34efa8323e2f563d4e333
Instruction Fuzzy Hash: A1D1D334A00218CFDB58EFB4D854A9DBBB2FF8A311F1085A9D50AAB354DB355986CF11

Uniqueness

Uniqueness Score: -1.00%

Function 06153F50 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8155cf8f8ce50e7aacf213592e83741688e8af0b35dbe20acf007547959d0927
Instruction ID: 9d360ee1aaddc3900b90d039e481a91d7e2bffeb720abed64c71f0e8c8fa21a3
Opcode Fuzzy Hash: 8155cf8f8ce50e7aacf213592e83741688e8af0b35dbe20acf007547959d0927
Instruction Fuzzy Hash: 8E127F34B00215CFCB54DF69C894AAEBBF2BF88710B158169E916EB365DB70EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061567D8 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a54e814316614657d71726fddab6258b0b0c72fc00d72604498f9f781579259
Instruction ID: 8a1540dc10eed9a4ea02c51673f1feca0202c558a197bb5be69b6dbf5e67a63a
Opcode Fuzzy Hash: 0a54e814316614657d71726fddab6258b0b0c72fc00d72604498f9f781579259
Instruction Fuzzy Hash: 4AF1CF31A00209DFDB15DFA8D880B9EBBF2EF84300F558569E915AB2A1DB70ED45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D0A8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E2D136
GetCurrentThread.KERNEL32 ref: 00E2D173
GetCurrentProcess.KERNEL32 ref: 00E2D1B0
GetCurrentThreadId.KERNEL32 ref: 00E2D209

Strings

"-, xrefs: 00E2D0D4

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: Current$ProcessThread
String ID: "-
API String ID: 2063062207-2235666382
Opcode ID: 985d5bf69c9c1b09e38974ee7f32c5885fe34a0b0b5b7566ea598c90a1ca1f18
Instruction ID: ee4f9903618a3addfca5b0f10c2fb683a075f4514b1a8e586474d7a62d5f1a99
Opcode Fuzzy Hash: 985d5bf69c9c1b09e38974ee7f32c5885fe34a0b0b5b7566ea598c90a1ca1f18
Instruction Fuzzy Hash: C75158B090134ACFDB44CFA9D94879EBBF1EF88314F248459E119B73A0DB789944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D0B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E2D136
GetCurrentThread.KERNEL32 ref: 00E2D173
GetCurrentProcess.KERNEL32 ref: 00E2D1B0
GetCurrentThreadId.KERNEL32 ref: 00E2D209

Strings

"-, xrefs: 00E2D0D4

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: Current$ProcessThread
String ID: "-
API String ID: 2063062207-2235666382
Opcode ID: b01c8c83eb5944d6df9f11e2673dfade24ece81c702952ed53d1d2742cd7a750
Instruction ID: b536e567fa78fcacd5cc2cb6d7ede1cb217c40872f81a79ae2f3f2d5d8258120
Opcode Fuzzy Hash: b01c8c83eb5944d6df9f11e2673dfade24ece81c702952ed53d1d2742cd7a750
Instruction Fuzzy Hash: A15157B090134ACFDB54CFA9D948B9EBBF1EF88314F208459E119B73A0DB749944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E2AE30 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E2B086

Strings

"-, xrefs: 00E2B03F

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: HandleModule
String ID: "-
API String ID: 4139908857-2235666382
Opcode ID: eab37ee0d8adf48149c4b09ef6cc01cd8f8e7a443eecf00257c0338351c89997
Instruction ID: 2dbcc20ea96e8685192eff27a3b6d68bfb3ebfb76463da18765df81a8a7b3685
Opcode Fuzzy Hash: eab37ee0d8adf48149c4b09ef6cc01cd8f8e7a443eecf00257c0338351c89997
Instruction Fuzzy Hash: 50714770A00B158FE728DF69E14575ABBF1FF88704F04892DE44AE7A40DB74E94ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E24248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E259F1

Strings

"-, xrefs: 00E25974

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: Create
String ID: "-
API String ID: 2289755597-2235666382
Opcode ID: 9f80d061c469e0b716cde04bed4da26e9bb715ec9e8a7002148f2bce41b72db8
Instruction ID: 0358521fb1ebbadb213cf844902f2284ba39f9cb3591667ce8d4b600bc5892e4
Opcode Fuzzy Hash: 9f80d061c469e0b716cde04bed4da26e9bb715ec9e8a7002148f2bce41b72db8
Instruction Fuzzy Hash: D541CFB1C0072DDAEB24CFA9C985B9EBBB5FF48704F20815AD408AB251DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E25935 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E259F1

Strings

"-, xrefs: 00E25974

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: Create
String ID: "-
API String ID: 2289755597-2235666382
Opcode ID: 2be30947fabf4e8392b4a3b122be1994a510da325ca5da6f4d4571f73a2b1a36
Instruction ID: 1cc4fbc838854bcdf07282c8af8d8810a1db8833f56c02293081ca52808c7915
Opcode Fuzzy Hash: 2be30947fabf4e8392b4a3b122be1994a510da325ca5da6f4d4571f73a2b1a36
Instruction Fuzzy Hash: 3341EFB1C00729CAEB25CFA9C985B9EBBB5FF48704F20816AD408AB251DBB56945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A858 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E2B101,00000800,00000000,00000000), ref: 00E2B312

Strings

"-, xrefs: 00E2B2C7

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: LibraryLoad
String ID: "-
API String ID: 1029625771-2235666382
Opcode ID: 111865e95067c3745676e0aafd30484136df64a4520a3c1781afff66e4258ddc
Instruction ID: a3c900878a80e2164dad9d7eb5e3fad13b057edf45a274c7471f8cd33ee34f4a
Opcode Fuzzy Hash: 111865e95067c3745676e0aafd30484136df64a4520a3c1781afff66e4258ddc
Instruction Fuzzy Hash: 9F31ACB2808358CFDB05CF9ED8446EABFF0EB59314F14806AD554A7211C774A505CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D300 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E2D387

Strings

"-, xrefs: 00E2D31F

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: DuplicateHandle
String ID: "-
API String ID: 3793708945-2235666382
Opcode ID: cb41daf6045f60d8e1ceb47f64a8b82c35f0ed021dc9ef84ef9773764ec3c15b
Instruction ID: 8c3f50c5d473fb8872eeaafcfb56b2d85fee8c583efd1802fc3ac807a0e025ec
Opcode Fuzzy Hash: cb41daf6045f60d8e1ceb47f64a8b82c35f0ed021dc9ef84ef9773764ec3c15b
Instruction Fuzzy Hash: 2521C4B5900359DFDB10CFAAD984ADEBBF4FB48320F14841AE918A3350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D2F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E2D387

Strings

"-, xrefs: 00E2D31F

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: DuplicateHandle
String ID: "-
API String ID: 3793708945-2235666382
Opcode ID: de1aedb45e5b3a4c27ebb8324d649f63da0cb1c2ce5160571a2a6a19e6cdb804
Instruction ID: 0b5fca8f37ba29813e14aa477c8e951049515bf805f228f18dc4a01fead766c5
Opcode Fuzzy Hash: de1aedb45e5b3a4c27ebb8324d649f63da0cb1c2ce5160571a2a6a19e6cdb804
Instruction Fuzzy Hash: 0B21E2B5900319DFDB00CFAAE984ADEBBF5FB48324F14841AE958B3250C778A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A870 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E2B101,00000800,00000000,00000000), ref: 00E2B312

Strings

"-, xrefs: 00E2B2C7

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: LibraryLoad
String ID: "-
API String ID: 1029625771-2235666382
Opcode ID: 0ab57713ef2d93feda6118aef29eb1e8096d27259e6c2550833ee294bee26e7c
Instruction ID: ec39a4df37e89b2e1c7f1489ce2a4569edbe045b20f6bde2ae6726bec1cd1fed
Opcode Fuzzy Hash: 0ab57713ef2d93feda6118aef29eb1e8096d27259e6c2550833ee294bee26e7c
Instruction Fuzzy Hash: D41103B6800349DFDB10CF9AD444A9EFBF4EB88324F14842AE519B7210C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B2A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E2B101,00000800,00000000,00000000), ref: 00E2B312

Strings

"-, xrefs: 00E2B2C7

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: LibraryLoad
String ID: "-
API String ID: 1029625771-2235666382
Opcode ID: bcad9eb8e7e99ac06bf4d04b05082d2d301469597959306b5c87f5c3536cd153
Instruction ID: 80cc7cc09b5186b8516101e49ec0def38ff312a70ae830fc033e7fbb01e9c934
Opcode Fuzzy Hash: bcad9eb8e7e99ac06bf4d04b05082d2d301469597959306b5c87f5c3536cd153
Instruction Fuzzy Hash: E411E4B6800349DFDB10CF9AD444BDEFBF4EB88724F14845AD529A7210C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B020 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E2B086

Strings

"-, xrefs: 00E2B03F

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID: HandleModule
String ID: "-
API String ID: 4139908857-2235666382
Opcode ID: 43eb5b68c75325ba18806afad5f15f49154c939c1f5fd5fe73e88704c185d621
Instruction ID: 4610d50a6c8bc9a430b443e1b40d82021278970aea3043b35ad0ad410f385f58
Opcode Fuzzy Hash: 43eb5b68c75325ba18806afad5f15f49154c939c1f5fd5fe73e88704c185d621
Instruction Fuzzy Hash: F211FDB6C00749CBDB20CF9AD444A9EFBF4AB88724F10841AD428B7210C3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06157D58 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"-, xrefs: 06157F17
"-, xrefs: 06157D7D

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: "-$"-
API String ID: 0-2195019045
Opcode ID: 9b65b8cf11bf4acb4b36b5fb54974c9a8d44175aa97e190b3e0d7bedb12783bc
Instruction ID: fd078de150cb7a6f0bbd15375b98e963270a73c1ffbd9a9fc20ea07b01b97f5b
Opcode Fuzzy Hash: 9b65b8cf11bf4acb4b36b5fb54974c9a8d44175aa97e190b3e0d7bedb12783bc
Instruction Fuzzy Hash: 6F511471E00358DFDB55CFAAD981BDEFBB5AB88700F15852AE825A7284DB749841CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06157D4C Relevance: 2.6, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"-, xrefs: 06157D7D
"-, xrefs: 06157D9D

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: "-$"-
API String ID: 0-2195019045
Opcode ID: f91dd2a9b6a84c9ee71edaba266c2c6f10f1b874998c771314a1e85962b67d7b
Instruction ID: 60d4bf8384f097d183ea5ffd4c2a7fd947497dd678040e1110bd430931b5003f
Opcode Fuzzy Hash: f91dd2a9b6a84c9ee71edaba266c2c6f10f1b874998c771314a1e85962b67d7b
Instruction Fuzzy Hash: 84511270D00359DFDB55CFAAC992BDEFBF5AB48700F14852AE825AB284DB749841CF80

Uniqueness

Uniqueness Score: -1.00%

Function 061559D8 Relevance: 1.5, Strings: 1, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 06155C29

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a5ef241155b462c17ff7aac92ff67987b3ed8f71e91ae9b83aa6a464cc35b56e
Instruction ID: 1c49d1abd3bb6a3d802238c75a0d5a8045dd22b58d3d24800e0b436cea6cd097
Opcode Fuzzy Hash: a5ef241155b462c17ff7aac92ff67987b3ed8f71e91ae9b83aa6a464cc35b56e
Instruction Fuzzy Hash: 8CC13C34600602CFC725CF18C49096AFBF2FF89310B56C999D96A9B666D730FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061587A0 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

"-, xrefs: 061587C5

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: "-
API String ID: 0-2235666382
Opcode ID: 75a2b388a84d6dd6ed5a0670804a587e3aa90a5a27d3c8c7868a3dd9d95cefed
Instruction ID: 91a068a0b0aa04963db8d4b910d3164ace919cfeb93b7daefc45b6e60864b333
Opcode Fuzzy Hash: 75a2b388a84d6dd6ed5a0670804a587e3aa90a5a27d3c8c7868a3dd9d95cefed
Instruction Fuzzy Hash: 3441D1B1D01258DFDB58DFAAD940ADEFBB6EF88310F10802AE815B7250DB74A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06158795 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

"-, xrefs: 061587C5

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: "-
API String ID: 0-2235666382
Opcode ID: f99a077faed4d96b36fa5942e69d87ef22e6f0a96732885b5c98f96eb3b98698
Instruction ID: 38db80db7c9f5cbadbb16e1cc203a26203f7c0a6474e5ad52c53a850509260ff
Opcode Fuzzy Hash: f99a077faed4d96b36fa5942e69d87ef22e6f0a96732885b5c98f96eb3b98698
Instruction Fuzzy Hash: 33310DB1D01258DBDB58DFAAC940ADEFBF6EF88300F14802AE825B7250DB759945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06158A98 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

"-, xrefs: 06158ABA

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: "-
API String ID: 0-2235666382
Opcode ID: 4845b6e42e62752b88688af533c07c72befe286eb566f8805c13a766e4d56f8a
Instruction ID: 5e207fb15f6635fcd165926b105e11b201382dd558d99bd4610c14edd869828c
Opcode Fuzzy Hash: 4845b6e42e62752b88688af533c07c72befe286eb566f8805c13a766e4d56f8a
Instruction Fuzzy Hash: 503103B1D01218DFDB54DFA9D990B9EFBF9AF88310F14842AE815B7240DB74A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06158A8C Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

"-, xrefs: 06158ABA

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID: "-
API String ID: 0-2235666382
Opcode ID: 563cd56d300ba416a86781645d5e07c55e8a2b8e61297bb8e26ed21b125646da
Instruction ID: 13f195c042ff2f6afe36ef6e5ba5b1f221f76f5f6bea9074687f9e170d3d11bb
Opcode Fuzzy Hash: 563cd56d300ba416a86781645d5e07c55e8a2b8e61297bb8e26ed21b125646da
Instruction Fuzzy Hash: 42210FB1D01358DFDB54DFA9C990B9EBBF9AB48310F24802AE815B7240DB74A845CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 061548B8 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90266331aa86075fb53409104aefe7560f54a4ebc59e08c55d00b6c3a5cf60f
Instruction ID: 9bfd5177e768f8924c286715e44f0c31390df9bedaa2708ea289a912ed6f6365
Opcode Fuzzy Hash: b90266331aa86075fb53409104aefe7560f54a4ebc59e08c55d00b6c3a5cf60f
Instruction Fuzzy Hash: 59325C34B00605CFDB58DF29C484A6ABBF2FF89304B1684A9E916DB365DB30EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061548A8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4589b8b9857b5caf5f3660865f4d6e3d93505ebadb962fe418984cbe45204c9f
Instruction ID: 4dfad283ea8863e231ef507a0d8f9918b81c1469383a52fb6658918785a1736d
Opcode Fuzzy Hash: 4589b8b9857b5caf5f3660865f4d6e3d93505ebadb962fe418984cbe45204c9f
Instruction Fuzzy Hash: EBB14838B00605CFDB54DF29C488A6ABBF6FF89304B1644A8E556DB362DB30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 061559C8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8ad03f0d9e2a02e1a6272fb4a4c69c7df48ff1823b2daa8476cbda5e893bbc
Instruction ID: 5459a9e0b6c177d6057ee03402d60ba647838876dfc2d865d7fd10ad7c7482b1
Opcode Fuzzy Hash: 5a8ad03f0d9e2a02e1a6272fb4a4c69c7df48ff1823b2daa8476cbda5e893bbc
Instruction Fuzzy Hash: B2511835A00606CFCB54CF59C8849AAFBF2FF89310B56C999E9599B761D730F805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06153DE0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c36d442a5a877bea0a7fc647e5a08f23535b6e29bb10d7754829702b08c4c
Instruction ID: c8199f70e3e1ba5a09691b73a5e20baf79c3f0077e35005c156ced16eb5db724
Opcode Fuzzy Hash: 117c36d442a5a877bea0a7fc647e5a08f23535b6e29bb10d7754829702b08c4c
Instruction Fuzzy Hash: E931F5317047508FC72AA778A45065E7BE6DFC635431A44AAE45ACB391DE34EC07C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 06155579 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f218350af424f1a34472f8441017e082e4fdae6ed3a960e333a33ebf9e7bb1f3
Instruction ID: b4166695907c40e1e8b3841740e9561d372f4e19b6c5848bc6e47816a6b1c7a3
Opcode Fuzzy Hash: f218350af424f1a34472f8441017e082e4fdae6ed3a960e333a33ebf9e7bb1f3
Instruction Fuzzy Hash: 76315879B016509FCB15DF38D88495EBFB2BF89200B118469E915CB3A5DB31ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 061584C8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e5344d601859c1ff95a84530aa21a07a82b4e7cffcc68c96f8513b1a8eb5f1
Instruction ID: ea99c96fd85bc3700f5cdb03829195f460c78db1123743e904d1751814e629dc
Opcode Fuzzy Hash: 49e5344d601859c1ff95a84530aa21a07a82b4e7cffcc68c96f8513b1a8eb5f1
Instruction Fuzzy Hash: 5C31D1717002048FCB49EB79A4605AE7BE7EFC8200B544479E60ACB385EF74AD0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 06155588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665495eebb4775c0200786f10b6e88623f25500c5a9534c8387bc9a4683daf36
Instruction ID: 9e53088ac58d18ac1fe51ca5271c59deebaa2cbc33bbee3acd86e8fbec3d2c07
Opcode Fuzzy Hash: 665495eebb4775c0200786f10b6e88623f25500c5a9534c8387bc9a4683daf36
Instruction Fuzzy Hash: E6315539B01611DFCB25DF38D88496EBFB2BF89200B108469E9168B3A5DB31ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0615F920 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad47e8d5f3426e297d539fc989cf4d9849198b8887e15335f741fe42544e403d
Instruction ID: 4a96f1c7ae25198438efd3e6bf3713d8cbd0c426e27eda742fe5177a98c622cd
Opcode Fuzzy Hash: ad47e8d5f3426e297d539fc989cf4d9849198b8887e15335f741fe42544e403d
Instruction Fuzzy Hash: 483146357043509FD75D6B78E82856A3FABEBC6210B0404ABE606CB395EF304C02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3283875727.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc44db92f696bed0b89ffd9af4247ba56abffae2ce6c75d23996810d5bef3173
Instruction ID: 8964154f81a1689f7d4da1e733ac1d3423473ba171827d1a1c26d952e9e3c501
Opcode Fuzzy Hash: fc44db92f696bed0b89ffd9af4247ba56abffae2ce6c75d23996810d5bef3173
Instruction Fuzzy Hash: 74213A76504204DFDB05DF14D9C0B26BFA5FB94324F20C5ADE9090B356C33AE956DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3283924149.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b5d000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dab3c982c5c4f44246d51a3a1eeee750c8108d17309ab8a3e4ce16e1bafd74
Instruction ID: 42c5296902fa53f49ff27cf7e5f19cf7717507c91e388444744c491be9bf74d4
Opcode Fuzzy Hash: 46dab3c982c5c4f44246d51a3a1eeee750c8108d17309ab8a3e4ce16e1bafd74
Instruction Fuzzy Hash: D1212575504240DFDB24DF14D5D0B26BBA1FB84315F28C6EDDD0A4B292C37AD80BCA61

Uniqueness

Uniqueness Score: -1.00%

Function 06158F42 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3d15901529e1ea701a9f3a7061e67fdff2105d906a2eeb1d956fbe37540f5c
Instruction ID: 7553e926875e6bf82b49c82930ce574dbcbf3a4689058b7081f05ae63e91ee6d
Opcode Fuzzy Hash: fd3d15901529e1ea701a9f3a7061e67fdff2105d906a2eeb1d956fbe37540f5c
Instruction Fuzzy Hash: 25213074D0426ADFCB84CFA8D0846EDFBB1EB09315F1140AAE921A7391D7340A81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3283924149.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b5d000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d543a8d7b3e628c83fa6346eb213e35b07ed2e6856d46777d609132b17146a
Instruction ID: 0c339957e535836f1a0eae5d37150aae2d88f239784e4ada220d6df778e0b722
Opcode Fuzzy Hash: 47d543a8d7b3e628c83fa6346eb213e35b07ed2e6856d46777d609132b17146a
Instruction Fuzzy Hash: 3C2187755093C48FDB16CF20D594715BF71EB45314F28C6DAD8498B6A7C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0615BC5F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a1283e2f6fad38b1677f56950c29138825ddc92974d17ec4f50eafba7e57fa
Instruction ID: c7c87d63f7afab6f8c68ef92da054c1cb9135bb533ca2e6665bc768765ccd4c9
Opcode Fuzzy Hash: c6a1283e2f6fad38b1677f56950c29138825ddc92974d17ec4f50eafba7e57fa
Instruction Fuzzy Hash: B801ED70200200AFD7ADAB34A854A6E3FE7EEC2250B181A1DE207CBA00CD707E0687F1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3283875727.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 5f5bf2a02a40892eadd4cf53bee52a9d7bfc0be9e8ef67009677179f966a1401
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: F011B1B6504280DFCB15CF10D5C4B16BFB1FB94324F24C6A9D8490B756C33AE956DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06156E90 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfac6cef1c4d58a6246b9014b8128acf9245ff0ee9a5ed67c1043e05541ed8dd
Instruction ID: 7e78bc1a8daf084321b6824fa5ff73dc8c2ab725dcd5798de032c0b11e7c10db
Opcode Fuzzy Hash: cfac6cef1c4d58a6246b9014b8128acf9245ff0ee9a5ed67c1043e05541ed8dd
Instruction Fuzzy Hash: 6801F7772040942FCB615EA95C50AFB7FEDDB8D162B194166FFD4C2241C418C9116BF0

Uniqueness

Uniqueness Score: -1.00%

Function 06158350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91153a2bce5eaa5a8d8e1e662f83bb9c7c0f632213740195b0f3585b2e9194a4
Instruction ID: 018fc7aad8958f983f6f7b1c14fd3aa7e1d0ac0fc31bb21d0cafea95d6ac6f9f
Opcode Fuzzy Hash: 91153a2bce5eaa5a8d8e1e662f83bb9c7c0f632213740195b0f3585b2e9194a4
Instruction Fuzzy Hash: C701DF32B001199BDB54DEA9EC84ABFF7FAEBD4650B14403AEA14D3240EB7099158BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0615C499 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b30dbd639000bbbac98ce3487021387ebc4433789faf735f394028c24f9496
Instruction ID: 930cd51bd6d78d0e37a392b431db02760f814bc377ec991e45cf289082145c6e
Opcode Fuzzy Hash: 08b30dbd639000bbbac98ce3487021387ebc4433789faf735f394028c24f9496
Instruction Fuzzy Hash: 8101C4352042048FE369AB74E41466A7BE3EFC5311F14866ED1469B745CF789D0A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0615BC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2cd10071822942e9725ed6f55694e61c2bb8570bb40d81af47ce515bfb0fcd
Instruction ID: 6561d8746d27d6e3faf26afa3e265b4c652160b4d63174be61b2167ddb8f5961
Opcode Fuzzy Hash: 6a2cd10071822942e9725ed6f55694e61c2bb8570bb40d81af47ce515bfb0fcd
Instruction Fuzzy Hash: 6D01B1712002018B97DCAB78E45462E7AE3EFC1654B58592DE207C7B04DDB07E4687A1

Uniqueness

Uniqueness Score: -1.00%

Function 0615ACB8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5b6d60f4723e587fd6bba13c259a2f806ef8a3ef8c4d0a5b8f458915d2eec6
Instruction ID: b374a9d90762803274086e0126bdc08ec2e7ff8782842cc00fa2eb062de7cf2f
Opcode Fuzzy Hash: de5b6d60f4723e587fd6bba13c259a2f806ef8a3ef8c4d0a5b8f458915d2eec6
Instruction Fuzzy Hash: C1F02872709254AFC3A61BA86C154AA7F65D9C2351349059FE642C7341CF584902D3F2

Uniqueness

Uniqueness Score: -1.00%

Function 0615E8B0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ed327e5c7100216cdfc5d1a77f592ff15ba60fd9a0226e613b6d80ece093e
Instruction ID: 335a5318fc4087aa5e300f6d119669e3d46a1d44c90601fa2593ad5c0fa8eb0f
Opcode Fuzzy Hash: c61ed327e5c7100216cdfc5d1a77f592ff15ba60fd9a0226e613b6d80ece093e
Instruction Fuzzy Hash: D801F434618308EFCB06EB74D81489A7FBBEF86600B0485E9E905CB262DB32DD11D791

Uniqueness

Uniqueness Score: -1.00%

Function 0615B2D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cb9ea56dd24eff4bdc9677725df5cc0e7a26127a197aceb75d25a0cf92adf1
Instruction ID: 9ace52710aac00124aec05b1d516d44626750e35e530c106e8a833fdfd6b5da9
Opcode Fuzzy Hash: b8cb9ea56dd24eff4bdc9677725df5cc0e7a26127a197aceb75d25a0cf92adf1
Instruction Fuzzy Hash: 4001F534906244DFCB49FF74E845899BFB2EF82710B0859CEE41A8730AEB341A05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0615C4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4453618cfe54506a99c458b21eaf0a94e2501d359777c422e631e328d79d00
Instruction ID: 19efbbc6aa2af9a52b52b429507abc1a71437868125a6bd4aca403cbbe65b775
Opcode Fuzzy Hash: 4c4453618cfe54506a99c458b21eaf0a94e2501d359777c422e631e328d79d00
Instruction Fuzzy Hash: 4B01B1352002048FE368EF79E41865A7BE3EFC5711F148A2ED14B97744DFB8A90A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 06155508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7483e3395246940e95ac38d77226e83edec3a982a5e5c671c1730b90f651d4de
Instruction ID: d6900557820a3c0892114bd053a2c936bb5be9848baa843444694a4a4813cf24
Opcode Fuzzy Hash: 7483e3395246940e95ac38d77226e83edec3a982a5e5c671c1730b90f651d4de
Instruction Fuzzy Hash: 3C018134A21702CFDBA99E39A404627FBF7BF84215B16883CE91686615DF75E480CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0615B358 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12cd2185a81bd52990f9775c279ff9485f28f99909d7f5a8c6ef3dda71c835c0
Instruction ID: d745bf9d195b7a668b5ea357c0d6ad43356ed5d485c333dbcbb9611886dd895c
Opcode Fuzzy Hash: 12cd2185a81bd52990f9775c279ff9485f28f99909d7f5a8c6ef3dda71c835c0
Instruction Fuzzy Hash: 9401DF70906249EFCB09EBB8E89459CBFB6FF45200B1805AAE405E7345DB301F45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0615C170 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea412a49992fcfc6b5eeb815a5ca533a196c72fb01abde32b30408ae615cf73e
Instruction ID: 8140dccb0bc436f2a4514112a30d5ee8719b4904af1de303b428a200aa55451c
Opcode Fuzzy Hash: ea412a49992fcfc6b5eeb815a5ca533a196c72fb01abde32b30408ae615cf73e
Instruction Fuzzy Hash: DB01A435501B00AFD365DF26E818562BFFBFF89311B00861AE487C2A14DB35A54ACFD5

Uniqueness

Uniqueness Score: -1.00%

Function 06158F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a124ec6fad17e0a05d87b11500c2d97096a56dd918b6eb3aec6684e740ef5fbc
Instruction ID: 321e9f57708447ac72fba8469f0f422af96d7141d1b875ba833f1fdc3201e28c
Opcode Fuzzy Hash: a124ec6fad17e0a05d87b11500c2d97096a56dd918b6eb3aec6684e740ef5fbc
Instruction Fuzzy Hash: CE01D2B4D0426AEFDB84DFA9D9446AEFBF1FB48305F1085AAD825A3350E7740A40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0615ADE9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efccda3ee1f6a8e48b794f784174cf9e92fa9f4e3a4c1a6c6fefbb3d7cc6f5be
Instruction ID: 4dcbe7a9de99534560d80c9a8a5f3e5e6436754037b2d99e181fb7f246ab4961
Opcode Fuzzy Hash: efccda3ee1f6a8e48b794f784174cf9e92fa9f4e3a4c1a6c6fefbb3d7cc6f5be
Instruction Fuzzy Hash: 39F02E312051406FC3952B69A8557DF7FDBDFCB764B04015EF10AC7343C969194543B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D5F3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3283875727.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7c111551b00e8a48d2cb15f3bba0ce0671d17d50e3ad95f9c2755097ca7147
Instruction ID: fede9520898cd426e7e296b185f2d66bf046efa15329241d37475906dd35e6e9
Opcode Fuzzy Hash: 8e7c111551b00e8a48d2cb15f3bba0ce0671d17d50e3ad95f9c2755097ca7147
Instruction Fuzzy Hash: 24F0FF76200604AF97108F0AD984C27FBEDEBD4770715C59AE94A4B656C671EC41DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 061567C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69ae566bd69c843b1601e7ee627687a5835bea44eaa667313b6de236490428c
Instruction ID: c8e261f654c7108378af4de04d6eaa299e9f09427e5ad2bf940cfe549efa8d4e
Opcode Fuzzy Hash: a69ae566bd69c843b1601e7ee627687a5835bea44eaa667313b6de236490428c
Instruction Fuzzy Hash: C4F09031B04300ABD7209A68D805F96BFE5AB86714F56816AF664CF1E2EBB1E80597C1

Uniqueness

Uniqueness Score: -1.00%

Function 06153EC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3abc2c4dcda15a962abd5f47b75f8e35fa71e0484cd7cb51d6322357b528531c
Instruction ID: 43e27923fe4d5ab83f903b94b43bf8e8e09cf79aeb1e5898713d8422bc14776f
Opcode Fuzzy Hash: 3abc2c4dcda15a962abd5f47b75f8e35fa71e0484cd7cb51d6322357b528531c
Instruction Fuzzy Hash: 27F0B4303002018FC62CE769E451A6E7BD7EBC9250314492DE10B9B744EFB0BD0687F1

Uniqueness

Uniqueness Score: -1.00%

Function 06156EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f740b98c9f785184ff62eebb71baede7fa7f12f7610363580f279164a75e1bbf
Instruction ID: 2c98d6cf2151afd54e46a488e5437c7dd639e6e7f1fed552e9644ec112c6f319
Opcode Fuzzy Hash: f740b98c9f785184ff62eebb71baede7fa7f12f7610363580f279164a75e1bbf
Instruction Fuzzy Hash: 44F037772041E83F8B654E9A5C10DFB7FEDDA8E561B084156FFD8D2241C429C961BBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D5E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3283875727.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f37fa6b562f836c7e800f9721ba28235e078e7da9dcfaed389ab30fd11077e
Instruction ID: 7dafe0be937d9c663d78a3a0ad4b5d7994cd2e7fb49cfff8e96b4c543fb523e7
Opcode Fuzzy Hash: c1f37fa6b562f836c7e800f9721ba28235e078e7da9dcfaed389ab30fd11077e
Instruction Fuzzy Hash: 12F03C75104680AFD3158F15C984C23BFF9EF8976071AC489E88A4B262C671FC42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0615C110 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6dce87a61aae5e335a57cdb8a2c4add236c8e6ae12ca7f2e0dbfd2d4e0327fc
Instruction ID: 0f5f3de321b6809ec87150dc0a54f4f2ddc3e43cacdb5c285eb90bbf53c24a31
Opcode Fuzzy Hash: b6dce87a61aae5e335a57cdb8a2c4add236c8e6ae12ca7f2e0dbfd2d4e0327fc
Instruction Fuzzy Hash: D5F0B4302097D05FC316A738E814A9B7FE7DFC3204F0C059FE282CB652CAA56A09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 06158FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7f8e5f8156f738de9a0048a3c7bca8bf61675be49c676a3e55c64d493031bb
Instruction ID: e8ab73e91c08ebc7828d676909151c76a7b8966166e83e68d4065dffac5cf124
Opcode Fuzzy Hash: ca7f8e5f8156f738de9a0048a3c7bca8bf61675be49c676a3e55c64d493031bb
Instruction Fuzzy Hash: AEF0A9B5D08169EFDB80CBA0C8140ADFFB0EB1A301F0546CBE866E7350E7784A01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0615B368 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815a0e67eb3c2f77baa96a28bf0c964b04b1c1d7f0943e0ec9d33c64fa1b58fc
Instruction ID: 3ef760cb4aa680785dfd65a317d2be601b805c8b29ae8589b50254938aafc48e
Opcode Fuzzy Hash: 815a0e67eb3c2f77baa96a28bf0c964b04b1c1d7f0943e0ec9d33c64fa1b58fc
Instruction Fuzzy Hash: E9F08C70A01209EFCB08EFB8E54855CBFF2FB85200F1855AAD506E7304DB301B048B40

Uniqueness

Uniqueness Score: -1.00%

Function 061554F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62126bfcb41db31c6ae9498ea17b0c734406b860008eef57fd3b59d248481d3f
Instruction ID: 2d20a948d65b91f6c7b300c02b011f17e38f8ce49bbc0d1e9c4cc435a65997d2
Opcode Fuzzy Hash: 62126bfcb41db31c6ae9498ea17b0c734406b860008eef57fd3b59d248481d3f
Instruction Fuzzy Hash: 76F02431910701CFEBB8CE61D50076BFBB3BF80324F09886DD45246911CB74E485CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0615AC60 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45626ea58e6005a33db0db8110ebbc391b8c066ee2b65cd4e4888dc6fcb6e55
Instruction ID: 607771b07d702eba195f897afd85f16933391f75b923b54b297913ae07326b3f
Opcode Fuzzy Hash: c45626ea58e6005a33db0db8110ebbc391b8c066ee2b65cd4e4888dc6fcb6e55
Instruction Fuzzy Hash: ABF0A7312082A46FC71717386C354DD3F6ADAC672470900DFD146CB383CD590A45C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 06158340 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932cdd55e24d3e0e72b2ca07e351e71aea27440d295c51db800a4512fd861bb2
Instruction ID: 57063fdd338232c8bb4177fcd46964bcc0f0bf43e3150714253c7c35233160af
Opcode Fuzzy Hash: 932cdd55e24d3e0e72b2ca07e351e71aea27440d295c51db800a4512fd861bb2
Instruction Fuzzy Hash: 18F0A735B141258BCF84DE78AC446BEBBEAAF94295F09443ADA54C3140EB30C415CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0615ADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013638ad31074ca4027887dda8986f09f6b630cdd7340c7999e165afb398b958
Instruction ID: e49638ef1164108d2d00858aedb27c68155cc690db77eeba8c6510a0a3b002cd
Opcode Fuzzy Hash: 013638ad31074ca4027887dda8986f09f6b630cdd7340c7999e165afb398b958
Instruction Fuzzy Hash: F0E09231201104ABD3982B9AA448A9F7ADBEFCA761B04412EF20EC3342CE69180547B5

Uniqueness

Uniqueness Score: -1.00%

Function 0615C180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6ccd632d1673cdb5994887a9ff425d4894b745f4b0141687ad3f57e7d07476
Instruction ID: 6a50db45d9a8009f08018eb7f96eb405f78cab5978d346ed55918b91d16514a1
Opcode Fuzzy Hash: cd6ccd632d1673cdb5994887a9ff425d4894b745f4b0141687ad3f57e7d07476
Instruction Fuzzy Hash: 8CF06D35500B019FD769DF26E448512FBF7FF88301B00862AE44B82A14DB70A54ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 06155698 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f567486489107a6256392e8d0df02b260016bd640df1c5c0ce05a0f2b9380079
Instruction ID: 5906cb88bb7d6b527435ead5a8e45f935d5d6dc75c205a98b59938ea4cbb6b8f
Opcode Fuzzy Hash: f567486489107a6256392e8d0df02b260016bd640df1c5c0ce05a0f2b9380079
Instruction Fuzzy Hash: CBE0E5B210D250AFD345DA24A805997BBE9EBA5320B5688AEF484C7251F731E842CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0615B500 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0649f7156b1c5ef313ae8264282baf5e43bb9e1280410a723dd7c7ab51cc9d
Instruction ID: dae5b9f6c1952effcdcf074d1de4ec0a705d9f2ddc0bf04d61ba23e817598fa2
Opcode Fuzzy Hash: 8a0649f7156b1c5ef313ae8264282baf5e43bb9e1280410a723dd7c7ab51cc9d
Instruction Fuzzy Hash: 87F01535D0120CEFCB01EFB4D9498CDBBBAEB44204F2442A6A805E2244EA305B458B91

Uniqueness

Uniqueness Score: -1.00%

Function 0615C120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c6cb77004134c64b4c7324a75c20e3f67858d8a10501b1f7c648bfae3a1d3b
Instruction ID: 3ec81b39c200fc12bd4b82aa7388b02ee199d3050292dd1b1e7bef0ca5f80cd0
Opcode Fuzzy Hash: a1c6cb77004134c64b4c7324a75c20e3f67858d8a10501b1f7c648bfae3a1d3b
Instruction Fuzzy Hash: 06E030312047518FC755AB29E40879EBFE7DFC6314F08052EE24687745CAA569068791

Uniqueness

Uniqueness Score: -1.00%

Function 0615CC38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033f75b8eb80f53cc9a3042fcfec5d164dd154d8019496f05cf765ac61e53d54
Instruction ID: 2809f835172023ec03a45a0d2574992fa2452f6016cd4a7fe91828275e2920e4
Opcode Fuzzy Hash: 033f75b8eb80f53cc9a3042fcfec5d164dd154d8019496f05cf765ac61e53d54
Instruction Fuzzy Hash: EDE04F31206390DFD756FA25FC08ADB7FA5DB86610F05515AE2009774ACB300A479BE3

Uniqueness

Uniqueness Score: -1.00%

Function 0615CE88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683e406c760ad68b8a54a0040b92a894f4bad82a945f7dae38306495e485eec8
Instruction ID: 8edd52c50bef622f5ddb6f54cd2a45d1772bd5d9ac3a64be44c362498f4ebafe
Opcode Fuzzy Hash: 683e406c760ad68b8a54a0040b92a894f4bad82a945f7dae38306495e485eec8
Instruction Fuzzy Hash: 9BE02630006380FFD742BB34F809A963FB9DB42610B050189EE4097B0ADB305D42C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0615E280 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b47f08981ee22e9631e90d07bbb3fcf117f45283bb072ea5b113b05303203f
Instruction ID: 4f556992cb60a8cb428fd7b0272ac685d923fe36f1fd80f5e3a52bd32b9ac83a
Opcode Fuzzy Hash: 37b47f08981ee22e9631e90d07bbb3fcf117f45283bb072ea5b113b05303203f
Instruction Fuzzy Hash: E8E0DF34405700EFCB15FB30BC02A963BE6E789B00F011045EA006B2AACB740B4ADBD3

Uniqueness

Uniqueness Score: -1.00%

Function 0615E1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb463756b52dfe00b5729e11e4c08a9324e33674131ed64c0aac9133a90d0f6
Instruction ID: 80f7db67868faaa1cdbc9e88f1e8ba7edf5f98761e10da41586253abcfc84e8a
Opcode Fuzzy Hash: 9cb463756b52dfe00b5729e11e4c08a9324e33674131ed64c0aac9133a90d0f6
Instruction Fuzzy Hash: 97E0DF71A05248EFCB01DF64E90199D3BB2DB82300F2441DBE809E7351E6710F119752

Uniqueness

Uniqueness Score: -1.00%

Function 0615E8F8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e3ff202a4176f10910723851434a0dac8cddb0727b2c2397d005167583f273
Instruction ID: 8f1f511a664e657ae245691dcbc4b849af00783fd738edce52df5a15c2d2eba4
Opcode Fuzzy Hash: 58e3ff202a4176f10910723851434a0dac8cddb0727b2c2397d005167583f273
Instruction Fuzzy Hash: 2AE0173922A244AFC702AB68DC41C963F79EF4A62030841C6F5418F273C622A921DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 0615F910 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838db5f3b782576d7e45005ffd81f7f0c88f53be5902dd2eba3faf8e34e52ea0
Instruction ID: 5bee14ba4ea1c608cc426e8b2459077f6f5728b2d57741ee43de44934095b7ac
Opcode Fuzzy Hash: 838db5f3b782576d7e45005ffd81f7f0c88f53be5902dd2eba3faf8e34e52ea0
Instruction Fuzzy Hash: 4ED02B347056246F8709127968240E7BBAB9BC621031680A3F515CB645CE354C0A83E1

Uniqueness

Uniqueness Score: -1.00%

Function 0615AC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b329a07c221bfb582cf9cb0f0736041cf8e5d876e4494b3fbfbb062e5dea06
Instruction ID: 9886a817c607d15d704b2c3e76251e89972ee1734e4d982063307778b16b1313
Opcode Fuzzy Hash: 37b329a07c221bfb582cf9cb0f0736041cf8e5d876e4494b3fbfbb062e5dea06
Instruction Fuzzy Hash: 7ED05B313105186B8759276DB4184AE7FDBDBC5771305016EE707C7340CF691D4147D5

Uniqueness

Uniqueness Score: -1.00%

Function 0615B510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728fd83a9ac102c4d811668fd39282979292df692dccb6e7c80f9aca85ff7fc7
Instruction ID: 5214bbe5b2c032b0c52bd5f943babdb129f8f60ae5c08e511a5327306ba85002
Opcode Fuzzy Hash: 728fd83a9ac102c4d811668fd39282979292df692dccb6e7c80f9aca85ff7fc7
Instruction Fuzzy Hash: FAE07575D0020CEFCB44DFA5D5458DDFBBAEB48200F2482AAD905A3204EA305B559B80

Uniqueness

Uniqueness Score: -1.00%

Function 0615E210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10afd890b74d3905255c1c7b01239149e0f5de3c5dd5d8d3706403a5d453a91c
Instruction ID: 6f5bcf637f1c337f919e422637be1b9e43b4842aeb51ae9e5d0cb6119dc5b03d
Opcode Fuzzy Hash: 10afd890b74d3905255c1c7b01239149e0f5de3c5dd5d8d3706403a5d453a91c
Instruction Fuzzy Hash: 07D01771A0020CFF8B44EFA8E90195DBBFAEB84204B2041AED509E3300EA712F00AB91

Uniqueness

Uniqueness Score: -1.00%

Function 0615F8EA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e92a605ccbb57d1682a6fd231dda2c90e83f648a7a3d7202e70f3717b5b315
Instruction ID: c01cf88b91c3355f9e7909f0723017d9a3d3c2680b1c4d05e94839abce986415
Opcode Fuzzy Hash: 40e92a605ccbb57d1682a6fd231dda2c90e83f648a7a3d7202e70f3717b5b315
Instruction Fuzzy Hash: 19C012727000200B02E8AB6C701416D66D782C86A338942ABE60FC338CCE608E466B81

Uniqueness

Uniqueness Score: -1.00%

Function 06153721 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58490fd9d1f8bd3ef21037499cce16fef13fd6e8102eae559bbb6f1621df2eb
Instruction ID: 3e6c9a301e8d85cc7ba6955c86e6de19d6fcf974b6b9fc4bcde6ca7723bb1e8c
Opcode Fuzzy Hash: c58490fd9d1f8bd3ef21037499cce16fef13fd6e8102eae559bbb6f1621df2eb
Instruction Fuzzy Hash: BFC08CB50593802FCB0312509C16F927F702B96B01F038082F6C08B1D791611514DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0615DFD1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f1447bd336eda30662d419689e6e7c1b1c59ec80bad0a61661fb82bf7268e
Instruction ID: ee76e100b0e046d70fe0c983e266023948f4be765be35565a03ea22b7ccae3aa
Opcode Fuzzy Hash: a15f1447bd336eda30662d419689e6e7c1b1c59ec80bad0a61661fb82bf7268e
Instruction Fuzzy Hash: 55B0927158B7D4AEEB0617B09C0EC813F26AF93725B1600CBA7429E0A7D6220005DBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06156FE8 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b16cd699a9b81540313cb7c1454077da7a2a9f0e8dd8a84afc4892ae420649a
Instruction ID: 8edaf6e3c297172d29f440166174498ffbabf6585bd456cf0c98479dc6997210
Opcode Fuzzy Hash: 4b16cd699a9b81540313cb7c1454077da7a2a9f0e8dd8a84afc4892ae420649a
Instruction Fuzzy Hash: 7B620EB06003009BE74CDF68D45571ABED6EB84308F68C59DD10A9F392DFB6DA0B8B95

Uniqueness

Uniqueness Score: -1.00%

Function 06156FF8 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3285154294.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6150000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7461758e3702e4ead2c3d17c386c991212a6a59ebd52a8d97ef411963d43e19
Instruction ID: 8fee2cd2e6f7feeeb2d0523b4819f43fc8726e870722e87fdfab9c74902c3bcc
Opcode Fuzzy Hash: b7461758e3702e4ead2c3d17c386c991212a6a59ebd52a8d97ef411963d43e19
Instruction Fuzzy Hash: 08620EB06003009BE74CDF68D45571ABED6EB84308F68C59DD10A9F392DFB6DA0B8B95

Uniqueness

Uniqueness Score: -1.00%

Function 00E2DC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3284324020.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_HobLb4ufqE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a28044fd06ddff63fe9659860ce50ca739ff8cfda4233df493dda93f16e09aa
Instruction ID: 06f28609a6335967486120b42f1a19d62d707a98044dfc939a7bcd3a5b5bc5df
Opcode Fuzzy Hash: 4a28044fd06ddff63fe9659860ce50ca739ff8cfda4233df493dda93f16e09aa
Instruction Fuzzy Hash: 02A16A32E002298FCF05DFB4D88059EB7B2FF85304B25957AE905BB265DB71E916CB80

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HobLb4ufqE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Temp\Tmp8A0E.tmp

C:\Users\user\AppData\Local\Temp\Tmp8A0F.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
HobLb4ufqE.exe

Function 0615A3D8 Relevance: 1.5, Strings: 1, Instructions: 296
COMMON

Function 00E2D0A8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
threadCOMMON

Function 00E2D0B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 00E2AE30 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Function 00E24248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 00E25935 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
COMMON

Function 00E2A858 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88
libraryCOMMON

Function 00E2D300 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Function 00E2D2F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Function 00E2A870 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Function 00E2B2A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Function 00E2B020 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Function 06157D58 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Function 06157D4C Relevance: 2.6, Strings: 2, Instructions: 130
COMMON

Function 061559D8 Relevance: 1.5, Strings: 1, Instructions: 290
COMMON