Windows
Analysis Report
HobLb4ufqE.exe
Overview
General Information
Sample name: | HobLb4ufqE.exe (renamed because original name is a hash value) |
Original sample name: | 0222f8da926bf2722f6bef4ac243e5fa.exe |
Analysis ID: | 1436258 |
MD5: | 0222f8da926bf2722f6bef4ac243e5fa |
SHA1: | 152144479eb94028ec92e356f99b562fa414e980 |
SHA256: | 98c5e7aa76e1163df1ac5ea880c213a8b81a2c5b2ba0d87980ac8ffa744f226f |
Tags: | 32, exe, RedLineStealer, trojan |
Infos: | |
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- HobLb4ufqE.exe (PID: 4160 cmdline: "C:\Users\user\Desktop\HobLb4ufqE.exe" MD5: 0222F8DA926BF2722F6BEF4AC243E5FA)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
{"C2 url": ["80.79.4.61:27996"], "Bot Id": "uk-ca", "Authorization Header": "27dc49c1e1facde9ccd1ca2ec0c885fd"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Networking |
---|
Source: | URLs: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Code function: | 0_2_00E2DC74 | |
Source: | Code function: | 0_2_061567D8 | |
Source: | Code function: | 0_2_0615A3E8 | |
Source: | Code function: | 0_2_06153F50 | |
Source: | Code function: | 0_2_0615A3D8 | |
Source: | Code function: | 0_2_06156FF8 | |
Source: | Code function: | 0_2_06156FE8 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | LNK file: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0615E070 | |
Source: | Code function: | 0_2_0615ED01 |
Persistence and Installation Behavior |
---|
Source: | Registry value created: | Jump to behavior |
Source: | Registry key monitored for changes: | Jump to behavior |
Source: | Process information set: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Memory allocated: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Install Root Certificate | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
61% | ReversingLabs | Win32.Trojan.Jalapeno | ||
62% | Virustotal | Browse |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
80.79.4.61 | unknown | Moldova Republic of | 49006 | SISTEMEMD | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1436258 |
Start date and time: | 2024-05-04 06:41:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | HobLb4ufqE.exe (renamed because original name is a hash value) |
Original Sample Name: | 0222f8da926bf2722f6bef4ac243e5fa.exe |
Detection: | MAL |
Classification: | mal80.troj.winEXE@1/4@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
80.79.4.61 | Get hash | malicious | LummaC, Amadey, Fabookie, Glupteba, PureLog Stealer, RedLine, Stealc | Browse | ||
Get hash | malicious | Amadey, Glupteba, PureLog Stealer, RedLine, SmokeLoader, Stealc, Vidar | Browse | |||
Get hash | malicious | LummaC, Amadey, PureLog Stealer, RedLine, Stealc, Xmrig, zgRAT | Browse | |||
Get hash | malicious | Amadey, PureLog Stealer, RedLine, Xmrig, zgRAT | Browse | |||
Get hash | malicious | Amadey, Fabookie, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc | Browse | |||
Get hash | malicious | Amadey, RedLine, RisePro Stealer | Browse | |||
Get hash | malicious | Amadey, PureLog Stealer, RedLine, zgRAT | Browse | |||
Get hash | malicious | RedLine | Browse | |||
Get hash | malicious | RedLine | Browse | |||
Get hash | malicious | LummaC, Amadey, Fabookie, Glupteba, LummaC Stealer, RedLine, Stealc | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SISTEMEMD | Get hash | malicious | AsyncRAT, BazaLoader | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Parallax RAT | Browse |
Get hash | malicious | Parallax RAT | Browse |
Get hash | malicious | LummaC, Amadey, Fabookie, Glupteba, PureLog Stealer, RedLine, Stealc | Browse |
Get hash | malicious | Amadey, Glupteba, PureLog Stealer, RedLine, SmokeLoader, Stealc, Vidar | Browse |
Get hash | malicious | AsyncRAT | Browse |
Get hash | malicious | LummaC, Amadey, PureLog Stealer, RedLine, Stealc, Xmrig, zgRAT | Browse |
Get hash | malicious | Amadey, PureLog Stealer, RedLine, Xmrig, zgRAT | Browse |
Process: | C:\Users\user\Desktop\HobLb4ufqE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2104 |
Entropy (8bit): | 3.467621229062337 |
Encrypted: | false |
SSDEEP: | 48:8SXd5TvG/0lRYrnvPdAKRkdAGdAKRFdAKR6P:8SbbM7 |
MD5: | 6044B07915CA53C0034A821257E98961 |
SHA1: | FAB06AD35762B56042FDB8D8D89864005B441D61 |
SHA-256: | 0D04680FDF38385EFD8196806E066ACF56BEE24F4CBDDD41F40CA723E4B2D734 |
SHA-512: | 182D2191F02B4E07C9D48EEC85E8152744B509D4A70BB036C1FF89D0398D36A046DEE723B8306D2AE16ED21C16B3C91F75BE537D6C2E4A436EC7F5BBF24748FD |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\HobLb4ufqE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2662 |
Entropy (8bit): | 7.8230547059446645 |
Encrypted: | false |
SSDEEP: | 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g |
MD5: | 1420D30F964EAC2C85B2CCFE968EEBCE |
SHA1: | BDF9A6876578A3E38079C4F8CF5D6C79687AD750 |
SHA-256: | F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9 |
SHA-512: | 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\HobLb4ufqE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2662 |
Entropy (8bit): | 7.8230547059446645 |
Encrypted: | false |
SSDEEP: | 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g |
MD5: | 1420D30F964EAC2C85B2CCFE968EEBCE |
SHA1: | BDF9A6876578A3E38079C4F8CF5D6C79687AD750 |
SHA-256: | F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9 |
SHA-512: | 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Process: | C:\Users\user\Desktop\HobLb4ufqE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2251 |
Entropy (8bit): | 7.621994830361549 |
Encrypted: | false |
SSDEEP: | 48:S7SjQDUy2lCdYzrBSz0gGVSEjQSwCI9RlycAAXqE90N:ASUDfUpG9RJAMG |
MD5: | 9173CFD685C2FC7CF6474912025E480F |
SHA1: | EEA8EA56B6C23136621FA312CE6BB078E66E61E8 |
SHA-256: | 3505229CCF55BFA51BEA45B440ABF66C7153639F456F480BA666BDDC0A2E91CE |
SHA-512: | BF6FED4A667B8D4AC814D94A40B5EB192997B3EEDD1B68E6B8078E9EFFA2DE90ACE6258F3186134E59DA495D18D45B4538161F20914EA271E4FE10F3471D9BF5 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.080784622046203 |
TrID: |
|
File name: | HobLb4ufqE.exe |
File size: | 311'296 bytes |
MD5: | 0222f8da926bf2722f6bef4ac243e5fa |
SHA1: | 152144479eb94028ec92e356f99b562fa414e980 |
SHA256: | 98c5e7aa76e1163df1ac5ea880c213a8b81a2c5b2ba0d87980ac8ffa744f226f |
SHA512: | 690cc96b3ff6bc3e801b6c142c34afa81feb45e4916898cea0a3ddae41c8aa2b9a794886c2275dd2396e378402e4182209e037a8094fc6e08ce3764e5cbf9999 |
SSDEEP: | 3072:2qq6EgY6iYrUjOU44wPdyWAqeGXHTAftAmKOhcZqf7D34deqiOLibBOM:2pqY6irwPfASXHTA1A4hcZqf7DInL |
TLSH: | 2C646C1823DC8911E27F4B7994B1E27493B5EC56A856D30F4ED06CAB3E32741FA11AB3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................ |
Icon Hash: | 4d8ea38d85a38e6d |
Entrypoint: | 0x42b9aa |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0xE4C1C9DC [Tue Aug 14 04:49:32 2091 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b958 | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9cc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b93c | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x2e990 | 0x2ec00 | dec6bcaca408518e262f2f6801681bdd | False | 0.46955422794117646 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 6.20357865177658 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x32000 | 0x1c9cc | 0x1cc00 | c6461f5fca381943b46061a39aaf2e5b | False | 0.23721976902173914 | data | 2.6060625012283167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x50000 | 0xc | 0x400 | 70de2bdc721b7cb1b4aff274dfd9cd14 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9934058898847631 | ||
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | 0.09013072282030049 | ||
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | 0.13905290505432216 | ||
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | 0.17033195020746889 | ||
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | 0.2045028142589118 | ||
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | 0.24645390070921985 | ||
RT_GROUP_ICON | 0x4e40c | 0x5a | data | 0.7666666666666667 | ||
RT_VERSION | 0x4e478 | 0x352 | data | 0.44 | ||
RT_MANIFEST | 0x4e7dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 4, 2024 06:41:53.150141954 CEST | 49699 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:41:54.152806997 CEST | 49699 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:41:56.152920008 CEST | 49699 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:00.152852058 CEST | 49699 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:08.168448925 CEST | 49699 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:19.233795881 CEST | 49706 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:20.246607065 CEST | 49706 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:22.262327909 CEST | 49706 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:26.262270927 CEST | 49706 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:34.277919054 CEST | 49706 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:45.316200018 CEST | 49707 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:46.324754000 CEST | 49707 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:48.340434074 CEST | 49707 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:42:52.343456984 CEST | 49707 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:00.481029034 CEST | 49707 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:11.513886929 CEST | 49709 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:12.528017998 CEST | 49709 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:14.528074980 CEST | 49709 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:18.543570995 CEST | 49709 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:26.543551922 CEST | 49709 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:37.560864925 CEST | 49710 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:38.574814081 CEST | 49710 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:40.575079918 CEST | 49710 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:44.574836969 CEST | 49710 | 27996 | 192.168.2.6 | 80.79.4.61 |
May 4, 2024 06:43:52.652976036 CEST | 49710 | 27996 | 192.168.2.6 | 80.79.4.61 |
Target ID: | 0 |
Start time: | 06:41:50 |
Start date: | 04/05/2024 |
Path: | C:\Users\user\Desktop\HobLb4ufqE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x510000 |
File size: | 311'296 bytes |
MD5 hash: | 0222F8DA926BF2722F6BEF4AC243E5FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 6.8% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 52 |
Total number of Limit Nodes: | 9 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | Uniqueness Score |
---|---|---|---|---|---|---|
0615A3D8 | 1.5 | | 1 | 296 | COMMON | -1.00% |
0615A3E8 | 1.5 | | 1 | 289 | COMMON | -1.00% |
06153F50 | .5 | | | 525 | COMMON | -1.00% |
061567D8 | .4 | | | 421 | COMMON | -1.00% |
00E2D0A8 | 8.9 | 4 | 1 | 129 | thread, COMMON | -1.00% |
00E2D0B8 | 8.9 | 4 | 1 | 128 | thread, COMMON | -1.00% |
00E2A858 | 3.6 | 1 | 1 | 88 | library, COMMON | -1.00% |
00E2A870 | 3.6 | 1 | 1 | 55 | library, COMMON | -1.00% |
00E2B2A0 | 3.6 | 1 | 1 | 55 | library, COMMON | -1.00% |
06157D58 | 2.6 | | 2 | 147 | COMMON | -1.00% |
06157D4C | 2.6 | | 2 | 130 | COMMON | -1.00% |
061559D8 | 1.5 | | 1 | 290 | COMMON | -1.00% |
061587A0 | 1.3 | | 1 | 93 | COMMON | -1.00% |
06158795 | 1.3 | | 1 | 79 | COMMON | -1.00% |
06158A98 | 1.3 | | 1 | 77 | COMMON | -1.00% |
06158A8C | 1.3 | | 1 | 67 | COMMON | -1.00% |
061548B8 | .6 | | | 593 | COMMON | -1.00% |
061548A8 | .3 | | | 281 | COMMON | -1.00% |
061559C8 | .1 | | | 142 | COMMON | -1.00% |
06153DE0 | .1 | | | 110 | COMMON | -1.00% |
06155579 | .1 | | | 105 | COMMON | -1.00% |
061584C8 | .1 | | | 102 | COMMON | -1.00% |
06155588 | .1 | | | 96 | COMMON | -1.00% |
0615F920 | .1 | | | 96 | COMMON | -1.00% |
00B4D3D8 | .1 | | | 75 | COMMON | -1.00% |
00B5D01C | .1 | | | 72 | COMMON | -1.00% |
06158F42 | .1 | | | 68 | COMMON | -1.00% |
00B5D005 | .1 | | | 60 | COMMON | -1.00% |
0615BC5F | .1 | | | 58 | COMMON | -1.00% |
00B4D3D3 | .1 | | | 56 | COMMON | -1.00% |
06156E90 | .1 | | | 52 | COMMON | -1.00% |
06158350 | .0 | | | 50 | COMMON | -1.00% |
0615C499 | .0 | | | 48 | COMMON | -1.00% |
0615BC70 | .0 | | | 46 | COMMON | -1.00% |
0615ACB8 | .0 | | | 45 | COMMON | -1.00% |
0615E8B0 | .0 | | | 44 | COMMON | -1.00% |
0615B2D9 | .0 | | | 43 | COMMON | -1.00% |
0615C4A8 | .0 | | | 42 | COMMON | -1.00% |
06155508 | .0 | | | 42 | COMMON | -1.00% |
0615B358 | .0 | | | 40 | COMMON | -1.00% |
0615C170 | .0 | | | 37 | COMMON | -1.00% |
06158F50 | .0 | | | 37 | COMMON | -1.00% |
0615ADE9 | .0 | | | 37 | COMMON | -1.00% |
00B4D5F3 | .0 | | | 37 | COMMON | -1.00% |
061567C8 | .0 | | | 36 | COMMON | -1.00% |
06153EC8 | .0 | | | 36 | COMMON | -1.00% |
06156EA0 | .0 | | | 35 | COMMON | -1.00% |
00B4D5E4 | .0 | | | 35 | COMMON | -1.00% |
0615C110 | .0 | | | 33 | COMMON | -1.00% |
06158FC0 | .0 | | | 33 | COMMON | -1.00% |
0615B368 | .0 | | | 32 | COMMON | -1.00% |
061554F8 | .0 | | | 31 | COMMON | -1.00% |
0615AC60 | .0 | | | 31 | COMMON | -1.00% |
06158340 | .0 | | | 29 | COMMON | -1.00% |
0615ADF8 | .0 | | | 28 | COMMON | -1.00% |
0615C180 | .0 | | | 27 | COMMON | -1.00% |
06155698 | .0 | | | 26 | COMMON | -1.00% |
0615B500 | .0 | | | 25 | COMMON | -1.00% |
0615C120 | .0 | | | 25 | COMMON | -1.00% |
0615CC38 | .0 | | | 25 | COMMON | -1.00% |
0615CE88 | .0 | | | 23 | COMMON | -1.00% |
0615E280 | .0 | | | 22 | COMMON | -1.00% |
0615E1FF | .0 | | | 22 | COMMON | -1.00% |
0615E8F8 | .0 | | | 21 | COMMON | -1.00% |
0615F910 | .0 | | | 21 | COMMON | -1.00% |
0615AC80 | .0 | | | 20 | COMMON | -1.00% |
0615B510 | .0 | | | 19 | COMMON | -1.00% |
0615E210 | .0 | | | 16 | COMMON | -1.00% |
0615F8EA | .0 | | | 14 | COMMON | -1.00% |
06153721 | .0 | | | 11 | COMMON | -1.00% |
0615DFD1 | .0 | | | 8 | COMMON | -1.00% |
06156FE8 | .8 | | | 783 | COMMON | -1.00% |
06156FF8 | .8 | | | 780 | COMMON | -1.00% |
00E2DC74 | .3 | | | 264 | COMMON | -1.00% |