Windows
Analysis Report
Ydpdt8Efff.exe
Overview
General Information
Sample name: | Ydpdt8Efff.exerenamed because original name is a hash value |
Original sample name: | 039aebb1a469963963e34d31a42e6608.exe |
Analysis ID: | 1417246 |
MD5: | 039aebb1a469963963e34d31a42e6608 |
SHA1: | 6a60e11aa5949ab9fd861397879e2b6649292e2b |
SHA256: | 5cad07e8a93e151126f2668e4acd40bfb6a6c136720868e1abb88d6ce855488b |
Tags: | exe |
Infos: | |
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Ydpdt8Efff.exe (PID: 6748 cmdline:
"C:\Users\ user\Deskt op\Ydpdt8E fff.exe" MD5: 039AEBB1A469963963E34D31A42E6608)
- cleanup
{"Type": "Metasploit Connect", "IP": "91.92.251.119", "Port": 4444}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_004056E0 | |
Source: | Code function: | 0_2_004056E0 |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00401253 | |
Source: | Code function: | 0_2_00404C8F | |
Source: | Code function: | 0_2_00407EC1 | |
Source: | Code function: | 0_2_00402776 | |
Source: | Code function: | 0_2_00401AEA | |
Source: | Code function: | 0_2_0040837F | |
Source: | Code function: | 0_2_00402776 | |
Source: | Code function: | 0_2_00404B9C |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
82% | ReversingLabs | Win32.Trojan.CryptZMarte | ||
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
91.92.251.119 | unknown | Bulgaria | 34368 | THEZONEBG | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1417246 |
Start date and time: | 2024-03-28 20:09:16 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Ydpdt8Efff.exerenamed because original name is a hash value |
Original Sample Name: | 039aebb1a469963963e34d31a42e6608.exe |
Detection: | MAL |
Classification: | mal96.troj.winEXE@1/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: Ydpdt8Efff.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
THEZONEBG | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
|
File type: | |
Entropy (8bit): | 6.328182161985991 |
TrID: |
|
File name: | Ydpdt8Efff.exe |
File size: | 73'802 bytes |
MD5: | 039aebb1a469963963e34d31a42e6608 |
SHA1: | 6a60e11aa5949ab9fd861397879e2b6649292e2b |
SHA256: | 5cad07e8a93e151126f2668e4acd40bfb6a6c136720868e1abb88d6ce855488b |
SHA512: | 37ce7dff742d3a9680574c96012c81fcbb3aa94435c7aeb4691f1a6fa9e9e8009e63b4d3d126302fbeab13adf453b045fd5c2dcfd4ca7d24b20f90e4e4e386a0 |
SSDEEP: | 1536:Ia6vKe2IO6a0lRL82nTnWVMb+KR0Nc8QsJq39:W1xL5ue0Nc8QsC9 |
TLSH: | 2C73B042D9C42575C2B7127E26752E7A9971F2FE7301C1DA754CCDB9DBC08B0A62A3C2 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...$.XJ........... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x401511 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4A580B24 [Sat Jul 11 03:46:44 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 481f47bbb2c9c21e108d65f52b04c448 |
Instruction |
---|
inc ebx |
cdq |
cdq |
wait |
cdq |
wait |
xchg eax, edx |
std |
cmc |
std |
cwde |
inc edx |
inc ecx |
stc |
dec eax |
cwde |
das |
stc |
nop |
stc |
wait |
nop |
xchg eax, edx |
inc ebx |
inc eax |
aas |
das |
xchg eax, ecx |
dec edx |
cdq |
nop |
aas |
inc ebx |
cwde |
salc |
aas |
inc eax |
inc eax |
cwde |
das |
xchg eax, ecx |
stc |
clc |
salc |
inc ebx |
stc |
cdq |
cwde |
lahf |
dec eax |
std |
cwde |
cld |
inc edx |
dec ecx |
aaa |
wait |
std |
xchg eax, ebx |
das |
xchg eax, edx |
wait |
xchg eax, ecx |
salc |
clc |
das |
cwde |
dec ebx |
inc ecx |
cmc |
dec edx |
das |
stc |
xchg eax, edx |
aas |
xchg eax, edx |
lahf |
cmc |
inc edx |
cmc |
lahf |
aas |
wait |
cdq |
das |
inc eax |
dec edx |
std |
xchg eax, ecx |
inc edx |
salc |
dec eax |
stc |
dec eax |
nop |
das |
aaa |
aas |
std |
inc edx |
dec ebx |
xchg eax, edx |
inc edx |
cdq |
aaa |
salc |
cwde |
cld |
inc ebx |
aaa |
salc |
clc |
cld |
cwde |
das |
das |
inc edx |
dec eax |
xchg eax, ecx |
cld |
xchg eax, ecx |
dec ebx |
dec edx |
aaa |
aaa |
aas |
dec ecx |
clc |
cld |
aaa |
dec eax |
lahf |
lahf |
cdq |
cmc |
das |
lahf |
inc edx |
inc eax |
nop |
std |
inc eax |
cld |
cld |
stc |
stc |
dec eax |
dec ebx |
aas |
cdq |
dec ecx |
xchg eax, ebx |
dec ebx |
inc eax |
nop |
nop |
nop |
cld |
inc eax |
lahf |
cwde |
xchg eax, ecx |
lahf |
cdq |
dec edx |
inc ecx |
inc ebx |
cld |
inc ebx |
salc |
inc edx |
wait |
xchg eax, ecx |
nop |
cwde |
wait |
cdq |
wait |
xchg eax, ebx |
cdq |
std |
cwde |
inc ebx |
dec ebx |
xchg eax, ecx |
inc ebx |
lahf |
std |
cmc |
cwde |
clc |
wait |
daa |
dec ecx |
inc ecx |
cwde |
xchg eax, ecx |
xchg eax, ecx |
daa |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x7c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa966 | 0xb000 | 6d71628a936db04aad377a613b9130d2 | False | 0.8174272017045454 | data | 7.02404492702774 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xfe6 | 0x1000 | 25d7ceee3aa85bb3e8c5174736f6f830 | False | 0.46142578125 | DOS executable (COM, 0x8C-variant) | 5.318390353744998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x15060 | 0x768 | data | English | United States | 0.40189873417721517 |
DLL | Import |
---|---|
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp |
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree |
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid |
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError |
WS2_32.dll | WSARecv, WSASend |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 28, 2024 20:10:06.386260986 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:07.382877111 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:09.398458958 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:13.414086103 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:21.414071083 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:27.414592981 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:28.414031029 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:30.414032936 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:34.414139032 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:42.414051056 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:48.414510965 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:49.429656982 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:51.429661036 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:10:55.429637909 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:03.429671049 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:09.445806026 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:10.445302010 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:12.460943937 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:16.476552010 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:24.492157936 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:30.492696047 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:31.492172956 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:33.492172956 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:37.492150068 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:45.492213011 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:51.640671015 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:52.648426056 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:54.664077997 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:11:58.664042950 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:12:06.664161921 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:12:12.664531946 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Mar 28, 2024 20:12:13.679620028 CET | 49729 | 4444 | 192.168.2.4 | 91.92.251.119 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 20:10:05 |
Start date: | 28/03/2024 |
Path: | C:\Users\user\Desktop\Ydpdt8Efff.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73'802 bytes |
MD5 hash: | 039AEBB1A469963963E34D31A42E6608 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 0.7% |
Dynamic/Decrypted Code Coverage: | 25% |
Signature Coverage: | 0% |
Total number of Nodes: | 32 |
Total number of Limit Nodes: | 1 |
Graph
Function 004C00B0 Relevance: 3.1, APIs: 2, Instructions: 81networkCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004018D6 Relevance: 1.4, APIs: 1, Instructions: 185memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401919 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401922 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040196E Relevance: 1.3, APIs: 1, Instructions: 28memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401946 Relevance: 1.3, APIs: 1, Instructions: 26memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004019BB Relevance: 1.3, APIs: 1, Instructions: 26memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401938 Relevance: 1.3, APIs: 1, Instructions: 23memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401958 Relevance: 1.3, APIs: 1, Instructions: 22memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004056E0 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |