Windows
Analysis Report
ZAXkflgLEq.exe
Overview
General Information
Sample name: | ZAXkflgLEq.exe (renamed because original name is a hash value) |
Original sample name: | 464ea1bd9930cd4ecae392d7214c3905.exe |
Analysis ID: | 1417252 |
MD5: | 464ea1bd9930cd4ecae392d7214c3905 |
SHA1: | 525be920ce25cf340d8e47a0f3fd993a908449fc |
SHA256: | cade479a0b203af759b0f82c80d4b95ca46abe3a4f665f365953eb5e25fe9284 |
Tags: | exe |
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- ZAXkflgLEq.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\ZAXkflgLEq.exe" MD5: 464EA1BD9930CD4ECAE392D7214C3905)
  - dialer.exe (PID: 7436 cmdline: "C:\Windows\system32\dialer.exe" MD5: E4BD77FB64DDE78F1A95ECE09F6A9B85)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. | | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | |
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Binary or memory string: | memstr_ce44904d-b |
Source: | Binary or memory string: | memstr_dd65927f-f |
Source: | File source: |
Source: | Code function: | 0_2_00C90AA0 |
Source: | Binary or memory string: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | WMI Queries: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Evasive API call chain: | graph_0-1272 |
Source: | Process created: |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: | 0_3_00C95B03 | |
Source: | Code function: | 0_3_00C9628A | |
Source: | Code function: | 0_3_00C97C5F | |
Source: | Code function: | 0_3_00C95DD5 | |
Source: | Code function: | 0_3_00C96F49 | |
Source: | Code function: | 0_3_00C92F4F | |
Source: | Code function: | 0_3_00C9417B | |
Source: | Code function: | 0_3_00C96580 | |
Source: | Code function: | 0_3_00C94137 | |
Source: | Code function: | 0_2_00C49565 | |
Source: | Code function: | 0_2_00C48965 | |
Source: | Code function: | 0_2_00C47517 | |
Source: | Code function: | 0_2_00C51422 | |
Source: | Code function: | 0_2_00C4FF2D | |
Source: | Code function: | 1_3_0328430A | |
Source: | Code function: | 1_3_03283B83 | |
Source: | Code function: | 1_3_032821B7 | |
Source: | Code function: | 1_3_032821FB | |
Source: | Code function: | 1_3_03284600 | |
Source: | Code function: | 1_3_03284FC9 | |
Source: | Code function: | 1_3_03280FCF | |
Source: | Code function: | 1_3_03283E55 | |
Source: | Code function: | 1_3_03285CDF |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Binary or memory string: |
Source: | WMI Queries: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: | 0_3_00C92277 | |
Source: | Code function: | 0_2_00C92277 | |
Source: | Code function: | 1_3_0328027F |
Source: | Code function: | 0_2_00C90AA0 |
Source: | Process created: |
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | 21 Input Capture | 131 Security Software Discovery | Remote Services | 21 Input Capture | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
ZAXkflgLEq.exe | 71% | ReversingLabs | Win32.Trojan.Rhadamanthys | |
ZAXkflgLEq.exe | 100% | Avira | TR/Crypt.XPACK.Gen | |
ZAXkflgLEq.exe | 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.carssell.online | 91.92.254.230 | true | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
91.92.254.230 | www.carssell.online | Bulgaria | 34368 | THEZONEBG | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1417252 |
Start date and time: | 2024-03-28 20:13:04 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 55s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | ZAXkflgLEq.exe (renamed because original name is a hash value) |
Original Sample Name: | 464ea1bd9930cd4ecae392d7214c3905.exe |
Detection: | MAL |
Classification: | mal72.troj.evad.winEXE@3/0@1/1 |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target dialer.exe, PID 7436 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: ZAXkflgLEq.exe
Match | Detection | Threat Name |
---|---|---|
THEZONEBG | malicious | Metasploit |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Mirai |
| malicious | Mirai |
| malicious | Mirai |
| malicious | Mirai |
| malicious | Mirai |
| malicious | Mirai |
Match | Detection | Threat Name |
---|---|---|
caec7ddf6889590d999d7ca1b76373b6 | malicious | RHADAMANTHYS |
| malicious | PureCrypter, Amadey, PureLog Stealer, RHADAMANTHYS |
| malicious | BitRAT, RHADAMANTHYS |
| malicious | RHADAMANTHYS |
| malicious | RHADAMANTHYS |
| malicious | RHADAMANTHYS |
| malicious | RHADAMANTHYS |
| malicious | RHADAMANTHYS |
| malicious | RHADAMANTHYS |
| malicious | RHADAMANTHYS |
Entropy (8bit): | 4.843708182845879 |
File name: | ZAXkflgLEq.exe |
File size: | 363'520 bytes |
MD5: | 464ea1bd9930cd4ecae392d7214c3905 |
SHA1: | 525be920ce25cf340d8e47a0f3fd993a908449fc |
SHA256: | cade479a0b203af759b0f82c80d4b95ca46abe3a4f665f365953eb5e25fe9284 |
SHA512: | 73bcb3c6119a73ccd34d8300cf4e4fc3b4abf4f7cdbba49d9ad341931785e36dc98258b0e759fe999c31b56320533f228bee8755838cb7850797ef5f14ad3aa3 |
SSDEEP: | 6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqrsb:gf2R/EEkCQFYDwRqw |
TLSH: | 017423DFB69A5418ED3626F3DE5652383B1574580B460EFF9D7B6E20A010FA94E28F03 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]...............v...............v...................,.....................\.............Rich....................PE..L..._{_d... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4508ce |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x645F7B5F [Sat May 13 11:58:23 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | be49a2411263045f8ee0c442783b5f83 |
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 004697B0h |
push 004510BFh |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 68h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
xor ebx, ebx |
mov dword ptr [ebp-04h], ebx |
push 00000002h |
call dword ptr [00462040h] |
pop ecx |
or dword ptr [0046A038h], FFFFFFFFh |
or dword ptr [0046A03Ch], FFFFFFFFh |
call dword ptr [00462044h] |
mov ecx, dword ptr [0046A034h] |
mov dword ptr [eax], ecx |
call dword ptr [00462048h] |
mov ecx, dword ptr [0046A030h] |
mov dword ptr [eax], ecx |
mov eax, dword ptr [0046204Ch] |
mov eax, dword ptr [eax] |
mov dword ptr [0046A040h], eax |
call 00007F409D07B9B9h |
cmp dword ptr [0046A010h], ebx |
jne 00007F409D07B8BEh |
push 00450A3Eh |
call dword ptr [00462050h] |
pop ecx |
call 00007F409D07B98Bh |
push 0046A00Ch |
push 0046A008h |
call 00007F409D07C009h |
mov eax, dword ptr [0046A02Ch] |
mov dword ptr [ebp-6Ch], eax |
lea eax, dword ptr [ebp-6Ch] |
push eax |
push dword ptr [0046A028h] |
lea eax, dword ptr [ebp-64h] |
push eax |
lea eax, dword ptr [ebp-70h] |
push eax |
lea eax, dword ptr [ebp-60h] |
push eax |
call dword ptr [00462058h] |
push 0046A004h |
push 0046A000h |
call 00007F409D07BFD6h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69938 | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6b000 | 0x3e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xec | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x697bc | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x62000 | 0xe0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x500cb | 0x50200 | bdbcdd118c6e30fb53bf5111c1951d15 | False | 0.685620002925117 | data | 4.9977211758267455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.textbss | 0x52000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x62000 | 0x7de6 | 0x7e00 | 1709bd218ecea6c5cc61d8d6b305dc08 | False | 0.466827876984127 | data | 3.2818934390044032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6a000 | 0x44 | 0x200 | 598e1aae6ecbd8237c4383f4be94b9f1 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x6b000 | 0x3e8 | 0x400 | f0f5533983957143427cb560728e8d9b | False | 0.43359375 | data | 3.2476078648555533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x6c000 | 0xec | 0x200 | a556edc642fb4f2d688da12eb6e5cf04 | False | 0.490234375 | data | 3.440680260594041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x6b060 | 0x384 | data | English | United States | 0.45555555555555555 |
DLL | Import |
---|---|
KERNEL32.dll | HeapAlloc, HeapFree, GetProcessHeap, WaitForSingleObject, HeapDestroy, MulDiv, lstrlenW, CreateEventA, GetModuleFileNameW, GetModuleHandleA, CloseHandle, HeapCreate, GetStartupInfoA |
USER32.dll | AdjustWindowRect, GetDlgItem, GetIconInfo, SendDlgItemMessageA, InflateRect, DialogBoxParamA, CreateIconFromResourceEx, SendMessageW, LookupIconIdFromDirectoryEx, LoadImageA, SetForegroundWindow, EndDialog, OffsetRect, GetWindowLongA, SetWindowPos, UnionRect, SetWindowTextW |
GDI32.dll | GetObjectA |
ole32.dll | CoCreateGuid, CoTaskMemFree, CoInitializeEx |
MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, memset, memcpy, wcsrchr, wcschr, _controlfp, _except_handler3 |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 28, 2024 20:13:59.598016977 CET | 57294 | 53 | 192.168.2.4 | 1.1.1.1 |
Mar 28, 2024 20:13:59.701288939 CET | 53 | 57294 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 28, 2024 20:13:59.598016977 CET | 192.168.2.4 | 1.1.1.1 | 0x434a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 28, 2024 20:13:59.701288939 CET | 1.1.1.1 | 192.168.2.4 | 0x434a | No error (0) | | | 91.92.254.230 | A (IP address) | IN (0x0001) | false |
Mar 28, 2024 20:13:59.701288939 CET | 1.1.1.1 | 192.168.2.4 | 0x434a | No error (0) | | | 91.92.255.217 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 20:13:53 |
Start date: | 28/03/2024 |
Path: | C:\Users\user\Desktop\ZAXkflgLEq.exe |
Wow64 process (32bit): | true |
Commandline: | "C:\Users\user\Desktop\ZAXkflgLEq.exe" |
Imagebase: | 0xc40000 |
File size: | 363'520 bytes |
MD5 hash: | 464EA1BD9930CD4ECAE392D7214C3905 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 20:13:56 |
Start date: | 28/03/2024 |
Path: | C:\Windows\SysWOW64\dialer.exe |
Wow64 process (32bit): | true |
Commandline: | "C:\Windows\system32\dialer.exe" |
Imagebase: | 0xa20000 |
File size: | 32'256 bytes |
MD5 hash: | E4BD77FB64DDE78F1A95ECE09F6A9B85 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 3.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 35.6% |
Total number of Nodes: | 59 |
Total number of Limit Nodes: | 1 |
- Function 00C90AA0 Relevance: 28.8, APIs: 19, Instructions: 275 (memory, synchronization, COMMON)
- Function 00C908CE Relevance: 16.6, APIs: 11, Instructions: 111 (COMMON)
- Function 00C922CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128 (memory, COMMON)
- Function 00C92098 Relevance: 2.7, APIs: 2, Instructions: 163 (memory, COMMON)
- Function 00C92277 Relevance: 0.0, Instructions: 35 (COMMON)
- Function 032802D4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167 (memory, file, COMMON)
- Function 032800A0 Relevance: 2.7, APIs: 2, Instructions: 163 (memory, COMMON)