Windows
Analysis Report
bUAB.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- bUAB.exe (PID: 7532, cmdline: "C:\Users\user\Desktop\bUAB.exe", MD5: E3A50CD4B0D687DE0371979907EECEC8)
- cleanup
Name | Description | Attribution |
---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool, but it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution |
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution |
{"Ports": ["2016"], "Server": ["window10.duckdns.org"], "Mutex": "DcRatMutex_qw6rgvfu6ruj67fere5fhy HJG", "Certificate": "[certificate omitted]", "Server Signature": "CfBGWgaZcSFbRY1ZjzIeyTGhsM2okmwQOujBLV9KdxvTK5nuKtxl0YRc2dkODk9hElCZE1bbstsI9BFpQuIkGa59o27bUU8qSGAak3ZjEIlIgtbTjjgbQCxSQToalikk8qsDvFS4CG/X5uWQ60CVgykbly7uvjFvKlV47JqVu1A="}
Rule | Description | Author |
---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
04/16/24-20:09:13.581089 | 2034847 | 2016 | 49731 | TCP | A Network Trojan was detected |
04/16/24-20:09:13.581089 | 2848152 | 2016 | 49731 | TCP | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking |
---|
Source: | Snort IDS: |
Source: | DNS query: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 0_2_00007FFD9B8A6752 |
Source: | Code function: | 0_2_00007FFD9B8A0600 |
Source: | Code function: | 0_2_00007FFD9B8A59A6 |
Source: | Binary or memory string: |
Source: | Matched rule: |
Source: | Base64 encoded string: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FFD9B8A00C1 |
Boot Survival |
---|
Source: | File source: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | File source: |
Source: | WMI Queries: |
Source: | Binary or memory string: |
Source: | Memory allocated: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | File Volume queried: |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Reference to suspicious API methods: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Key value queried: |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | File source: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Obfuscated Files or Information | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Detection | Scanner | Label |
---|---|---|
84% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT |
100% | Avira | HEUR/AGEN.1307404 |
100% | Joe Sandbox ML | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | unknown | |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.63.34 | true | false | unknown | |
window10.duckdns.org | 172.94.39.213 | true | true | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
172.94.39.213 | window10.duckdns.org | United States | 9009 | M247GB | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1426963 |
Start date and time: | 2024-04-16 20:08:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | bUAB.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/2@5/1 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 217.20.63.34, 23.40.205.9, 23.40.205.83, 23.40.205.74, 23.40.205.26, 23.40.205.34, 23.40.205.41, 23.40.205.66, 23.40.205.56
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: bUAB.exe
Time | Type | Description |
---|---|---|
20:09:14 | API Interceptor |
Match | Detection | Threat Name (one entry per associated sample) |
---|---|---|
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | HTMLPhisher; HTMLPhisher; Unknown; CobaltStrike; HTMLPhisher; Unknown; Unknown; Unknown; TechSupportScam; HTMLPhisher |
bg.microsoft.map.fastly.net | malicious | HTMLPhisher; AsyncRAT; Unknown; Unknown; HTMLPhisher; Phisher; DarkCloud; GuLoader; GuLoader; Unknown |
window10.duckdns.org | malicious | AsyncRAT, DcRat; AsyncRAT, DcRat; AsyncRAT, DcRat |
Match | Detection | Threat Name (one entry per associated sample) |
---|---|---|
M247GB | malicious | Mirai; Mirai; HTMLPhisher; XWorm; Amadey, RHADAMANTHYS; Mirai; Unknown; Unknown; Unknown; Unknown |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\Desktop\bUAB.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 69993 |
Entropy (8bit): | 7.99584879649948 |
Encrypted: | true |
SSDEEP: | 1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr |
MD5: | 29F65BA8E88C063813CC50A4EA544E93 |
SHA1: | 05A7040D5C127E68C25D81CC51271FFB8BEF3568 |
SHA-256: | 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184 |
SHA-512: | E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\Desktop\bUAB.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 3.1414940076987787 |
Encrypted: | false |
SSDEEP: | 6:kKMs3llDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:j3llMkPlE99SNxAhUeVLVt |
MD5: | B744899B447B22033F3B9819A133E0A5 |
SHA1: | 6DE73F94A1FE4EB2590922C3F6E82267D4E33272 |
SHA-256: | C2E1BF18EC0A93E4D7AC2030827F07590D7C4CEA7E3A4A397B99F60E0BE6BBE8 |
SHA-512: | 42EC04C068322D912A136B12741859C32849061ABE3CF53ACC9068ADC848E8C8E14CDCD44B1F89401E526A816F9D1952A9CB62C7A9AC04379D7D75AB12E62C33 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.621111951451253 |
TrID: |
File name: | bUAB.exe |
File size: | 48'640 bytes |
MD5: | e3a50cd4b0d687de0371979907eecec8 |
SHA1: | a985891877f61b6b68b9584b3ebedad6941eb7ec |
SHA256: | bbfd0355383f8e0df1442c646737854bfccb138b9c89e86c64c3d49d31e5fbf8 |
SHA512: | 273454ea78c38ed570f90a818a471e13cad94849797cf83b3bd7533581d12b381331afbea428ab571f6efeb260c9ce6bcfbfea5b0df24918b8899b11fda76cb3 |
SSDEEP: | 768:l9GmxD6ILNCaS+Di+LFxh635OiY8Ybage19kOId0vEgK/JjZVc6KN:l9GAHW+RxkQzbNMkOQ0nkJjZVclN |
TLSH: | E9236D0037A8C536E6BD4BB4ADF292058375D6672D03CA5D7CC814AA2B13FC996136FE |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40cbde |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x60930A0B [Wed May 5 21:11:39 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb90 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xabe4 | 0xac00 | 98ecc3faf77d1b7b1f4fcd67cece6b5e | False | 0.5028161337209303 | data | 5.646482729064109 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0xc | 0x200 | c10c3c0a0024ae64684ddd6e1f2ef429 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0xe0a0 | 0x2d4 | data | 0.4350828729281768 | ||
RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.40245261984392416 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/16/24-20:09:13.581089 | TCP | 2034847 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT) | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
04/16/24-20:09:13.581089 | TCP | 2848152 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 16, 2024 20:09:11.545137882 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:11.829696894 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:11.829914093 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:13.290158987 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:13.581089020 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:13.586394072 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:13.877599001 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:13.925678015 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:14.931826115 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:15.268254042 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:15.268326044 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:15.604186058 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:25.349845886 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:25.684798002 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:25.684854984 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:25.976406097 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:26.019712925 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:26.314876080 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:26.330209017 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:26.667982101 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:26.668174982 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:27.004148006 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:35.770510912 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:36.104140997 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:36.104351997 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:36.389823914 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:36.441445112 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:36.725717068 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:36.727828979 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:37.013562918 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:37.013684988 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:37.349874973 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:46.191838026 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:46.527070999 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:46.527187109 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:46.827687979 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:46.878844023 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:47.165591002 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:47.188452005 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:47.523216963 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:47.523418903 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:47.857820034 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:56.614272118 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:56.948973894 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:56.949095011 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:57.233623981 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:57.285355091 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:57.569694996 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:57.572041035 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:57.905760050 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:09:57.905874014 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:09:58.244359970 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:06.909666061 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:06.957004070 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:07.111643076 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:07.241916895 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:07.242044926 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:07.453695059 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:07.531512976 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:07.735269070 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:07.997719049 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:07.998066902 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:07.999752998 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:08.333821058 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:08.333913088 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:08.668375969 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:17.519988060 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:17.861838102 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:17.862040997 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:18.150441885 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:18.191593885 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:18.481952906 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:18.484051943 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:18.817692041 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:18.817822933 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:19.152959108 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:27.942434072 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:28.276479006 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:28.276628017 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:28.561669111 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:28.613332033 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:28.902815104 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:28.904644012 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:29.241741896 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:29.241993904 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:29.576586008 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:36.900762081 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:36.957144022 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:37.244194984 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:37.285193920 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:38.363703012 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:38.697941065 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:38.698272943 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:38.984798908 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:39.035290003 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:39.320408106 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:39.322999001 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:39.657561064 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:39.657790899 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:39.992302895 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:48.786475897 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:49.121330023 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:49.121681929 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:49.409384966 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:49.457226992 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:49.742156029 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:49.744981050 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:50.081258059 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:50.081525087 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:50.417262077 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:59.223135948 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:59.558089018 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:59.558371067 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:10:59.845397949 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:10:59.894840956 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:11:00.181771994 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:11:00.183665037 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:11:00.521356106 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Apr 16, 2024 20:11:00.521574020 CEST | 49731 | 2016 | 192.168.2.4 | 172.94.39.213 |
Apr 16, 2024 20:11:00.857449055 CEST | 2016 | 49731 | 172.94.39.213 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 16, 2024 20:09:02.089090109 CEST | 52816 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 16, 2024 20:09:03.097940922 CEST | 52816 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 16, 2024 20:09:04.097817898 CEST | 52816 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 16, 2024 20:09:06.097735882 CEST | 52816 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 16, 2024 20:09:06.197458029 CEST | 53 | 52816 | 1.1.1.1 | 192.168.2.4 |
Apr 16, 2024 20:09:06.197501898 CEST | 53 | 52816 | 1.1.1.1 | 192.168.2.4 |
Apr 16, 2024 20:09:06.197535992 CEST | 53 | 52816 | 1.1.1.1 | 192.168.2.4 |
Apr 16, 2024 20:09:06.202701092 CEST | 53 | 52816 | 1.1.1.1 | 192.168.2.4 |
Apr 16, 2024 20:09:11.209065914 CEST | 62891 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 16, 2024 20:09:11.539151907 CEST | 53 | 62891 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 16, 2024 20:09:02.089090109 CEST | 192.168.2.4 | 1.1.1.1 | 0x4a0d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:03.097940922 CEST | 192.168.2.4 | 1.1.1.1 | 0x4a0d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:04.097817898 CEST | 192.168.2.4 | 1.1.1.1 | 0x4a0d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:06.097735882 CEST | 192.168.2.4 | 1.1.1.1 | 0x4a0d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:11.209065914 CEST | 192.168.2.4 | 1.1.1.1 | 0xc965 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 16, 2024 20:09:06.197458029 CEST | 1.1.1.1 | 192.168.2.4 | 0x4a0d | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:06.197501898 CEST | 1.1.1.1 | 192.168.2.4 | 0x4a0d | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:06.197535992 CEST | 1.1.1.1 | 192.168.2.4 | 0x4a0d | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:06.202701092 CEST | 1.1.1.1 | 192.168.2.4 | 0x4a0d | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:11.539151907 CEST | 1.1.1.1 | 192.168.2.4 | 0xc965 | No error (0) | | | 172.94.39.213 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.63.34 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.50.40 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.50.39 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.55.36 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.51.27 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.50.41 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.48.36 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:09:14.077347994 CEST | 1.1.1.1 | 192.168.2.4 | 0xb508 | No error (0) | | | 217.20.53.34 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:10:14.312493086 CEST | 1.1.1.1 | 192.168.2.4 | 0x1844 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Apr 16, 2024 20:10:14.312493086 CEST | 1.1.1.1 | 192.168.2.4 | 0x1844 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 20:08:55 |
Start date: | 16/04/2024 |
Path: | C:\Users\user\Desktop\bUAB.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x3b0000 |
File size: | 48'640 bytes |
MD5 hash: | E3A50CD4B0D687DE0371979907EECEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 23.1% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 5 |
Total number of Limit Nodes: | 1 |
Function 00007FFD9B8A59A6 | Relevance: .5 | Instructions: 472 | COMMON |
Function 00007FFD9B8A6752 | Relevance: .5 | Instructions: 458 | COMMON |