Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1429089 |
| MD5: | 0b4ad1c3b3f364c3d79fabdb47fe3385 |
| SHA1: | 85de5462d6342f03eaf3fb48176615fa6fa18508 |
| SHA256: | 21f247c6c84b114525d41500d54a63ab4bcea96d14ba8ca13be445acd72a081d |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
file.exe (PID: 6816 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 0B4AD1C3B3F364C3D79FABDB47FE3385)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "greetclassifytalk.shop"], "Build id": "4sxFKu--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 04/20/24-19:20:56.333314 |
| SID: | 2052028 |
| Source Port: | 52332 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:21:01.309164 |
| SID: | 2052037 |
| Source Port: | 49735 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:20:56.483623 |
| SID: | 2052037 |
| Source Port: | 49730 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:20:57.310065 |
| SID: | 2052037 |
| Source Port: | 49731 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:21:00.168650 |
| SID: | 2052037 |
| Source Port: | 49734 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:20:58.261554 |
| SID: | 2052037 |
| Source Port: | 49732 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:21:03.516500 |
| SID: | 2052037 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:20:59.171078 |
| SID: | 2052037 |
| Source Port: | 49733 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-19:21:02.107071 |
| SID: | 2052037 |
| Source Port: | 49736 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_00FB5999 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FC2458 | |
| Source: | Code function: | 0_2_00FBC540 | |
| Source: | Code function: | 0_2_00FD57CA | |
| Source: | Code function: | 0_2_00FD59E2 | |
| Source: | Code function: | 0_2_00FD3D10 | |
| Source: | Code function: | 0_2_00FD3D10 | |
| Source: | Code function: | 0_2_00FC4084 | |
| Source: | Code function: | 0_2_00FC4087 | |
| Source: | Code function: | 0_2_00FAD140 | |
| Source: | Code function: | 0_2_00FB42F0 | |
| Source: | Code function: | 0_2_00FC3943 | |
| Source: | Code function: | 0_2_00FA3260 | |
| Source: | Code function: | 0_2_00FBF234 | |
| Source: | Code function: | 0_2_00FBE451 | |
| Source: | Code function: | 0_2_00FBA420 | |
| Source: | Code function: | 0_2_00FBA420 | |
| Source: | Code function: | 0_2_00FD5412 | |
| Source: | Code function: | 0_2_00FB4596 | |
| Source: | Code function: | 0_2_00FB46E6 | |
| Source: | Code function: | 0_2_00FBF640 | |
| Source: | Code function: | 0_2_00FB37C9 | |
| Source: | Code function: | 0_2_00FC271D | |
| Source: | Code function: | 0_2_00FBA8C0 | |
| Source: | Code function: | 0_2_00FC58A2 | |
| Source: | Code function: | 0_2_00FC58A2 | |
| Source: | Code function: | 0_2_00FCF890 | |
| Source: | Code function: | 0_2_00FBF828 | |
| Source: | Code function: | 0_2_00FC59D2 | |
| Source: | Code function: | 0_2_00FC59CD | |
| Source: | Code function: | 0_2_00FC594F | |
| Source: | Code function: | 0_2_00FBCAEC | |
| Source: | Code function: | 0_2_00FD1A70 | |
| Source: | Code function: | 0_2_00FAFA49 | |
| Source: | Code function: | 0_2_00FB1A44 | |
| Source: | Code function: | 0_2_00FB6CDD | |
| Source: | Code function: | 0_2_00FC1CC7 | |
| Source: | Code function: | 0_2_00FC4CB0 | |
| Source: | Code function: | 0_2_00FB4C49 | |
| Source: | Code function: | 0_2_00FD7C45 | |
| Source: | Code function: | 0_2_00FD7C47 | |
| Source: | Code function: | 0_2_00FB3C46 | |
| Source: | Code function: | 0_2_00FB5D7D | |
| Source: | Code function: | 0_2_00FB3E4A | |
| Source: | Code function: | 0_2_00FAEF2D | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FD2010 | |
| Source: | Code function: | 0_2_00FC04B7 | |
| Source: | Code function: | 0_2_00FA4740 | |
| Source: | Code function: | 0_2_00FC0CA0 | |
| Source: | Code function: | 0_2_00FA6030 | |
| Source: | Code function: | 0_2_00FA1000 | |
| Source: | Code function: | 0_2_00FA52F0 | |
| Source: | Code function: | 0_2_00FA3260 | |
| Source: | Code function: | 0_2_00FA65F0 | |
| Source: | Code function: | 0_2_00FD45F0 | |
| Source: | Code function: | 0_2_00FAF690 | |
| Source: | Code function: | 0_2_00FD97D0 | |
| Source: | Code function: | 0_2_00FA1700 | |
| Source: | Code function: | 0_2_00FC58A2 | |
| Source: | Code function: | 0_2_00FC59D2 | |
| Source: | Code function: | 0_2_0100387F | |
| Source: | Code function: | 0_2_00FC594F | |
| Source: | Code function: | 0_2_00FD9AF0 | |
| Source: | Code function: | 0_2_00FBCAEC | |
| Source: | Code function: | 0_2_00FD1A70 | |
| Source: | Code function: | 0_2_00FA7CB0 | |
| Source: | Code function: | 0_2_00FA3D70 | |
| Source: | Code function: | 0_2_00FA2E70 | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FEB2F8 | |
| Source: | Code function: | 0_2_00FEB2A1 | |
| Source: | Code function: | 0_2_00FE926B | |
| Source: | Code function: | 0_2_00FE924B | |
| Source: | Code function: | 0_2_00FEB79F | |
| Source: | Code function: | 0_2_00FE94FE | |
| Source: | Code function: | 0_2_00FE94FC | |
| Source: | Code function: | 0_2_00FE94A6 | |
| Source: | Code function: | 0_2_00FE95FC | |
| Source: | Code function: | 0_2_00FFF6A0 | |
| Source: | Code function: | 0_2_00FEC63F | |
| Source: | Code function: | 0_2_00FEC9F1 | |
| Source: | Code function: | 0_2_00FE997B | |
| Source: | Code function: | 0_2_00FECACF | |
| Source: | Code function: | 0_2_00FEAA3B | |
| Source: | Code function: | 0_2_00FEBA1C | |
| Source: | Code function: | 0_2_00FE9D99 | |
| Source: | Code function: | 0_2_00FEADBB | |
| Source: | Code function: | 0_2_00FFDFE3 | |
| Source: | Code function: | 0_2_00FEAF58 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FD3CC0 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Credential API Hooking | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 112 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 12% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 12% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| greetclassifytalk.shop | 172.67.177.98 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.177.98 | greetclassifytalk.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1429089 |
| Start date and time: | 2024-04-20 19:20:06 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 30s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Excluded IPs from analysis (whitelisted): 40.127.169.103
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 19:20:56 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.177.98 | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse | ||
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| greetclassifytalk.shop | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| |
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | MicroClip | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.9555626953806176 |
| TrID: |
|
| File name: | file.exe |
| File size: | 5'747'200 bytes |
| MD5: | 0b4ad1c3b3f364c3d79fabdb47fe3385 |
| SHA1: | 85de5462d6342f03eaf3fb48176615fa6fa18508 |
| SHA256: | 21f247c6c84b114525d41500d54a63ab4bcea96d14ba8ca13be445acd72a081d |
| SHA512: | c9f6ecb99786613113ae5e02bf9e4a00fcf7036a1bddd07c87f8cb66ce8f45b9515d4fc0321cbf20282556f16645818249d04390335f518afdc1d2253f8dab76 |
| SSDEEP: | 98304:ao3n7Qvg+PVALF8Ka+EQLkVBbrxkKmrMP2tOmzprZOCgNYWxMuxee4F6OzU7+bgb:aY84EALF8Ka+EUakLrMP2tDrQCg6Wxj5 |
| TLSH: | 1B46236323260545E6D68C3686277EEE31F3036A8783BC7D69E33DC634225E9B225D53 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....8#f..............................O...........@..........................`............@........................................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x8f9bfe |
| Entrypoint Section: | .vmp1 |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x662338B6 [Sat Apr 20 03:38:30 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d435064ba91569f26a23505d954231af |
| Instruction |
|---|
| push A409FB29h |
| call 00007F6984EC4D55h |
| rol eax, 1 |
| xor eax, 0EAA540Ch |
| cmc |
| neg eax |
| cmc |
| sub eax, 48243F84h |
| xor ebx, eax |
| cmc |
| jmp 00007F6984E052ABh |
| not edx |
| bswap edx |
| jmp 00007F6984EEBA30h |
| test ebp, edi |
| not eax |
| jmp 00007F6984F80BE8h |
| dec ecx |
| stc |
| ror ecx, 1 |
| cmc |
| test dl, ah |
| neg ecx |
| add ecx, 0F1845A9h |
| jmp 00007F6984E74348h |
| mov ax, word ptr [ebp+00h] |
| mov cl, byte ptr [ebp+02h] |
| cmc |
| sub ebp, 00000002h |
| stc |
| test edi, ebx |
| jmp 00007F6984EFD649h |
| push esi |
| ret |
| not edx |
| jmp 00007F6984F9ECB1h |
| jmp 00007F6984ED6E13h |
| push A8F035E8h |
| call 00007F6985341C9Ch |
| bswap eax |
| jmp 00007F6984E1BE69h |
| not eax |
| cmc |
| ror eax, 1 |
| jmp 00007F6984E21D18h |
| jmp 00007F6984EE7921h |
| rep stosw |
| test ah, al |
| mov ecx, dword ptr [ebp+08h] |
| movzx ax, ch |
| dec eax |
| lea eax, dword ptr [ecx-01h] |
| mov dword ptr [ebp-40h], eax |
| xor esi, esi |
| test dx, bp |
| or eax, FFFFFFFFh |
| sub edi, edi |
| test ch, FFFFFFF9h |
| jmp 00007F6985021E0Ch |
| inc eax |
| cmp ch, 00000054h |
| xor ebx, eax |
| cmp ch, FFFFFF8Bh |
| add edi, eax |
| push edi |
| ret |
| dec edx |
| clc |
| test cl, 0000007Ah |
| xor ebx, edx |
| test cl, 00000000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8ebf94 | 0xdc | .vmp1 |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8f5000 | 0x5bc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x5b5000 | 0x80 | .vmp1 |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x39105 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3b000 | 0x28fb | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3e000 | 0xa534 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .vmp0 | 0x49000 | 0x330141 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .vmp1 | 0x37a000 | 0x57a7c0 | 0x57a800 | 333653f67ef3ae4a0da443bd2daf79ef | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .reloc | 0x8f5000 | 0x5bc | 0x600 | 68a79c1c12512e8647f2e507d94281b6 | False | 0.529296875 | data | 4.224219147614464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | ExitProcess |
| OLEAUT32.dll | SysAllocString |
| ole32.dll | CoCreateInstance |
| USER32.dll | CloseClipboard |
| GDI32.dll | BitBlt |
| WTSAPI32.dll | WTSSendMessageW |
| KERNEL32.dll | VirtualQuery |
| USER32.dll | GetProcessWindowStation |
| KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress |
| USER32.dll | GetProcessWindowStation, GetUserObjectInformationW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/20/24-19:20:56.333314 | UDP | 2052028 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (greetclassifytalk .shop) | 52332 | 53 | 192.168.2.4 | 1.1.1.1 |
| 04/20/24-19:21:01.309164 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/20/24-19:20:56.483623 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/20/24-19:20:57.310065 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/20/24-19:21:00.168650 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/20/24-19:20:58.261554 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/20/24-19:21:03.516500 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/20/24-19:20:59.171078 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/20/24-19:21:02.107071 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 20, 2024 19:20:56.479856968 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.479935884 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:56.480057001 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.483623028 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.483681917 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:56.717701912 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:56.717951059 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.720880032 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.720931053 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:56.721486092 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:56.775702953 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.810002089 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.810003042 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:56.810437918 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.291860104 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.291970968 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.292073965 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.295871973 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.295917034 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.309381008 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.309461117 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.309704065 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.310065031 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.310139894 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.529468060 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.529721022 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.530826092 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.530849934 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.531349897 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:57.532526970 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.532557011 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:57.532660007 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093123913 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093348026 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093429089 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093511105 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093571901 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.093573093 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.093590975 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093663931 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093724966 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.093740940 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093827963 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093904972 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.093982935 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.094048023 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.094048023 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.094068050 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.094095945 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.094146013 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.094228029 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.094358921 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.094556093 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.094556093 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.094556093 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.260979891 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.261065960 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.261156082 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.261554003 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.261579990 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.400762081 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.400823116 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.487245083 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.487328053 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.489479065 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.489490032 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.490022898 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.491862059 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.492017031 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.492054939 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:58.492140055 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:58.492146969 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.060959101 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.061259031 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.061336994 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.064482927 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.064505100 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.170698881 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.170732021 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.170790911 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.171077967 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.171092033 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.397903919 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.398010015 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.399862051 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.399876118 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.400398970 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.401578903 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.401696920 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.401757002 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.929457903 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.929727077 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:20:59.929835081 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.929861069 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:20:59.929883957 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.168056011 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.168112993 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.168220997 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.168649912 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.168662071 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.397979021 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.398078918 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.399665117 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.399688005 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.400201082 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.401731968 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.401942968 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.401978016 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.402059078 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.402075052 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.983414888 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.983673096 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:00.983675957 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:00.983753920 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.308715105 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.308764935 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:01.308875084 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.309164047 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.309176922 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:01.531259060 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:01.531353951 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.532850027 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.532865047 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:01.533389091 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:01.537728071 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.538269043 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:01.538327932 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.052558899 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.052826881 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.052864075 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.052932978 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.106456041 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.106535912 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.106934071 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.107070923 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.107105017 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.331387997 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.331621885 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.333353996 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.333405018 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.333977938 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.335058928 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.335154057 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.335253000 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.856508970 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.856791973 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:02.856911898 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:02.856913090 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.515516996 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.515624046 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.515741110 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.516499996 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.516575098 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.736799955 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.737082958 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.738657951 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.738709927 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.739063978 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.740623951 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.742044926 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.742093086 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.742239952 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.742280960 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.742419958 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.742463112 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.742633104 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.742671013 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.742863894 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.742924929 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.743155956 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.743210077 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.743228912 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.743439913 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.743494987 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.784169912 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.784579992 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.784672022 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.784697056 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.832130909 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.832354069 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.832413912 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.832453966 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.880212069 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:03.880431890 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:03.928129911 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:04.057712078 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:05.320393085 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:05.320668936 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 20, 2024 19:21:05.320980072 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:05.321064949 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 20, 2024 19:21:05.321101904 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 20, 2024 19:20:56.333313942 CEST | 52332 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 20, 2024 19:20:56.473897934 CEST | 53 | 52332 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 20, 2024 19:20:56.333313942 CEST | 192.168.2.4 | 1.1.1.1 | 0x4a42 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 20, 2024 19:20:56.473897934 CEST | 1.1.1.1 | 192.168.2.4 | 0x4a42 | No error (0) | 172.67.177.98 | A (IP address) | IN (0x0001) | false | ||
| Apr 20, 2024 19:20:56.473897934 CEST | 1.1.1.1 | 192.168.2.4 | 0x4a42 | No error (0) | 104.21.51.78 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:20:56 UTC | 269 | OUT | |
| 2024-04-20 17:20:56 UTC | 8 | OUT | |
| 2024-04-20 17:20:57 UTC | 806 | IN | |
| 2024-04-20 17:20:57 UTC | 7 | IN | |
| 2024-04-20 17:20:57 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:20:57 UTC | 270 | OUT | |
| 2024-04-20 17:20:57 UTC | 49 | OUT | |
| 2024-04-20 17:20:58 UTC | 804 | IN | |
| 2024-04-20 17:20:58 UTC | 565 | IN | |
| 2024-04-20 17:20:58 UTC | 727 | IN | |
| 2024-04-20 17:20:58 UTC | 1369 | IN | |
| 2024-04-20 17:20:58 UTC | 1369 | IN | |
| 2024-04-20 17:20:58 UTC | 1369 | IN | |
| 2024-04-20 17:20:58 UTC | 1369 | IN | |
| 2024-04-20 17:20:58 UTC | 1369 | IN | |
| 2024-04-20 17:20:58 UTC | 1369 | IN | |
| 2024-04-20 17:20:58 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:20:58 UTC | 288 | OUT | |
| 2024-04-20 17:20:58 UTC | 15331 | OUT | |
| 2024-04-20 17:20:58 UTC | 2827 | OUT | |
| 2024-04-20 17:20:59 UTC | 806 | IN | |
| 2024-04-20 17:20:59 UTC | 20 | IN | |
| 2024-04-20 17:20:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:20:59 UTC | 287 | OUT | |
| 2024-04-20 17:20:59 UTC | 8779 | OUT | |
| 2024-04-20 17:20:59 UTC | 810 | IN | |
| 2024-04-20 17:20:59 UTC | 20 | IN | |
| 2024-04-20 17:20:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:21:00 UTC | 288 | OUT | |
| 2024-04-20 17:21:00 UTC | 15331 | OUT | |
| 2024-04-20 17:21:00 UTC | 5101 | OUT | |
| 2024-04-20 17:21:00 UTC | 802 | IN | |
| 2024-04-20 17:21:00 UTC | 20 | IN | |
| 2024-04-20 17:21:00 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:21:01 UTC | 287 | OUT | |
| 2024-04-20 17:21:01 UTC | 7079 | OUT | |
| 2024-04-20 17:21:02 UTC | 804 | IN | |
| 2024-04-20 17:21:02 UTC | 20 | IN | |
| 2024-04-20 17:21:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:21:02 UTC | 287 | OUT | |
| 2024-04-20 17:21:02 UTC | 1389 | OUT | |
| 2024-04-20 17:21:02 UTC | 804 | IN | |
| 2024-04-20 17:21:02 UTC | 20 | IN | |
| 2024-04-20 17:21:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49737 | 172.67.177.98 | 443 | 6816 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-20 17:21:03 UTC | 289 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:03 UTC | 15331 | OUT | |
| 2024-04-20 17:21:05 UTC | 802 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 19:20:54 |
| Start date: | 20/04/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xfa0000 |
| File size: | 5'747'200 bytes |
| MD5 hash: | 0B4AD1C3B3F364C3D79FABDB47FE3385 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 12.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 9.2% |
| Total number of Nodes: | 694 |
| Total number of Limit Nodes: | 20 |
Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA4740 Relevance: 5.5, Strings: 4, Instructions: 501COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FBC540 Relevance: 1.6, Strings: 1, Instructions: 365COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD3CC0 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB37C9 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC04B7 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC0CA0 Relevance: .4, Instructions: 371COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD2010 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD3D10 Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC2458 Relevance: .2, Instructions: 153COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD57CA Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD59E2 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD6041 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD6CD4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB7810 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC7F5A Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC7F84 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD6209 Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD5F1F Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD3B50 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD75CD Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD3C2A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FCD6B9 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA1700 Relevance: 10.6, Strings: 8, Instructions: 594COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FAEF2D Relevance: 6.4, Strings: 5, Instructions: 151COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA52F0 Relevance: 3.4, Strings: 2, Instructions: 851COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD9AF0 Relevance: 2.8, Strings: 2, Instructions: 310COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB3E4A Relevance: 2.6, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD5412 Relevance: 2.6, Strings: 2, Instructions: 113COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC58A2 Relevance: 2.1, Strings: 1, Instructions: 839COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA1000 Relevance: 1.8, Strings: 1, Instructions: 544COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB6CDD Relevance: 1.6, Strings: 1, Instructions: 374COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FBA8C0 Relevance: 1.6, Strings: 1, Instructions: 304COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FBA420 Relevance: 1.5, Strings: 1, Instructions: 296COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA65F0 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB3C46 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB4C49 Relevance: 1.3, Strings: 1, Instructions: 80COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA7CB0 Relevance: .9, Instructions: 863COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA3260 Relevance: .7, Instructions: 739COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD45F0 Relevance: .7, Instructions: 654COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA3D70 Relevance: .6, Instructions: 606COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA6030 Relevance: .5, Instructions: 506COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC594F Relevance: .4, Instructions: 439COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC59D2 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC59CD Relevance: .4, Instructions: 388COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD97D0 Relevance: .3, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD1A70 Relevance: .2, Instructions: 186COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB42F0 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FAF690 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB5D7D Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB46E6 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FA2E70 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FBF234 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FBF828 Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC271D Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FBF640 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC4CB0 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FCF890 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB1A44 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FC1CC7 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FBE451 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FAFA49 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FAD140 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FB4596 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD7C45 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD7C47 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010078E0 Relevance: 7.8, APIs: 5, Instructions: 263COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FFEAF5 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 44COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FFEA7A Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 44COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100284B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |