Windows
Analysis Report
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
Overview
General Information
Sample name: | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe |
Analysis ID: | 1430791 |
MD5: | 4cf8283349d416ede72e0d3775d23972 |
SHA1: | 1a9cf0bbae717aebabea0b6933ce67604ce91733 |
SHA256: | 15113629d65d474d78089e91ee269220b68fdcff8c4df46ea1da0af21cd559e3 |
Tags: | base64-decodedexe |
Detection
Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe" MD5: 4CF8283349D416EDE72E0D3775D23972)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": "jimbb.ydns.eu:6991:1", "Assigned name": "JIMBO", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcerytuyiuoio-2AOB3L", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| REMCOS_RAT_variants | unknown | unknown | |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| REMCOS_RAT_variants | unknown | unknown | |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security: |
No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | URL Reputation: | ||
Source: | URL Reputation: | ||
Source: | URL Reputation: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_00433837 |
Source: | Binary or memory string: | memstr_9565aca4-a |
Exploits |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Privilege Escalation |
---|
Source: | Code function: | 0_2_004074FD |
Source: | Static PE information: |
Source: | Code function: | 0_2_00409253 | |
Source: | Code function: | 0_2_0041C291 | |
Source: | Code function: | 0_2_0040C34D | |
Source: | Code function: | 0_2_00409665 | |
Source: | Code function: | 0_2_0044E879 | |
Source: | Code function: | 0_2_0040880C | |
Source: | Code function: | 0_2_0040783C | |
Source: | Code function: | 0_2_00419AF5 | |
Source: | Code function: | 0_2_0040BB30 | |
Source: | Code function: | 0_2_0040BD37 |
Source: | Code function: | 0_2_00407C97 |
Networking |
---|
Source: | URLs: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_0041B380 |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Code function: | 0_2_0040A2B8 |
Source: | Windows user hook set: |
Source: | Code function: | 0_2_0040B70E |
Source: | Code function: | 0_2_004168C1 |
Source: | Code function: | 0_2_0040B70E |
Source: | Code function: | 0_2_0040A3E0 |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | Code function: | 0_2_0041C9E2 |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_004132D2 | |
Source: | Code function: | 0_2_0041BB09 | |
Source: | Code function: | 0_2_0041BB35 |
Source: | Code function: | 0_2_004167B4 |
Source: | Code function: | 0_2_0043E0CC | |
Source: | Code function: | 0_2_0041F0FA | |
Source: | Code function: | 0_2_00454159 | |
Source: | Code function: | 0_2_00438168 | |
Source: | Code function: | 0_2_004461F0 | |
Source: | Code function: | 0_2_0043E2FB | |
Source: | Code function: | 0_2_0045332B | |
Source: | Code function: | 0_2_0042739D | |
Source: | Code function: | 0_2_004374E6 | |
Source: | Code function: | 0_2_0043E558 | |
Source: | Code function: | 0_2_00438770 | |
Source: | Code function: | 0_2_004378FE | |
Source: | Code function: | 0_2_00433946 | |
Source: | Code function: | 0_2_0044D9C9 | |
Source: | Code function: | 0_2_00427A46 | |
Source: | Code function: | 0_2_0041DB62 | |
Source: | Code function: | 0_2_00427BAF | |
Source: | Code function: | 0_2_00437D33 | |
Source: | Code function: | 0_2_00435E5E | |
Source: | Code function: | 0_2_00426E0E | |
Source: | Code function: | 0_2_0043DE9D | |
Source: | Code function: | 0_2_00413FCA | |
Source: | Code function: | 0_2_00436FEA |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_00417952 |
Source: | Code function: | 0_2_0040F474 |
Source: | Code function: | 0_2_0041B4A8 |
Source: | Code function: | 0_2_0041AA4A |
Source: | File created: |
Source: | Mutant created: |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 | |
Source: | Command line argument: | 0_2_0040E9C5 |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_0041CB50 |
Source: | Code function: | 0_2_00457119 | |
Source: | Code function: | 0_2_00457A46 | |
Source: | Code function: | 0_2_00434E69 |
Source: | Code function: | 0_2_00406EB0 |
Source: | Code function: | 0_2_0041AA4A |
Source: | Code function: | 0_2_0041CB50 |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_0040F7A7 |
Source: | Code function: | 0_2_0041A748 |
Source: | Window / User API: | ||
Source: | Window / User API: | ||
Source: | Window / User API: |
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: |
Source: | Code function: | 0_2_00409253 | |
Source: | Code function: | 0_2_0041C291 | |
Source: | Code function: | 0_2_0040C34D | |
Source: | Code function: | 0_2_00409665 | |
Source: | Code function: | 0_2_0044E879 | |
Source: | Code function: | 0_2_0040880C | |
Source: | Code function: | 0_2_0040783C | |
Source: | Code function: | 0_2_00419AF5 | |
Source: | Code function: | 0_2_0040BB30 | |
Source: | Code function: | 0_2_0040BD37 |
Source: | Code function: | 0_2_00407C97 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-48786 |
Source: | Code function: | 0_2_004349F9 |
Source: | Code function: | 0_2_0041CB50 |
Source: | Code function: | 0_2_004432B5 |
Source: | Code function: | 0_2_00412077 |
Source: | Code function: | 0_2_004349F9 | |
Source: | Code function: | 0_2_00434B47 | |
Source: | Code function: | 0_2_0043BB22 | |
Source: | Code function: | 0_2_00434FDC |
Source: | Code function: | 0_2_004120F7 |
Source: | Code function: | 0_2_00419627 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00434C52 |
Source: | Code function: | 0_2_0040F8D1 | |
Source: | Code function: | 0_2_00452036 | |
Source: | Code function: | 0_2_004520C3 | |
Source: | Code function: | 0_2_00452313 | |
Source: | Code function: | 0_2_00448404 | |
Source: | Code function: | 0_2_0045243C | |
Source: | Code function: | 0_2_00452543 | |
Source: | Code function: | 0_2_00452610 | |
Source: | Code function: | 0_2_004488ED | |
Source: | Code function: | 0_2_00451CD8 | |
Source: | Code function: | 0_2_00451F50 | |
Source: | Code function: | 0_2_00451F9B |
Source: | Code function: | 0_2_00404F51 |
Source: | Code function: | 0_2_0041B60D |
Source: | Code function: | 0_2_00449190 |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_0040BA12 |
Source: | Code function: | 0_2_0040BB30 | |
Source: | Code function: | 0_2_0040BB30 |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_0040569A |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
87% | ReversingLabs | Win32.Backdoor.Remcos | ||
86% | Virustotal | Browse | ||
100% | Avira | BDS/Backdoor.Gen | ||
100% | Joe Sandbox ML | | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | URL Reputation | phishing | ||
100% | URL Reputation | phishing | ||
100% | URL Reputation | phishing | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
2% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
4% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
jimbb.ydns.eu | 23.226.132.239 | true | true | | unknown |
geoplugin.net | 178.237.33.50 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
23.226.132.239 | jimbb.ydns.eu | United States | | 8100 | ASN-QUADRANET-GLOBALUS | true |
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1430791 |
Start date and time: | 2024-04-24 07:21:46 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe |
Detection: | MAL |
Classification: | mal100.rans.troj.spyw.expl.evad.winEXE@1/2@3/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
07:23:11 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
178.237.33.50 | | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos, GuLoader | | |
| | | malicious | Remcos, DBatLoader | | |
| | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos, DBatLoader | | |
| | | malicious | GuLoader, Remcos | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
geoplugin.net | | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos, DBatLoader | | |
| | | malicious | Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos, GuLoader | | |
| | | malicious | Remcos, DBatLoader | | |
| | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos, DBatLoader | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ATOM86-ASATOM86NL | | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | Remcos | | |
| | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos, GuLoader | | |
| | | malicious | Remcos, DBatLoader | | |
| | | malicious | GuLoader, Remcos | | |
| | | malicious | Remcos, DBatLoader | | |
| | | malicious | GuLoader, Remcos | | |
ASN-QUADRANET-GLOBALUS | | | malicious | Remcos | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | NetSupport RAT | | |
| | | malicious | AgentTesla | | |
| | | malicious | XWorm | | |
| | | malicious | Unknown | | |
| | | malicious | Mirai | | |
| | | malicious | Gafgyt, Mirai | | |
| | | malicious | Unknown | | |
No context
No context
Process: | C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 3.349210161123417 |
Encrypted: | false |
SSDEEP: | 3:rhlKl+hNA+lTlCl55JWRal2Jl+7R0DAlBG45klovDl6v:6l+9lpCl55YcIeeDAlOWAv |
MD5: | 2F73606F0E5563E208D273049C22BEBD |
SHA1: | 2E297E83C682FDA8A1B430BA0D802D5CF2F61014 |
SHA-256: | E361145E30509ECD0F4FFB35414829CD236185F013188D3F04E181102C2565A9 |
SHA-512: | 639ED816FA42311675A0ADC6516FABDB136A05F4AEFE5DF81BC791684976D53B004CD1203324560D74271232AF3EC9D3448AC13F16DED59E653F49D31B34AF0D |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 965 |
Entropy (8bit): | 5.005233927773532 |
Encrypted: | false |
SSDEEP: | 12:tkbOnd66GkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkw7T:qbCdbauKyGX85jrvXhNlT3/7sYDsro |
MD5: | DA0FD37CC49697181AE27DA4C9D3C308 |
SHA1: | A6555517791DFFC3DFD07C3A2467A957F90AA67C |
SHA-256: | 540275576574073DDE26A8FABECB51D8A60343AE2EFE289628093D0B84430F19 |
SHA-512: | D6E3EA3E4357FB1CF120405BEF882E4667F3D80A463C3FB8866F451CA55B2A78BF7EFF9F692814AFF436EE8DFD1073A5AD66D83DD7CA27CF2F78799F72B0F58F |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.599734035149821 |
TrID: | |
File name: | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe |
File size: | 494'592 bytes |
MD5: | 4cf8283349d416ede72e0d3775d23972 |
SHA1: | 1a9cf0bbae717aebabea0b6933ce67604ce91733 |
SHA256: | 15113629d65d474d78089e91ee269220b68fdcff8c4df46ea1da0af21cd559e3 |
SHA512: | 1b7fa83f80002dec7084e48358a4c20169baede2d06e75285fde53782d7a4fbffba2c420513458b39c71d467a33e8fa493693449f5711f38e197bf1b10c7c41e |
SSDEEP: | 6144:6XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcN/5Gv:6X7tPMK8ctGe4Dzl4h2QnuPs/ZDqcv |
TLSH: | CDB49E01BAD1C072D57524300D3AF776EAB8BD2028364A7B73D61D5BFE31190B62A6B7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH.. |
Icon Hash: | 95694d05214c1b33 |
Entrypoint: | 0x4349ef |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65EC315B [Sat Mar 9 09:52:27 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 8d5087ff5de35c3fbb9f212b47d63cad |
Instruction |
---|
call 00007FF4A891146Ch |
jmp 00007FF4A8910E83h |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push ebx |
push esi |
push 00000017h |
call 00007FF4A89336E4h |
test eax, eax |
je 00007FF4A8910FF7h |
mov ecx, dword ptr [ebp+08h] |
int 29h |
xor esi, esi |
lea eax, dword ptr [ebp-00000324h] |
push 000002CCh |
push esi |
push eax |
mov dword ptr [00471D14h], esi |
call 00007FF4A8913457h |
add esp, 0Ch |
mov dword ptr [ebp-00000274h], eax |
mov dword ptr [ebp-00000278h], ecx |
mov dword ptr [ebp-0000027Ch], edx |
mov dword ptr [ebp-00000280h], ebx |
mov dword ptr [ebp-00000284h], esi |
mov dword ptr [ebp-00000288h], edi |
mov word ptr [ebp-0000025Ch], ss |
mov word ptr [ebp-00000268h], cs |
mov word ptr [ebp-0000028Ch], ds |
mov word ptr [ebp-00000290h], es |
mov word ptr [ebp-00000294h], fs |
mov word ptr [ebp-00000298h], gs |
pushfd |
pop dword ptr [ebp-00000264h] |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [ebp-0000026Ch], eax |
lea eax, dword ptr [ebp+04h] |
mov dword ptr [ebp-00000260h], eax |
mov dword ptr [ebp-00000324h], 00010001h |
mov eax, dword ptr [eax-04h] |
push 00000050h |
mov dword ptr [ebp-00000270h], eax |
lea eax, dword ptr [ebp-58h] |
push esi |
push eax |
call 00007FF4A89133CEh |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eea8 | 0x104 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b50 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bcc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d340 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3d4 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d378 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x4fc | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x57175 | 0x57200 | f959ed65f49a903603bc150bbb7292aa | False | 0.571329694225251 | data | 6.62552167894442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x59000 | 0x179b6 | 0x17a00 | dd9ac1735f016f0a84955e5637da2aad | False | 0.5005580357142857 | Zebra Metafile graphic (comment = \210\002\007) | 5.859387089901195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x71000 | 0x5d44 | 0xe00 | fa1a169b9414830def88848af87110b5 | False | 0.22154017857142858 | data | 3.00580031855032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.gfids | 0x78000 | 0x230 | 0x400 | 09e4699aa75951ab53e804fe4f9a3b6b | False | 0.3271484375 | data | 2.349075166240886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x79000 | 0x4b50 | 0x4c00 | ef6a9789097f98993a0e89b46fb14095 | False | 0.28402549342105265 | data | 3.9914464468439705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x7e000 | 0x3bcc | 0x3c00 | 0a6e61b09628beca43d4bf9604f65238 | False | 0.7639973958333334 | data | 6.718533933603825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837 |
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885 |
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052 |
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513 |
RT_RCDATA | 0x7d5cc | 0x541 | data | | | 1.00817843866171 |
RT_GROUP_ICON | 0x7db10 | 0x3e | data | English | United States | 0.8064516129032258 |
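The RT_RCDATA entry above is 0x541 bytes with a ZLIB complexity of about 1.0, i.e. it does not compress at all, which is what an encrypted blob looks like, and the report's "Found malware configuration" signature points at the same place. As an added example, not code from the report or from the sample, the block below builds and then parses a resource laid out the way public Remcos analyses describe its RCDATA "SETTINGS" resource: one byte of key length, the RC4 key, then the RC4-encrypted configuration. The layout, the `|\x1e\x1f|` field delimiter and the host:port:password form of the first field are assumptions taken from those write-ups; the blob is constructed here from a made-up key and a config that reuses the C2 endpoint seen in the network table.

```python
# Added example: pack and unpack a resource in the layout public Remcos write-ups
# describe for its RCDATA "SETTINGS" blob. The layout, delimiter and field order
# are assumptions from those write-ups; the blob is constructed below, it is not
# the sample's resource.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


FIELD_SEP = b"|\x1e\x1f|"  # field delimiter reported for recent builds (assumption)


def build_settings_blob(key: bytes, fields) -> bytes:
    """Layout: 1 byte key length, the key, then RC4(key, fields joined by FIELD_SEP)."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    plaintext = FIELD_SEP.join(f.encode() for f in fields)
    return bytes([len(key)]) + key + rc4(key, plaintext)


def parse_settings_blob(blob: bytes) -> dict:
    """Reverse the layout and pull host:port[:password] out of field 0."""
    if len(blob) < 3:
        raise ValueError("resource too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("key length byte is inconsistent with the blob size")
    key = blob[1:1 + key_len]
    fields = rc4(key, blob[1 + key_len:]).split(FIELD_SEP)
    parts = fields[0].decode(errors="replace").split(":")
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("field 0 is not host:port[:password]; layout assumption failed")
    return {
        "key": key,
        "c2_host": parts[0],
        "c2_port": int(parts[1]),
        "password": ":".join(parts[2:]),
        "fields": fields,
    }


# Constructed config: reuses the C2 endpoint from the report's network table with
# an invented key, password and botnet name.
SAMPLE_BLOB = build_settings_blob(
    b"examplekey", ["23.226.132.239:6991:pass123", "RemoteHost", "1", "0"])

if __name__ == "__main__":
    cfg = parse_settings_blob(SAMPLE_BLOB)
    print(f"C2 {cfg['c2_host']}:{cfg['c2_port']} password={cfg['password']!r} "
          f"fields={len(cfg['fields'])}")
```

Run `parse_settings_blob` over the real RCDATA bytes (dump the resource with a PE parser) and the layout assumption checks itself: a wrong key-length byte or delimiter yields non-printable fields instead of host:port:password, and builds differ in delimiter and field order, so read the decrypted bytes before trusting any field index.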
DLL | Import |
---|---|
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile |
USER32.dll | GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW |
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC |
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA |
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW |
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject |
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA |
WINMM.dll | waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader |
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket |
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW |
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream |
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile |
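The import table is the quickest static read on what this binary can do, and it is where the report's hollowing, keylogger and clipboard signatures come from. As an added example, not code from the report or from the sample, the block below applies two routine checks to it: the standard imphash normalisation (lower-cased `dll.function` entries in import-directory order, MD5 of the comma-joined string, which is how the "Import Hash" value above is derived) and a match of the imports against capability clusters, so that the pairing CreateProcessW + GetThreadContext + SetThreadContext + WriteProcessMemory + ResumeThread is flagged as a process-hollowing primitive rather than read one name at a time. The cluster definitions are this editor's assumptions, and the embedded list is a subset of the table above, so the hash it computes will not equal the report's Import Hash.

```python
import hashlib

# Constructed input: a subset of the import table in the report, as (DLL, function)
# pairs in the order the report lists them. It is not the full import directory.
IMPORTS = [
    ("KERNEL32.dll", "CreateToolhelp32Snapshot"), ("KERNEL32.dll", "Process32NextW"),
    ("KERNEL32.dll", "VirtualAlloc"), ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "ResumeThread"), ("KERNEL32.dll", "GetThreadContext"),
    ("KERNEL32.dll", "CreateProcessW"), ("KERNEL32.dll", "SetThreadContext"),
    ("USER32.dll", "GetClipboardData"), ("USER32.dll", "ToUnicodeEx"),
    ("USER32.dll", "SetWindowsHookExA"), ("USER32.dll", "CallNextHookEx"),
    ("USER32.dll", "GetKeyboardState"), ("USER32.dll", "SetClipboardData"),
    ("GDI32.dll", "BitBlt"), ("GDI32.dll", "GetDIBits"),
    ("ole32.dll", "CoGetObject"),
    ("WINMM.dll", "waveInOpen"),
    ("urlmon.dll", "URLDownloadToFileW"),
]

# Capability clusters (assumed mapping, not taken from the report): a flag fires
# only when every API in its set is imported, so one common API never triggers
# a cluster on its own.
CAPABILITIES = {
    "process hollowing / thread hijack": {
        "CreateProcessW", "WriteProcessMemory", "GetThreadContext",
        "SetThreadContext", "ResumeThread"},
    "global keyboard hook (keylogging)": {
        "SetWindowsHookExA", "CallNextHookEx", "ToUnicodeEx", "GetKeyboardState"},
    "clipboard read/write": {"GetClipboardData", "SetClipboardData"},
    "screen capture": {"BitBlt", "GetDIBits"},
    "microphone capture": {"waveInOpen"},
    "download to disk": {"URLDownloadToFileW"},
    "COM elevation moniker reachable (CoGetObject)": {"CoGetObject"},
}


def imphash_string(imports):
    """Normalise (DLL, function) pairs the way the standard imphash does:
    lower-case, strip .dll/.ocx/.sys, 'lib.func' entries joined by commas,
    in import-directory order."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string (imports by ordinal are not handled here)."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def capabilities(imports):
    """Names of every cluster whose APIs are all present, sorted for stable output."""
    present = {func for _, func in imports}
    return sorted(name for name, apis in CAPABILITIES.items() if apis <= present)


if __name__ == "__main__":
    print("imphash over this subset:", imphash(IMPORTS))
    for cap in capabilities(IMPORTS):
        print("capability:", cap)
```

Fed the binary's complete import directory in file order, `imphash` should reproduce the Import Hash the report lists; over the subset embedded here it cannot, which is the caveat worth remembering: imphash is order- and completeness-sensitive, so it pivots on builds that share a linker layout, not on capability. The cluster match is what tells you the import set supports hollowing and keylogging. CoGetObject on its own only shows that the COM elevation moniker is reachable; the report's CMSTPLUA finding needs the moniker string or CLSID in the decrypted configuration or in memory, which this table does not show.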
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 07:22:38.758505106 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:38.978455067 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:38.978713989 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:39.003158092 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:39.233458996 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:39.276804924 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:39.496854067 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:39.501512051 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:39.767805099 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:39.767961979 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:40.033251047 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:40.190583944 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:40.192167044 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:40.412306070 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:40.464127064 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:41.036719084 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:22:41.344705105 CEST | 80 | 49707 | 178.237.33.50 | 192.168.2.9 |
Apr 24, 2024 07:22:41.344794989 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:22:41.345001936 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:22:41.657533884 CEST | 80 | 49707 | 178.237.33.50 | 192.168.2.9 |
Apr 24, 2024 07:22:41.657623053 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:22:41.692205906 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:41.970710039 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:42.657156944 CEST | 80 | 49707 | 178.237.33.50 | 192.168.2.9 |
Apr 24, 2024 07:22:42.657218933 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:22:54.589349985 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:22:54.590765953 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:22:54.861910105 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:23:24.590679884 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:23:24.592942953 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:23:24.876950026 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:23:54.591311932 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:23:54.592864037 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:23:54.877140999 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:24:24.605391979 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:24:24.607155085 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:24:24.876970053 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:24:30.855143070 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:24:31.776834011 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:24:33.386099100 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:24:36.429549932 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:24:42.592772007 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:24:54.607965946 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:24:54.610013962 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:24:54.738368988 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:24:54.876857042 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:25:19.089200020 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50 |
Apr 24, 2024 07:25:24.608380079 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:25:24.632635117 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:25:24.908328056 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:25:54.621606112 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:25:54.626179934 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:25:54.908251047 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:26:24.636183023 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
Apr 24, 2024 07:26:24.638171911 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239 |
Apr 24, 2024 07:26:24.908154964 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9 |
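The TCP table shows two flows. The session to 23.226.132.239:6991 has a short initial exchange and is then kept alive every 30 seconds, with the 23.226.132.239 side sending first at each mark and 192.168.2.9 answering within milliseconds. The connection to 178.237.33.50:80 is one HTTP request whose later client packets follow a retransmission back-off (about 1, 2, 3, 6, 12, 24 seconds) rather than a schedule. The block below is an added example, not part of the report, that turns that observation into a check: it groups packets by flow, collapses each burst into one event, and scores how regular the event spacing is. The input is the outbound rows of the table above, copied verbatim as a constructed log; the 2-second burst gap, 10 % tolerance and 0.7 regularity threshold are chosen here and are assumptions, not values from the report.

```python
import statistics
from collections import defaultdict

# Constructed input: the outbound (192.168.2.9 -> remote) rows of the TCP table
# in the report, copied verbatim as "timestamp | sport | dport | src | dst".
TCP_LOG = """\
Apr 24, 2024 07:22:38.758505106 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:38.978713989 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.003158092 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.276804924 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.501512051 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.767961979 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:40.192167044 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:40.464127064 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:41.036719084 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.344794989 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.345001936 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.657623053 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.692205906 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:42.657218933 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:54.590765953 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:23:24.592942953 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:23:54.592864037 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:24:24.607155085 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:24:30.855143070 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:31.776834011 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:33.386099100 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:36.429549932 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:42.592772007 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:54.610013962 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:24:54.738368988 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:25:19.089200020 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:25:24.632635117 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:25:54.626179934 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:26:24.638171911 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
"""


def _seconds(ts):
    """'Apr 24, 2024 07:22:38.758505106 CEST' -> seconds since midnight.
    Every row falls on one day, so date and zone are ignored (assumption)."""
    hh, mm, ss = ts.split()[3].split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def parse_flows(text):
    """Group packet times by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, _sport, dport, src, dst = (f.strip() for f in line.split("|"))
        flows[(src, dst, int(dport))].append(_seconds(ts))
    return flows


def collapse_bursts(times, gap=2.0):
    """Merge packets closer than `gap` seconds into one event (time of the first
    packet), so a handshake or a retransmission burst counts once."""
    events, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            events.append(t)
        last = t
    return events


def beacon_score(times, gap=2.0, tolerance=0.10, min_events=4):
    """Median event spacing and the share of spacings within +/- tolerance of it."""
    events = collapse_bursts(times, gap)
    if len(events) < min_events:
        return None
    deltas = [b - a for a, b in zip(events, events[1:])]
    period = statistics.median(deltas)
    regular = sum(abs(d - period) <= tolerance * period for d in deltas)
    return {"events": len(events), "period": period, "regularity": regular / len(deltas)}


def find_beacons(text, min_regularity=0.7):
    """Flows whose event spacing is regular enough to look like a scheduled check-in."""
    scores = {k: beacon_score(v) for k, v in parse_flows(text).items()}
    return {k: s for k, s in scores.items() if s and s["regularity"] >= min_regularity}


if __name__ == "__main__":
    for (src, dst, dport), s in find_beacons(TCP_LOG).items():
        print(f"{src} -> {dst}:{dport} period={s['period']:.2f}s "
              f"regularity={s['regularity']:.2f} events={s['events']}")
```

On this log the 6991 flow scores a period of about 30.0 s with 7 of 8 spacings inside the tolerance, and the port-80 flow scores 1 of 5, because back-off retransmissions double each time instead of repeating. Collapsing bursts is what makes the difference: without it the sub-second packets of the initial exchange outvote the keepalives. On real traffic feed flow records (Zeek conn logs or similar) rather than packets, keep per-flow state across the window, and expect malware that adds jitter to need a wider tolerance than the 10 % used here.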
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 07:22:37.654803991 CEST | 59130 | 53 | 192.168.2.9 | 1.1.1.1 |
Apr 24, 2024 07:22:38.651674986 CEST | 59130 | 53 | 192.168.2.9 | 1.1.1.1 |
Apr 24, 2024 07:22:38.729048014 CEST | 53 | 59130 | 1.1.1.1 | 192.168.2.9 |
Apr 24, 2024 07:22:38.805634975 CEST | 53 | 59130 | 1.1.1.1 | 192.168.2.9 |
Apr 24, 2024 07:22:40.878376007 CEST | 60454 | 53 | 192.168.2.9 | 1.1.1.1 |
Apr 24, 2024 07:22:41.032845020 CEST | 53 | 60454 | 1.1.1.1 | 192.168.2.9 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 24, 2024 07:22:37.654803991 CEST | 192.168.2.9 | 1.1.1.1 | 0xd659 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 24, 2024 07:22:38.651674986 CEST | 192.168.2.9 | 1.1.1.1 | 0xd659 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 24, 2024 07:22:40.878376007 CEST | 192.168.2.9 | 1.1.1.1 | 0xda52 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 24, 2024 07:22:38.729048014 CEST | 1.1.1.1 | 192.168.2.9 | 0xd659 | No error (0) | | | 23.226.132.239 | A (IP address) | IN (0x0001) | false |
Apr 24, 2024 07:22:38.805634975 CEST | 1.1.1.1 | 192.168.2.9 | 0xd659 | No error (0) | | | 23.226.132.239 | A (IP address) | IN (0x0001) | false |
Apr 24, 2024 07:22:41.032845020 CEST | 1.1.1.1 | 192.168.2.9 | 0xda52 | No error (0) | | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.9 | 49707 | 178.237.33.50 | 80 | 7324 | C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 24, 2024 07:22:41.345001936 CEST | 71 | OUT | |
Apr 24, 2024 07:22:41.657533884 CEST | 1173 | IN |