Edit tour
Windows
Analysis Report
Skambenets.exe
Overview
General Information
| Sample name: | Skambenets.exe |
| Analysis ID: | 1629090 |
| MD5: | 0519c157d2d7450690a1cef20ea51e8f |
| SHA1: | bfe39774f356f799bd74649330ab7baecb95c052 |
| SHA256: | 7dca3dbf4a0d99e7c86edafb83698994e9f89d2ec51de988f0f8c7ec54e4f81b |
| Tags: | exeuser-lowmal3 |
| Infos: |  |
 | |
Detection
GuLoader
| Score: | 68 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
Skambenets.exe (PID: 4392 cmdline:
"C:\Users\ user\Deskt op\Skamben ets.exe" MD5: 0519C157D2D7450690A1CEF20EA51E8F) "C:\Users\ user\Deskt op\Skamben ets.exe" MD5: 0519C157D2D7450690A1CEF20EA51E8F)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-04T11:44:49.660363+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49990 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:45:48.364260+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49882 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:46:09.850930+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49984 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:46:31.363332+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49986 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:46:52.849789+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49988 | 64.227.9.228 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00405770 | |
| Source: | Code function: | 0_2_0040622B | |
| Source: | Code function: | 0_2_0040276E | |
| Source: | Code function: | 5_2_0040276E | |
| Source: | Code function: | 5_2_00405770 | |
| Source: | Code function: | 5_2_0040622B | |
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_004052D1 | |
| Source: | Code function: | 0_2_00403358 | |
| Source: | Code function: | 5_2_00403358 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00404B0E | |
| Source: | Code function: | 0_2_0040653D | |
| Source: | Code function: | 5_2_00404B0E | |
| Source: | Code function: | 5_2_0040653D | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004045C8 | |
| Source: | Code function: | 0_2_0040206A | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00406252 | |
| Source: | Code function: | 0_2_10002DDE | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00405770 | |
| Source: | Code function: | 0_2_0040622B | |
| Source: | Code function: | 0_2_0040276E | |
| Source: | Code function: | 5_2_0040276E | |
| Source: | Code function: | 5_2_00405770 | |
| Source: | Code function: | 5_2_0040622B | |
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-4483 | ||
| Source: | API call chain: | graph_0-4487 | ||
| Source: | Code function: | 0_2_00406252 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405F0A | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 36% | Virustotal | Browse | ||
| 24% | ReversingLabs |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 64.227.9.228 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1629090 |
| Start date and time: | 2025-03-04 11:44:00 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 35s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Skambenets.exe |
| Detection: | MAL |
| Classification: | mal68.troj.evad.winEXE@3/9@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.60, 52.149.20.212
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Skambenets.exe, PID 2144 because there are no executed function
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 05:44:55 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| DIGITALOCEAN-ASNUS | Get hash | malicious | Mirai, Moobot | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsq4F0.tmp\System.dll | Get hash | malicious | Remcos, GuLoader | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | Mindspark | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | AgentTesla, GuLoader | Browse | |||
| Get hash | malicious | AgentTesla, GuLoader | Browse | |||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1134748 |
| Entropy (8bit): | 4.395183120055972 |
| Encrypted: | false |
| SSDEEP: | 6144:gTrjoP9mczaRwF0911Ezy3ql9+mPTyuJa75rJBnTD6pcSYyKMMnpfRdlLV2/eMU6:gTrjaMwF0911BCpu5rLnTDWUUdQ+ |
| MD5: | 0DBC981E198B16B3A75F86623EB5AF0C |
| SHA1: | 389A5F638F29D0E0B1D21A1F623F545EBEC03F63 |
| SHA-256: | 32D399D7806AE3C9589F9AA4A29B5FE2516603039A470F18299AD49B160D2B11 |
| SHA-512: | 748DB6DC3448CAE8547EAF00CC9C29132430B76BCB49DB05B57A775189B90FBE581D7EEC78ADAC4A7491876D39CB0267AC49BC4282161BDFB3CBAC3DDF297DE4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11264 |
| Entropy (8bit): | 5.813979271513012 |
| Encrypted: | false |
| SSDEEP: | 192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP |
| MD5: | 7399323923E3946FE9140132AC388132 |
| SHA1: | 728257D06C452449B1241769B459F091AABCFFC5 |
| SHA-256: | 5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3 |
| SHA-512: | D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 279146 |
| Entropy (8bit): | 7.747371055879157 |
| Encrypted: | false |
| SSDEEP: | 6144:iP9mczaRwF0911Ezy3ql9+mPTyuJa75rJBnTD6pcSYyKH:YMwF0911BCpu5rLnTDWY |
| MD5: | 565B011B012ABCE64B9261C634C9569E |
| SHA1: | 3F790B36E2F297E02E0A5652C4A92F4FE103317C |
| SHA-256: | 02DAFF0D6BAFDA6D3E7DC5A156F7DC3CF8B9E1FD8739DDA0975B2E279D09A805 |
| SHA-512: | 33DFE3D84E9DFC2401A09C4F05FAC2AF1CE578962949453CB49B19C38520B1341033A90E47CFCDDA1AE1EE01E5E2A9F59DEAE6A4144B6FBA344B92CB910106D4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 284577 |
| Entropy (8bit): | 1.255078923587751 |
| Encrypted: | false |
| SSDEEP: | 6144:kMnpfRdlLV2/eMUsM3C7WcXAj8iJIRpofbRYAUpOYPJLL8DStXMkO6nsCm:lx |
| MD5: | E19CE796159C3BDE707DD283EC175450 |
| SHA1: | EFC8FA6D949A4939A01D9C380F6946AA311AA584 |
| SHA-256: | F742C0F0F0B306BBA3C99E7B3CBF13D8197AFA3DC8A26DEBCED77D894103A7A7 |
| SHA-512: | 84D6AA4A917C94CC4E17EBE4DCA6A8D2BC1AEB81D313EB7F07980D3CCBFF6134007CB7ECC3B9ABC00F0510AECD26E92AEE0634A1084813A18ACDD70E3952E9F4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 667 |
| Entropy (8bit): | 4.5176817284957815 |
| Encrypted: | false |
| SSDEEP: | 12:3vOruGoCjuWKfHb8aMt+JX4yESglsw1kKKh6BgOxuFlsFOsSsv:3bCUfnOCIZHGs0e |
| MD5: | 6C74C3D34F8CC5E305E5085FF917D020 |
| SHA1: | 20773526DBD9495B5E6D11E9B2AF205C81B49CC1 |
| SHA-256: | 1A953DC54649B2E6ED53F12C1B1AED83493E75C2068D3DB8206A87A0D1215E83 |
| SHA-512: | C7C7A68E64E151FD7AE069AA475CD1E0FC37C4C9251231CC73EA4B9EEFBB0EA3FFC65DC11BE8CF8D5FBCF270CCA12F658C23ABA5682DBAE87051515C080D7DF0 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 530 |
| Entropy (8bit): | 4.431710325153932 |
| Encrypted: | false |
| SSDEEP: | 12:4/k2m2UmKg9FKgDq+0G/UerFEJ6T9lfLfWqpTk+Nt7MZ:rdrmP930G/PFEJqrfFO+nIZ |
| MD5: | 8A7A9974B9C55BF8AC94710B477A662E |
| SHA1: | B7D0D00BB0FDFBC172B92C62464768CA630EB0C3 |
| SHA-256: | 7C448A6C8E8DE6460AC05834DE6F9042467ACDA9FFD9923352C42F2904C59782 |
| SHA-512: | B14074DD2E2255D106F18508649F38B3C30EF20CF5AAB8144A5E7EF22ADF329A3FE18A4B4D136A43F6E9C4ACB4CD0336672B1AC01384EA299C1382B211EFC4B0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 473258 |
| Entropy (8bit): | 1.248788570764183 |
| Encrypted: | false |
| SSDEEP: | 1536:cSG9iToxeAQXFzDmk6As6vQRMWHzm2OhzdipTMhKxPY+oi6ZeJ5Ejq2pYMm1C/i+:QcxsNNd4FOITURiN |
| MD5: | 336BDDA1E77424F8F50C8FF0AA64D146 |
| SHA1: | 5E475F772C80DDB47E3CEC3F181DC493D2C6D60D |
| SHA-256: | E7D5C4A66EAD0A6935C952CB287E6839BB68A44A1C8508C88CC5EC9AE4411D01 |
| SHA-512: | 3FBF475C651B94CCD5E645216864D264E032D6B5122B3759B1E78D606B24163395141DAE76F2362F413E313C4232DD4D2C884D4D6ED1BC3564781191CF125C8C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 70351 |
| Entropy (8bit): | 1.2598388117953725 |
| Encrypted: | false |
| SSDEEP: | 384:M37raR0TFnugVoTVnb93oEZw78Ih/izqcxB3S4Y:O3aR0TQgeTlNPwYIUzq6B3Sp |
| MD5: | 54E646BCD4B09075BE0D4ECE1ED62685 |
| SHA1: | 17A4525BC6FCEEA6B1A92536D23749E11619E96C |
| SHA-256: | D34CC96D389EDFAC6047EB41DC22EAA9A5EA26A64A36EB733BC95FC4ED570E72 |
| SHA-512: | 04A0B74320AD2131AE0113D35B5AF2CF3D76A81D560E46A7EB65C7C45FE907103F4B55645585E1632C5D691152DD536D9456FEB5954F26E91ECE11F595605DF1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Skambenets.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 661 |
| Entropy (8bit): | 4.502730296156622 |
| Encrypted: | false |
| SSDEEP: | 12:/Hi8sSTbFHPjdTJYQT44hR+ZgM0R3RIkWxz4dX6NOW1m4QwT2TbFTD2MoyEnV:/H+WPBT69rC5Qz+6N9rP2PFPo5 |
| MD5: | 04CE2396C7300E78E16AA6A3E1050BF4 |
| SHA1: | E0E3BE532ECD63E46C149751EB546752123F68BE |
| SHA-256: | 1B746C6A7D78152EFC91E1B7107E1EE013249ECC45023FA52D9022446BAF4224 |
| SHA-512: | B53DB842727156076DEB0345F506260A6A717C81411209B39BB99774D6862508DE95427078975FAC8220396B117469E30077D874B112AE8E8BCC3119B245FBFB |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.258779514998669 |
| TrID: |
|
| File name: | Skambenets.exe |
| File size: | 683'327 bytes |
| MD5: | 0519c157d2d7450690a1cef20ea51e8f |
| SHA1: | bfe39774f356f799bd74649330ab7baecb95c052 |
| SHA256: | 7dca3dbf4a0d99e7c86edafb83698994e9f89d2ec51de988f0f8c7ec54e4f81b |
| SHA512: | a0632a5bfc725e6e2ac323f58980f1a8889712c9f02381a094d0b64495b5dc9a78563c9e953ce2233e6c11fcf437f79ea8dba4fdf976c24df4e5da59ac771d5f |
| SSDEEP: | 6144:ttXZXAehlzqxBd9SzzPV04yXmq5N08J4S9jlxWoESbm/NKwu7tblLa/bdiRqg4lj:tt4DeGJIojIVKz7tbBa3AGtmMYSBEo3 |
| TLSH: | 60E412287ED9E877C28118790EB1D6BEE7F67D0809118F27B72D3FAE1D3085269191E0 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....f.R.................`...*......X3.......p....@ |
 | |
| Icon Hash: | 0d0e1f1d1b874f0c |
| Entrypoint: | 0x403358 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e221f4f7d36469d53810a4b5f9fc8966 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+14h], ebp |
| mov dword ptr [esp+10h], 00409230h |
| mov dword ptr [esp+1Ch], ebp |
| call dword ptr [00407034h] |
| push 00008001h |
| call dword ptr [004070BCh] |
| push ebp |
| call dword ptr [004072ACh] |
| push 00000008h |
| mov dword ptr [00429298h], eax |
| call 00007F9194F5EE4Ch |
| mov dword ptr [004291E4h], eax |
| push ebp |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebp |
| push 00420690h |
| call dword ptr [0040717Ch] |
| push 0040937Ch |
| push 004281E0h |
| call 00007F9194F5EAB7h |
| call dword ptr [00407134h] |
| mov ebx, 00434000h |
| push eax |
| push ebx |
| call 00007F9194F5EAA5h |
| push ebp |
| call dword ptr [0040710Ch] |
| cmp word ptr [00434000h], 0022h |
| mov dword ptr [004291E0h], eax |
| mov eax, ebx |
| jne 00007F9194F5BF9Ah |
| push 00000022h |
| mov eax, 00434002h |
| pop esi |
| push esi |
| push eax |
| call 00007F9194F5E4F6h |
| push eax |
| call dword ptr [00407240h] |
| mov dword ptr [esp+18h], eax |
| jmp 00007F9194F5C05Eh |
| push 00000020h |
| pop edx |
| cmp cx, dx |
| jne 00007F9194F5BF99h |
| inc eax |
| inc eax |
| cmp word ptr [eax], dx |
| je 00007F9194F5BF8Bh |
| add word ptr [eax], 0000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0x3b330 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5e66 | 0x6000 | e8f12472e91b02deb619070e6ee7f1f4 | False | 0.6566569010416666 | data | 6.419409887460116 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x202d8 | 0x600 | a5ec1b720d350c6303a7aba8d85072bf | False | 0.4733072916666667 | data | 3.7600484096214832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x2a000 | 0x26000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x50000 | 0x3b330 | 0x3b400 | 2d2028b91a53c942835f80f84c194200 | False | 0.5409620582805907 | data | 5.258649495088397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x50478 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x507e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.3344522654678812 |
| RT_ICON | 0x61008 | 0x10637 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9980931666840467 |
| RT_ICON | 0x71640 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3632278747109523 |
| RT_ICON | 0x7aae8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.36206099815157117 |
| RT_ICON | 0x7ff70 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3579357581483231 |
| RT_ICON | 0x84198 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3853734439834025 |
| RT_ICON | 0x86740 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4080675422138837 |
| RT_ICON | 0x877e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5439765458422174 |
| RT_ICON | 0x88690 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.4459016393442623 |
| RT_ICON | 0x89018 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6583935018050542 |
| RT_ICON | 0x898c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.5743087557603687 |
| RT_ICON | 0x89f88 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4046242774566474 |
| RT_ICON | 0x8a4f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.49556737588652483 |
| RT_DIALOG | 0x8a958 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0x8aaa0 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0x8abe0 | 0x120 | data | English | United States | 0.5138888888888888 |
| RT_DIALOG | 0x8ad00 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x8ae20 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x8ae80 | 0xbc | data | English | United States | 0.6542553191489362 |
| RT_MANIFEST | 0x8af40 | 0x3ea | XML 1.0 document, ASCII text, with very long lines (1002), with no line terminators | English | United States | 0.5179640718562875 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte |
| USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
| ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-04T11:44:49.660363+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49990 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:45:48.364260+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49882 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:46:09.850930+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49984 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:46:31.363332+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49986 | 64.227.9.228 | 80 | TCP |
| 2025-03-04T11:46:52.849789+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49988 | 64.227.9.228 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 4, 2025 11:45:26.969952106 CET | 49882 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:26.975018978 CET | 80 | 49882 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:45:26.975107908 CET | 49882 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:26.975678921 CET | 49882 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:26.980690956 CET | 80 | 49882 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:45:48.364136934 CET | 80 | 49882 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:45:48.364259958 CET | 49882 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:48.364892006 CET | 49882 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:48.369956970 CET | 80 | 49882 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:45:48.475228071 CET | 49984 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:48.480293989 CET | 80 | 49984 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:45:48.480619907 CET | 49984 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:48.480619907 CET | 49984 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:45:48.485666037 CET | 80 | 49984 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:09.850795984 CET | 80 | 49984 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:09.850929976 CET | 49984 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:09.851022959 CET | 49984 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:09.855974913 CET | 80 | 49984 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:09.959285021 CET | 49986 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:09.964378119 CET | 80 | 49986 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:09.964539051 CET | 49986 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:09.964755058 CET | 49986 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:09.969702959 CET | 80 | 49986 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:31.363156080 CET | 80 | 49986 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:31.363332033 CET | 49986 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:31.363360882 CET | 49986 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:31.368427992 CET | 80 | 49986 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:31.476591110 CET | 49988 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:31.481708050 CET | 80 | 49988 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:31.481815100 CET | 49988 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:31.481950045 CET | 49988 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:31.486912012 CET | 80 | 49988 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:52.849718094 CET | 80 | 49988 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:52.849788904 CET | 49988 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:52.849878073 CET | 49988 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:52.854909897 CET | 80 | 49988 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:52.959268093 CET | 49990 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:52.964539051 CET | 80 | 49990 | 64.227.9.228 | 192.168.2.6 |
| Mar 4, 2025 11:46:52.964709997 CET | 49990 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:52.964848042 CET | 49990 | 80 | 192.168.2.6 | 64.227.9.228 |
| Mar 4, 2025 11:46:52.969899893 CET | 80 | 49990 | 64.227.9.228 | 192.168.2.6 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49882 | 64.227.9.228 | 80 | 2144 | C:\Users\user\Desktop\Skambenets.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 4, 2025 11:45:26.975678921 CET | 177 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49984 | 64.227.9.228 | 80 | 2144 | C:\Users\user\Desktop\Skambenets.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 4, 2025 11:45:48.480619907 CET | 177 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49986 | 64.227.9.228 | 80 | 2144 | C:\Users\user\Desktop\Skambenets.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 4, 2025 11:46:09.964755058 CET | 177 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49988 | 64.227.9.228 | 80 | 2144 | C:\Users\user\Desktop\Skambenets.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 4, 2025 11:46:31.481950045 CET | 177 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49990 | 64.227.9.228 | 80 | 2144 | C:\Users\user\Desktop\Skambenets.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 4, 2025 11:46:52.964848042 CET | 177 | OUT |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:44:53 |
| Start date: | 04/03/2025 |
| Path: | C:\Users\user\Desktop\Skambenets.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 683'327 bytes |
| MD5 hash: | 0519C157D2D7450690A1CEF20EA51E8F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 05:45:20 |
| Start date: | 04/03/2025 |
| Path: | C:\Users\user\Desktop\Skambenets.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 683'327 bytes |
| MD5 hash: | 0519C157D2D7450690A1CEF20EA51E8F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |