Edit tour
Windows
Analysis Report
13s1HMkHKv.exe
Overview
General Information
| Sample name: | 13s1HMkHKv.exerenamed because original name is a hash value |
| Original sample name: | f48ff9bc196aad68da3d4376c9649d9f.exe |
| Analysis ID: | 1636853 |
| MD5: | f48ff9bc196aad68da3d4376c9649d9f |
| SHA1: | 6e322f4efcc330514595db2b0d4b9c46f0947fa9 |
| SHA256: | 11195c6b0d9981a94bdab08b52d714a2298e4e0bf98a613d62179bef8a701d00 |
| Tags: | exeuser-abuse_ch |
| Infos: |   |
 | |
Detection
Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected DarkVision Rat
Yara detected Fallen Miner
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Binaries Write Suspicious Extensions
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates job files (autostart)
Creates or modifies windows services
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Spawns drivers
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
13s1HMkHKv.exe (PID: 6756 cmdline: "C:\Users\ user\Deskt op\13s1HMk HKv.exe" MD5: F48FF9BC196AAD68DA3D4376C9649D9F) - rapes.exe (PID: 5860 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\bb556c ff4a\rapes .exe" MD5: F48FF9BC196AAD68DA3D4376C9649D9F)
- rapes.exe (PID: 5288 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\bb556cf f4a\rapes. exe MD5: F48FF9BC196AAD68DA3D4376C9649D9F)
- rapes.exe (PID: 7960 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\bb556cf f4a\rapes. exe MD5: F48FF9BC196AAD68DA3D4376C9649D9F) - s7MG2VL.exe (PID: 8140 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101713 00101\s7MG 2VL.exe" MD5: 1255E23EA313BB1A6E71D78B2F829262) - ZqkKpwG.exe (PID: 412 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101819 80101\ZqkK pwG.exe" MD5: 73932EB7D7DF842D5F358700626BE68C) 
conhost.exe (PID: 2116 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - ZqkKpwG.exe (PID: 6364 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101819 80101\ZqkK pwG.exe" MD5: 73932EB7D7DF842D5F358700626BE68C) 
WerFault.exe (PID: 7196 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 12 -s 404 MD5: C31336C1EFC2CCB44B4326EA793040F2) - eAzoDbY.exe (PID: 1416 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101843 40101\eAzo DbY.exe" MD5: 2002FDF412315D31FCDF5B6ACBCAA53C) - conhost.exe (PID: 1420 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - eAzoDbY.exe (PID: 7668 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101843 40101\eAzo DbY.exe" MD5: 2002FDF412315D31FCDF5B6ACBCAA53C) - eAzoDbY.exe (PID: 7660 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101843 40101\eAzo DbY.exe" MD5: 2002FDF412315D31FCDF5B6ACBCAA53C) - eAzoDbY.exe (PID: 4224 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101843 40101\eAzo DbY.exe" MD5: 2002FDF412315D31FCDF5B6ACBCAA53C) - WerFault.exe (PID: 2108 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 416 -s 408 MD5: C31336C1EFC2CCB44B4326EA793040F2) 
8sb9w_003.exe (PID: 4840 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\101908 60101\8sb9 w_003.exe" MD5: 0571EBBB85445ED7C252D71B63A91F4E) - cmd.exe (PID: 7356 cmdline:
cmd.exe /c powershel l.exe Add- MpPreferen ce -Exclus ionPath 'C :' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7340 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 1868 cmdline: powershell .exe Add-M pPreferenc e -Exclusi onPath 'C: ' MD5: 04029E121A0CFA5991749937DD22A1D9) - svchost.exe (PID: 4260 cmdline:
"C:\Window s\system32 \svchost.e xe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - cmd.exe (PID: 3284 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\Prog ramData\{6 6FE5BC5-AF B2-47E5-AD 94-EB93039 508DF}\ps. bat" """ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 828 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - ps.exe (PID: 3616 cmdline:
"C:\Progra mData\{66F E5BC5-AFB2 -47E5-AD94 -EB9303950 8DF}\ps.ex e" "" MD5: 5E41FCBF3434B7408FE70D6D81A943B1) - powershell.exe (PID: 3232 cmdline:
powershell Add-MpPre ference -E xclusionPa th C:\ MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 4628 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5052 cmdline:
powershell Remove-Mp Preference -Exclusio nPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5048 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
cls.exe (PID: 596 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\\{ED8B 0E24-294A- 4924-ABF6- 1B4F6433B7 70}\cls.ex e" "{66FE5 BC5-AFB2-4 7E5-AD94-E B93039508D F}" MD5: B9032767E054F3F99104B5B9D7E597C7) - yo7qmvz.exe (PID: 2240 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101912 30101\yo7q mvz.exe" MD5: 898521D79EBB6A67D80237F286E25177) - yo7qmvz.exe (PID: 2828 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101912 30101\yo7q mvz.exe" MD5: 898521D79EBB6A67D80237F286E25177) - st22BJg.exe (PID: 6620 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101914 70101\st22 BJg.exe" MD5: DBD46D6A4A15FAED18B20BE54BF49B40) - conhost.exe (PID: 1664 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
wscript.exe (PID: 748 cmdline: "C:\Window s\System32 \wscript.e xe" "C:\Us ers\user\A ppData\Loc al\Temp\pa ck82.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
file.exe (PID: 2724 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\file.e xe" MD5: BCF10E3C07383D9400F0FA98F3F999D5) - ShortcutTaskAgent.exe (PID: 7764 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Shortc utTaskAgen t.exe" MD5: 7700F61BECA60DB53658C52A05B01941) - ShortcutTaskAgent.exe (PID: 5068 cmdline:
C:\Users\u ser\AppDat a\Roaming\ altuninsta ll_test\Sh ortcutTask Agent.exe MD5: 7700F61BECA60DB53658C52A05B01941) - cmd.exe (PID: 4560 cmdline:
C:\Windows \SysWOW64\ cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5640 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - EZs3CZC.exe (PID: 4216 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101914 90101\EZs3 CZC.exe" MD5: C6067CD3B970C7F932F73F4084DF78E8) - dx3hXS1.exe (PID: 3592 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\101922 70101\dx3h XS1.exe" MD5: 74870B85AC926C53E0EAF2C42265B939)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution |
{"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "ddf4bb21335e58d5b0f7d6461dc868d9f8edb80615c104e1b714"}{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}{"C2": "82.29.67.160", "Port": 443}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_FallenMiner | Yara detected Fallen Miner | Joe Security | ||
| JoeSecurity_FallenMiner | Yara detected Fallen Miner | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_Amadey_3 | Yara detected Amadey\'s Clipper DLL | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 27 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_Amadey_3 | Yara detected Amadey\'s Clipper DLL | Joe Security | ||
| JoeSecurity_Amadey_3 | Yara detected Amadey\'s Clipper DLL | Joe Security | ||
| Click to see the 16 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: vburov: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-13T08:08:16.568202+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61662 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:19.411692+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61664 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:21.176420+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61665 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:22.167222+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61666 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:23.893279+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61669 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:24.725021+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61670 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:26.397404+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61673 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:27.495236+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61674 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:28.097724+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61675 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:28.994643+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61678 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:31.044443+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61680 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:31.072851+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61681 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:31.930355+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61683 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:33.642775+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61684 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:33.716829+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61685 | 104.26.9.202 | 443 | TCP |
| 2025-03-13T08:08:34.828682+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61688 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:35.004635+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61686 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:36.513389+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61689 | 104.21.48.1 | 443 | TCP |
| 2025-03-13T08:08:36.811716+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61690 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:38.073665+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61693 | 104.26.9.202 | 443 | TCP |
| 2025-03-13T08:08:39.788467+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61694 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:40.103273+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61695 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:40.390343+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61697 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:44.398932+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61701 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:44.686840+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61702 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:47.451939+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61731 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:48.973755+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61732 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:50.531985+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61734 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:54.397087+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61737 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:08:57.721076+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61740 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:09:02.617872+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61742 | 188.114.96.3 | 443 | TCP |
| 2025-03-13T08:09:08.950895+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 61743 | 104.21.48.1 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-13T08:08:42.906545+0100 | 2001046 | 3 | Misc activity | 176.113.115.7 | 80 | 192.168.2.6 | 61700 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-13T08:08:35.180654+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61691 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:08:39.465600+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61698 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:08:43.493245+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61706 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:08:47.524509+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61733 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:08:51.571838+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61735 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:08:55.613972+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61739 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:08:59.859490+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61741 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:09:03.894632+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61745 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:09:08.105611+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61747 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:09:12.098828+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61750 | 82.29.67.160 | 443 | TCP |
| 2025-03-13T08:09:17.609377+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 61754 | 82.29.67.160 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-13T08:08:05.864701+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.6 | 61658 | 176.113.115.6 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-13T08:08:10.528216+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61660 | 176.113.115.7 | 80 | TCP |
| 2025-03-13T08:08:17.527086+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61663 | 176.113.115.7 | 80 | TCP |
| 2025-03-13T08:08:23.981887+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61671 | 176.113.115.7 | 80 | TCP |
| 2025-03-13T08:08:30.295922+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61682 | 107.174.192.179 | 80 | TCP |
| 2025-03-13T08:08:36.502396+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61692 | 176.113.115.7 | 80 | TCP |
| 2025-03-13T08:08:42.776863+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61700 | 176.113.115.7 | 80 | TCP |
| 2025-03-13T08:08:55.368746+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61738 | 176.113.115.7 | 80 | TCP |
| 2025-03-13T08:09:09.354288+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 61748 | 176.113.115.7 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 17_2_0041EE8D | |
| Source: | Code function: | 17_2_0041F9B0 | |
| Source: | Code function: | 17_2_0041B970 | |
| Source: | Binary or memory string: | memstr_201bcc45-e | |
Exploits | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Bitcoin Miner | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 15_2_00C2FCDE | |
| Source: | Code function: | 15_2_00C2FD8F | |
| Source: | Code function: | 17_2_00C2FCDE | |
| Source: | Code function: | 17_2_00C2FD8F | |
| Source: | Code function: | 17_2_0044D840 | |
| Source: | Code function: | 17_2_004208E0 | |
| Source: | Code function: | 17_2_0041094F | |
| Source: | Code function: | 17_2_0043892B | |
| Source: | Code function: | 17_2_0043892B | |
| Source: | Code function: | 17_2_0040D9E0 | |
| Source: | Code function: | 17_2_0040F200 | |
| Source: | Code function: | 17_2_0042F3D0 | |
| Source: | Code function: | 17_2_0044E390 | |
| Source: | Code function: | 17_2_004374BA | |
| Source: | Code function: | 17_2_00412CBC | |
| Source: | Code function: | 17_2_0044EE50 | |
| Source: | Code function: | 17_2_00444F20 | |
| Source: | Code function: | 17_2_0044D730 | |
| Source: | Code function: | 17_2_00412FAF | |
| Source: | Code function: | 17_2_00449000 | |
| Source: | Code function: | 17_2_0042C820 | |
| Source: | Code function: | 17_2_004490C0 | |
| Source: | Code function: | 17_2_004490C0 | |
| Source: | Code function: | 17_2_004360D3 | |
| Source: | Code function: | 17_2_0040F8D9 | |
| Source: | Code function: | 17_2_004300E1 | |
| Source: | Code function: | 17_2_0043309C | |
| Source: | Code function: | 17_2_0042F960 | |
| Source: | Code function: | 17_2_0040A1F0 | |
| Source: | Code function: | 17_2_0040A1F0 | |
| Source: | Code function: | 17_2_0041C1F0 | |
| Source: | Code function: | 17_2_004291A0 | |
| Source: | Code function: | 17_2_0041B9A7 | |
| Source: | Code function: | 17_2_004359B3 | |
| Source: | Code function: | 17_2_00421A20 | |
| Source: | Code function: | 17_2_0042EA30 | |
| Source: | Code function: | 17_2_00444AE0 | |
| Source: | Code function: | 17_2_0041C2E8 | |
| Source: | Code function: | 17_2_00446AF9 | |
| Source: | Code function: | 17_2_00434AB0 | |
| Source: | Code function: | 17_2_0041E2BE | |
| Source: | Code function: | 17_2_0042CB50 | |
| Source: | Code function: | 17_2_00435B7F | |
| Source: | Code function: | 17_2_004113C6 | |
| Source: | Code function: | 17_2_004493E0 | |
| Source: | Code function: | 17_2_00437B85 | |
| Source: | Code function: | 17_2_00436389 | |
| Source: | Code function: | 17_2_00436389 | |
| Source: | Code function: | 17_2_004423B0 | |
| Source: | Code function: | 17_2_00435C04 | |
| Source: | Code function: | 17_2_00428C10 | |
| Source: | Code function: | 17_2_00435B56 | |
| Source: | Code function: | 17_2_0042243F | |
| Source: | Code function: | 17_2_004284D0 | |
| Source: | Code function: | 17_2_004284D0 | |
| Source: | Code function: | 17_2_004284D0 | |
| Source: | Code function: | 17_2_004364FA | |
| Source: | Code function: | 17_2_004364FA | |
| Source: | Code function: | 17_2_00430C93 | |
| Source: | Code function: | 17_2_0041CC9C | |
| Source: | Code function: | 17_2_0040D4A0 | |
| Source: | Code function: | 17_2_004334A0 | |
| Source: | Code function: | 17_2_004364A5 | |
| Source: | Code function: | 17_2_004364A5 | |
| Source: | Code function: | 17_2_0042CD41 | |
| Source: | Code function: | 17_2_00437D7B | |
| Source: | Code function: | 17_2_00436509 | |
| Source: | Code function: | 17_2_00436509 | |
| Source: | Code function: | 17_2_0042CD30 | |
| Source: | Code function: | 17_2_0044DD30 | |
| Source: | Code function: | 17_2_004325C0 | |
| Source: | Code function: | 17_2_0040C5D0 | |
| Source: | Code function: | 17_2_0041E5D2 | |
| Source: | Code function: | 17_2_0041A650 | |
| Source: | Code function: | 17_2_0042DE29 | |
| Source: | Code function: | 17_2_00431681 | |
| Source: | Code function: | 17_2_00402760 | |
| Source: | Code function: | 17_2_0040F775 | |
| Source: | Code function: | 17_2_00437F16 | |
| Source: | Code function: | 17_2_0041BFCF | |
| Source: | Code function: | 17_2_0044EFD0 | |
| Source: | Code function: | 17_2_0041D7FB | |
| Source: | Code function: | 17_2_0041D7FB | |
| Source: | Code function: | 17_2_0044CF80 | |
| Source: | Code function: | 17_2_00445FA0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||