Analysis Report HMPEX_PO201120112.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup
Malware Configuration
No configs have been found
Yara Overview
Memory Dumps
Rule | Description | Author
---|---|---
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Sigma Overview
System Summary:
- Sigma detected: NanoCore (Author: Joe Security)
- Sigma detected: Scheduled temp file as task from temp location (Author: Joe Security)
Signature Overview
AV Detection:
- Multi AV Scanner detection for dropped file: ReversingLabs (1 entry)
- Multi AV Scanner detection for submitted file: ReversingLabs (1 entry)
- Yara detected Nanocore RAT: File source (2 entries)
- Machine Learning detection for dropped file: Joe Sandbox ML (1 entry)
- Machine Learning detection for sample: Joe Sandbox ML (1 entry)
Networking:
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules): Snort IDS (1 entry)
- Uses dynamic DNS services: DNS query (1 entry)
- Additional evidence (signature names not shown in this report): TCP traffic (1 entry); ASN Name (1 entry); TCP traffic detected without corresponding DNS query (50 entries); DNS traffic detected (1 entry); Network traffic detected (28 entries); Binary or memory string (1 entry)
E-Banking Fraud:
- Yara detected Nanocore RAT: File source (2 entries)
System Summary:
- Malicious sample detected (through community Yara rule): Matched rule (4 entries)
- Additional evidence (signature names not shown in this report): Code function (22 entries); Binary or memory string (9 entries); Matched rule (4 entries); Static PE information (2 entries); Classification label (1 entry); File created (1 entry); Mutant created (3 entries); File created (1 entry); Static PE information (1 entry); Section loaded (6 entries); File read (1 entry); Key opened (1 entry); ReversingLabs (1 entry); File read (1 entry); Process created (6 entries); Key value queried (1 entry); File opened (1 entry); Static PE information (1 entry); File opened (1 entry); Static PE information (1 entry); Binary string (1 entry); Code function (2 entries); Static PE information (2 entries); File created, dropped file (1 entry)
Boot Survival:
- Uses schtasks.exe or at.exe to add and modify task schedules: Process created (1 entry)
- Additional evidence (signature names not shown in this report): Process information set (73 entries)
Malware Analysis System Evasion:
- Yara detected AntiVM_3: File source (3 entries)
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function): Binary or memory string (2 entries)
- Additional evidence (signature names not shown in this report): File opened / queried (1 entry); Thread delayed (2 entries); Window / User API (4 entries); Thread sleep time (3 entries); Last function (1 entry); Binary or memory string (5 entries); Process information queried (1 entry); Process token adjusted (1 entry); Memory allocated (1 entry)
HIPS / PFW / Operating System Protection Evasion:
- Allocates memory in foreign processes: Memory allocated (1 entry)
- Injects a PE file into a foreign processes: Memory written (1 entry)
- Writes to foreign memory regions: Memory written (5 entries)
- Additional evidence (signature names not shown in this report): Process created (2 entries); Key value queried (1 entry); WMI Queries (3 entries)
Stealing of Sensitive Information:
- Yara detected Nanocore RAT: File source (2 entries)
Remote Access Functionality:
- Detected Nanocore Rat: String found in binary or memory (1 entry)
- Yara detected Nanocore RAT: File source (2 entries)
MITRE ATT&CK Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection311 | Masquerading1 | Input Capture1 | Security Software Discovery221 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection311 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol12 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing2 | Cached Domain Credentials | System Information Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Detection | Scanner | Label
---|---|---
25% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
100% | Joe Sandbox ML |
Dropped Files
Detection | Scanner | Label
---|---|---
100% | Joe Sandbox ML |
25% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Unpacked PE Files
No Antivirus matches
Domains
Detection | Scanner | Label
---|---|---
4% | Virustotal |
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
jackpiaau.ddns.net | 185.19.85.136 | true | true | | unknown
Contacted IPs
Public
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
185.19.85.136 | unknown | Switzerland | 48971 | DATAWIRE-ASCH | true
General Information
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 320997 |
Start date: | 20.11.2020 |
Start time: | 08:49:24 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | HMPEX_PO201120112.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@6/8@1/1 |
EGA Information: | Failed |
Simulations
Behavior and APIs
Time | Type | Description
---|---|---
08:50:16 | API Interceptor |
Joe Sandbox View / Context
IPs
Match | Associated Samples | Detection
---|---|---
185.19.85.136 | 3 | malicious
Domains
Match | Associated Samples | Detection
---|---|---
jackpiaau.ddns.net | 2 | malicious
ASN
Match | Associated Samples | Detection
---|---|---
DATAWIRE-ASCH | 20 | malicious
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
Process: | C:\Users\user\Desktop\HMPEX_PO201120112.exe |
Category: | modified |
Size (bytes): | 664 |
Entropy (8bit): | 5.288448637977022 |
Encrypted: | false |
SSDEEP: | 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9 |
MD5: | B1DB55991C3DA14E35249AEA1BC357CA |
SHA1: | 0DD2D91198FDEF296441B12F1A906669B279700C |
SHA-256: | 34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC |
SHA-512: | BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\HMPEX_PO201120112.exe |
Category: | dropped |
Size (bytes): | 1646 |
Entropy (8bit): | 5.189276839355399 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG4Btn:cbhK79lNQR/rydbz9I3YODOLNdq31T |
MD5: | 6A01901DB1A09D95B612B3756AE873EB |
SHA1: | 306D211BCABA87B4775D7AC3E50C8C785AEE2EDB |
SHA-256: | 5CD2734F46C28BCE65DC53CB22D0883F23092505CBB07D229C13F9ABA4C5C67C |
SHA-512: | 5A5767CC6B0BE33DE8EA0F74D6F65A8A458EF1556552571C73571D285165A0C218452D96A0A2790D95E585B1F908B44732422D12876F60AAA500C0731BF0225D |
Malicious: | true |
Reputation: | low |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Category: | dropped |
Size (bytes): | 232 |
Entropy (8bit): | 7.024371743172393 |
Encrypted: | false |
SSDEEP: | 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9 |
MD5: | 32D0AAE13696FF7F8AF33B2D22451028 |
SHA1: | EF80C4E0DB2AE8EF288027C9D3518E6950B583A4 |
SHA-256: | 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29 |
SHA-512: | 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Category: | dropped |
Size (bytes): | 8 |
Entropy (8bit): | 3.0 |
Encrypted: | false |
SSDEEP: | 3:Or:Or |
MD5: | F08B37A6FEC6A11BD207F4EC62242C08 |
SHA1: | C7D52DFE3E5C9CFD74FCBF0C7E78C36530F68F20 |
SHA-256: | 3DA33814894DB347B1E54379EAA7EAC8DD2AF8608BA4D08754910052D29D71CA |
SHA-512: | C9F5A50CB3C05365E3E10C9EC678864B3872031C5E4A5DDC7DEAD3F05902713FB90DD0699A7266F37D5CA348D013ACE433B61E1F035D2F4F08B5C552FB1F945D |
Malicious: | true |
Reputation: | low |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Category: | dropped |
Size (bytes): | 40 |
Entropy (8bit): | 5.153055907333276 |
Encrypted: | false |
SSDEEP: | 3:9bzY6oRDT6P2bfVn1:RzWDT621 |
MD5: | 4E5E92E2369688041CC82EF9650EDED2 |
SHA1: | 15E44F2F3194EE232B44E9684163B6F66472C862 |
SHA-256: | F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48 |
SHA-512: | 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Category: | dropped |
Size (bytes): | 426840 |
Entropy (8bit): | 7.999608491116724 |
Encrypted: | true |
SSDEEP: | 12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg |
MD5: | 963D5E2C9C0008DFF05518B47C367A7F |
SHA1: | C183D601FABBC9AC8FBFA0A0937DECC677535E74 |
SHA-256: | 5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0 |
SHA-512: | 0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\HMPEX_PO201120112.exe |
Category: | dropped |
Size (bytes): | 738304 |
Entropy (8bit): | 7.641995912781941 |
Encrypted: | false |
SSDEEP: | 12288:qCSdtqM2YwhOTidsW2yL6yftafMUN8TUpErRRbnxvbyDuHWwYW40KpLa6TfkT4T6:uOD8XW2yNafM1TUpu9nZbvX |
MD5: | 466374834392DDB16028E2E90A695E22 |
SHA1: | 7BBDF8489EFDE85FC286A9E1E74D1105FA92E09A |
SHA-256: | 413071284C887DC820673640FEF4D8C0F3EB4E23DB3EF3F3C4B10C4E76B531A8 |
SHA-512: | 7D36F338E1D976DA3B3B2FD169BDA797A60E0A4F132313C9083E46FC13DBA674D086FBB6FC49D0D31E4745928E71AC19B9EAE50DB86C0685FB462A025C0E83EB |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\HMPEX_PO201120112.exe |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Static File Info
General
Entropy (8bit): | 7.641995912781941 |
File name: | HMPEX_PO201120112.exe |
File size: | 738304 |
MD5: | 466374834392ddb16028e2e90a695e22 |
SHA1: | 7bbdf8489efde85fc286a9e1e74d1105fa92e09a |
SHA256: | 413071284c887dc820673640fef4d8c0f3eb4e23db3ef3f3c4b10c4e76b531a8 |
SHA512: | 7d36f338e1d976da3b3b2fd169bda797a60e0a4f132313c9083e46fc13dba674d086fbb6fc49d0d31e4745928e71ac19b9eae50db86c0685fb462a025c0e83eb |
SSDEEP: | 12288:qCSdtqM2YwhOTidsW2yL6yftafMUN8TUpErRRbnxvbyDuHWwYW40KpLa6TfkT4T6:uOD8XW2yNafM1TUpu9nZbvX |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..............3... ...@....@.. ....................................@................................ |
File Icon
Icon Hash: | d2928ca69a9a8eca |
Static PE Info
General
Entrypoint: | 0x4b33ae |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5FB6FAB3 [Thu Nov 19 23:07:31 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v2.0.50727 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview
Instruction
---
jmp dword ptr [00402000h]
add byte ptr [eax], al
(The bytes after the jmp are zero padding and disassemble as the same add instruction repeatedly. 0x00402000 is the IAT listed under Data Directories, whose single import is mscoree.dll!_CorExeMain: the standard entry stub of a .NET executable.)
Data Directories
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3360 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x2be8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xb13b4 | 0xb1400 | False | 0.805991878967 | data | 7.65544559702 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xb4000 | 0x2be8 | 0x2c00 | False | 0.4677734375 | data | 5.6739803528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xb8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xb4130 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4278255873, next used block 4278255873 | ||
RT_GROUP_ICON | 0xb66d8 | 0x14 | data | ||
RT_VERSION | 0xb66ec | 0x30c | data | ||
RT_MANIFEST | 0xb69f8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2014 |
Assembly Version | 1.0.0.0 |
InternalName | sACe.exe |
FileVersion | 1.0.0.0 |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | Blackjack |
ProductVersion | 1.0.0.0 |
FileDescription | Blackjack |
OriginalFilename | sACe.exe |
Network Behavior
Snort IDS Alerts
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
11/20/20-08:50:22.505556 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 1120 | 192.168.2.4 | 185.19.85.136 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 20, 2020 08:50:11.001831055 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.141361952 CET | 49726 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.141477108 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.507730961 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.508441925 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.508469105 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.508929968 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.508949041 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.509027004 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.509056091 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.509871006 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.509893894 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.510016918 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.510025978 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.510442972 CET | 443 | 49726 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.510584116 CET | 443 | 49726 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.510838032 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.510941029 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.511008024 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.511019945 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.511070967 CET | 443 | 49726 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.511089087 CET | 443 | 49726 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.511105061 CET | 443 | 49726 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.511121988 CET | 443 | 49726 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.511132956 CET | 49726 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.511171103 CET | 49726 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.511219025 CET | 49726 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.511811018 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.511831045 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.512715101 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.512738943 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.512790918 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.512804985 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.513200045 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.513660908 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.513792038 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.513886929 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.513895988 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.513922930 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.514647007 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.514671087 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.515113115 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.515598059 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.515665054 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.515736103 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.515746117 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.516122103 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.516141891 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.516217947 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.516488075 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.516508102 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.516519070 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.516551971 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.516567945 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.517241001 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.517349005 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.517369032 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.518062115 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.518229008 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.518249035 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.518320084 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.519023895 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.519052982 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.519119024 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.519179106 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.519833088 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.519855022 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.519943953 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.520629883 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.520651102 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.520742893 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.521475077 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.521502018 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.521564960 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.521619081 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.522284985 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.522305965 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.522388935 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.523123026 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.523144007 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.523225069 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.523957014 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.523977041 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.524049997 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.524787903 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.524811029 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.524883986 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.525593042 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.525613070 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.525706053 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.526433945 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.526456118 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.526529074 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.527266979 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.527290106 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.527375937 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.528116941 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.528136969 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
Nov 20, 2020 08:50:11.528224945 CET | 49719 | 443 | 192.168.2.4 | 92.122.145.220 |
Nov 20, 2020 08:50:11.528911114 CET | 443 | 49719 | 92.122.145.220 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 20, 2020 08:50:14.027911901 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:14.055264950 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:14.841887951 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:14.877671957 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:15.896670103 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:15.923748016 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:19.302386999 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:19.329267979 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:22.055627108 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:22.092417955 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:31.830106974 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:31.865914106 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:35.828738928 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:35.855731964 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:36.439858913 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:36.466962099 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:37.472125053 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:37.499294043 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:55.910186052 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:55.945593119 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:56.387243986 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:56.422710896 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:56.900177002 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:56.935645103 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:57.230073929 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:57.265727043 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:57.587590933 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:57.623008966 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:58.000662088 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:58.013211966 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:58.027832985 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:58.048953056 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:58.493382931 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:58.528815031 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:59.064446926 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:59.099709988 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:59.675956964 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:59.703383923 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:50:59.715678930 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:50:59.751122952 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:00.274235964 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:00.309642076 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:11.357513905 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:11.392838001 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:12.155478001 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:12.182476044 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:12.296574116 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:12.323632956 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:12.498621941 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:12.525890112 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:13.670691967 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:13.697659969 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:14.405373096 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:14.432368040 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:15.228859901 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:15.255908966 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:15.595971107 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:15.634232998 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:33.863043070 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:33.890135050 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:49.114958048 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:49.142155886 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Nov 20, 2020 08:51:51.060523033 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 20, 2020 08:51:51.087660074 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 20, 2020 08:50:22.055627108 CET | 192.168.2.4 | 8.8.8.8 | 0xc9e8 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 20, 2020 08:50:22.092417955 CET | 8.8.8.8 | 192.168.2.4 | 0xc9e8 | No error (0) | 185.19.85.136 | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 08:50:16 |
Start date: | 20/11/2020 |
Path: | C:\Users\user\Desktop\HMPEX_PO201120112.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x470000 |
File size: | 738304 bytes |
MD5 hash: | 466374834392DDB16028E2E90A695E22 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 08:50:18 |
Start date: | 20/11/2020 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd00000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:50:19 |
Start date: | 20/11/2020 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff724c50000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:50:19 |
Start date: | 20/11/2020 |
Path: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xaf0000 |
File size: | 69632 bytes |
MD5 hash: | 88BBB7610152B48C2B3879473B17857E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|