Play interactive tour
Edit tourAnalysis Report mcsrXx9lfD.exe
Overview
General Information
| Sample Name: | mcsrXx9lfD.exe |
| Analysis ID: | 321297 |
| MD5: | 3d549885e44863c57f59eab47f2271cc |
| SHA1: | 76c51be921ef41ff2596f3f882b91c8ede3713c7 |
| SHA256: | 1d9c8ee9be6e0ee20b600c71989292aa2efd0849611389e3121bae364d9d6adf |
| Tags: | AgentTeslaexe |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Username: ": "In9AcPpFuU", "URL: ": "http://Gwd19zMdFbudWhUhS.net", "To: ": "sales1@tzdieep.net", "ByHost: ": "smtp.tzdieep.net:587", "Password: ": "Ttlj1OTOO1N4A", "From: ": "sales1@tzdieep.net"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 11 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 4 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| May check the online IP address of the machine | Show sources | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Window created: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Classification label: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | ||
| Source: | Section loaded: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | File opened: | ||
| Source: | Key opened: | ||
Data Obfuscation: | |
|---|
| Detected unpacking (changes PE section rights) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Detected unpacking (overwrites its own PE header) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Registry key monitored for changes: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
Malware Analysis System Evasion: | |
|---|
| Contains functionality to detect sleep reduction / modifications | Show sources | ||
| Source: | Code function: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | ||
| Source: | Thread delayed: | ||
| Source: | Window / User API: | ||
| Source: | Code function: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | ||
| Source: | Process queried: | ||
| Source: | Process queried: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Process token adjusted: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Memory protected: | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Maps a DLL or memory area into another process | Show sources | ||
| Source: | Section loaded: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Key value queried: | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | OS Credential Dumping2 | System Time Discovery11 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Native API1 | Application Shimming1 | Application Shimming1 | Deobfuscate/Decode Files or Information1 | Input Capture21 | File and Directory Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection112 | Obfuscated Files or Information2 | Credentials in Registry1 | System Information Discovery128 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing21 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture21 | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Security Software Discovery251 | SSH | Clipboard Data3 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion14 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | Application Window Discovery11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 61% | Virustotal | Browse | ||
| 79% | ReversingLabs | Win32.Trojan.LokiBot | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1138205 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | HEUR/AGEN.1131223 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138205 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138205 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| elb097307-934924932.us-east-1.elb.amazonaws.com | 54.235.83.248 | true | false | high | |
| us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | high | |
| smtp.tzdieep.net | unknown | unknown | true | unknown | |
| api.ipify.org | unknown | unknown | false | high |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| low | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 54.235.83.248 | unknown | United States | 14618 | AMAZON-AESUS | false | |
| 208.91.199.225 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Red Diamond |
| Analysis ID: | 321297 |
| Start date: | 20.11.2020 |
| Start time: | 20:03:26 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 18s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Sample file name: | mcsrXx9lfD.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 14 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/1@4/2 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 20:04:42 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 54.235.83.248 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| 208.91.199.225 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| elb097307-934924932.us-east-1.elb.amazonaws.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| AMAZON-AESUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\mcsrXx9lfD.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.7006690334145785 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ |
| MD5: | A7FE10DA330AD03BF22DC9AC76BBB3E4 |
| SHA1: | 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803 |
| SHA-256: | 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8 |
| SHA-512: | 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.87101358003814 |
| TrID: |
|
| File name: | mcsrXx9lfD.exe |
| File size: | 945664 |
| MD5: | 3d549885e44863c57f59eab47f2271cc |
| SHA1: | 76c51be921ef41ff2596f3f882b91c8ede3713c7 |
| SHA256: | 1d9c8ee9be6e0ee20b600c71989292aa2efd0849611389e3121bae364d9d6adf |
| SHA512: | 60d415743a8212cfc649ed20670d2ee4dff060cbf93475a7bc5f8d273bbbed5e472fb9d5ea055fa126d6986b250ca3203894b0454e6162fbd14e2dceeca40fc9 |
| SSDEEP: | 24576:j6j4rvrKwang6WCxVA0d6yxE6iw2lKK0D/YNN:92wa5xB62ElJubYNN |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
File Icon |
|---|
 | |
| Icon Hash: | 6861f0969ee86882 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4707f8 |
| Entrypoint Section: | CODE |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI |
| DLL Characteristics: | |
| Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f19034443dbba8ae65cae64d05fef57a |
Entrypoint Preview |
|---|
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFF0h |
| mov eax, 00470608h |
| call 00007F1990EA8A01h |
| mov eax, dword ptr [0048E6ECh] |
| mov eax, dword ptr [eax] |
| call 00007F1990EFAE65h |
| mov ecx, dword ptr [0048E7D8h] |
| mov eax, dword ptr [0048E6ECh] |
| mov eax, dword ptr [eax] |
| mov edx, dword ptr [004700F4h] |
| call 00007F1990EFAE65h |
| mov eax, dword ptr [0048E6ECh] |
| mov eax, dword ptr [eax] |
| call 00007F1990EFAED9h |
| call 00007F1990EA64F8h |
| lea eax, dword ptr [eax+00h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x90000 | 0x247a | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9d000 | 0x4f5f4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x95000 | 0x77c8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x94000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| CODE | 0x1000 | 0x6f840 | 0x6fa00 | False | 0.523629969205 | data | 6.51435589822 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| DATA | 0x71000 | 0x1d868 | 0x1da00 | False | 0.161260548523 | data | 2.59870276116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| BSS | 0x8f000 | 0xcc1 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .idata | 0x90000 | 0x247a | 0x2600 | False | 0.349403782895 | data | 4.92563231128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .tls | 0x93000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rdata | 0x94000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.206920017787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .reloc | 0x95000 | 0x77c8 | 0x7800 | False | 0.582259114583 | data | 6.64226915187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .rsrc | 0x9d000 | 0x4f5f4 | 0x4f600 | False | 0.908793676181 | data | 7.56970916741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_CURSOR | 0x9db0c | 0x134 | data | ||
| RT_CURSOR | 0x9dc40 | 0x134 | data | ||
| RT_CURSOR | 0x9dd74 | 0x134 | data | ||
| RT_CURSOR | 0x9dea8 | 0x134 | data | ||
| RT_CURSOR | 0x9dfdc | 0x134 | data | ||
| RT_CURSOR | 0x9e110 | 0x134 | data | ||
| RT_CURSOR | 0x9e244 | 0x134 | data | ||
| RT_BITMAP | 0x9e378 | 0x1d0 | data | ||
| RT_BITMAP | 0x9e548 | 0x1e4 | data | ||
| RT_BITMAP | 0x9e72c | 0x1d0 | data | ||
| RT_BITMAP | 0x9e8fc | 0x1d0 | data | ||
| RT_BITMAP | 0x9eacc | 0x1d0 | data | ||
| RT_BITMAP | 0x9ec9c | 0x1d0 | data | ||
| RT_BITMAP | 0x9ee6c | 0x1d0 | data | ||
| RT_BITMAP | 0x9f03c | 0x1d0 | data | ||
| RT_BITMAP | 0x9f20c | 0x49d04 | data | English | United States |
| RT_BITMAP | 0xe8f10 | 0x1d0 | data | ||
| RT_BITMAP | 0xe90e0 | 0xd8 | data | ||
| RT_BITMAP | 0xe91b8 | 0xd8 | data | ||
| RT_BITMAP | 0xe9290 | 0xd8 | data | ||
| RT_BITMAP | 0xe9368 | 0xd8 | data | ||
| RT_BITMAP | 0xe9440 | 0xd8 | data | ||
| RT_ICON | 0xe9518 | 0x1e8 | data | English | United States |
| RT_STRING | 0xe9700 | 0x1c4 | data | ||
| RT_STRING | 0xe98c4 | 0x210 | data | ||
| RT_STRING | 0xe9ad4 | 0xec | data | ||
| RT_STRING | 0xe9bc0 | 0x24c | data | ||
| RT_STRING | 0xe9e0c | 0x140 | data | ||
| RT_STRING | 0xe9f4c | 0x4c0 | data | ||
| RT_STRING | 0xea40c | 0x378 | data | ||
| RT_STRING | 0xea784 | 0x378 | data | ||
| RT_STRING | 0xeaafc | 0x418 | data | ||
| RT_STRING | 0xeaf14 | 0xf4 | data | ||
| RT_STRING | 0xeb008 | 0xc4 | data | ||
| RT_STRING | 0xeb0cc | 0x2e0 | data | ||
| RT_STRING | 0xeb3ac | 0x35c | data | ||
| RT_STRING | 0xeb708 | 0x2b4 | data | ||
| RT_RCDATA | 0xeb9bc | 0x10 | data | ||
| RT_RCDATA | 0xeb9cc | 0x290 | data | ||
| RT_RCDATA | 0xebc5c | 0x85d | Delphi compiled form 'TForm1' | ||
| RT_GROUP_CURSOR | 0xec4bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0xec4d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0xec4e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0xec4f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0xec50c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0xec520 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0xec534 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_ICON | 0xec548 | 0x14 | data | English | United States |
| RT_HTML | 0xec55c | 0x98 | data | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle |
| user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
| gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt |
| opengl32.dll | wglDeleteContext |
| user32.dll | WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout |
| kernel32.dll | Sleep |
| oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
| comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
| kernel32.dll | MulDiv |
| kernel32.dll | AddVectoredExceptionHandler |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 11/20/20-20:06:14.054607 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| 11/20/20-20:06:19.529008 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 20, 2020 20:06:02.867763042 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:02.970710039 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:02.970840931 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:03.048233032 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:03.151184082 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.151365995 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.151412010 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.151449919 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.151488066 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.151523113 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:03.151604891 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:03.152462959 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.193653107 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:03.296808958 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.337061882 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:03.527725935 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:03.650266886 CET | 443 | 49765 | 54.235.83.248 | 192.168.2.4 |
| Nov 20, 2020 20:06:03.696402073 CET | 49765 | 443 | 192.168.2.4 | 54.235.83.248 |
| Nov 20, 2020 20:06:12.046245098 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:12.195732117 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:12.195873022 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:12.812896967 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:12.813532114 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:12.963042974 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:12.963083982 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:12.965086937 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:13.117259979 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:13.118549109 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:13.272712946 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:13.273732901 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:13.426875114 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:13.427592993 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:13.587024927 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:13.587740898 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:13.900435925 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:13.970786095 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:13.970876932 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:14.052644968 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:14.054606915 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:14.054723978 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:14.054792881 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:14.054862022 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:14.206177950 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:14.206207037 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:14.304539919 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:14.353532076 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:15.132817984 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:15.285135031 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:15.285177946 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:15.285315037 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:15.285629988 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:15.287194967 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:15.437752962 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:18.291451931 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:18.443504095 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:18.443722963 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:18.597949028 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:18.598503113 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:18.750886917 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:18.750929117 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:18.751543045 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:18.905124903 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:18.905966997 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.059966087 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.060359955 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.213042021 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.213613987 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.372828960 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.373275995 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.526504993 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.528677940 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.529007912 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.529237986 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.529467106 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.529825926 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.530020952 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.530205011 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.530380964 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
| Nov 20, 2020 20:06:19.682955027 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.683171988 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.683890104 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.683937073 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.723391056 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.782569885 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 |
| Nov 20, 2020 20:06:19.822771072 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 20, 2020 20:04:25.524873972 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:25.551821947 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:26.320063114 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:26.346997976 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:27.294008017 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:27.321191072 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:28.159040928 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:28.194726944 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:29.805763960 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:29.832993984 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:30.656399012 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:30.683475018 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:31.821947098 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:31.848968029 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:33.008469105 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:33.035512924 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:33.855465889 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:33.885452986 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:34.672504902 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:34.699506998 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:35.485847950 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:36.471452951 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:37.468499899 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:37.468878031 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:38.335410118 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:38.371105909 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:39.222748995 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:39.249989986 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:48.703561068 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:48.730670929 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:56.614922047 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:56.650635958 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:57.426611900 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:57.462377071 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:04:58.906955004 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:04:58.934135914 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:05.601068020 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:05.638362885 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:06.045974970 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:06.188076019 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:06.658164024 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:06.694003105 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:07.053534031 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:07.091173887 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:07.443414927 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:07.479268074 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:07.865032911 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:07.885739088 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:07.900911093 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:07.912983894 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:08.316250086 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:08.351902962 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:08.967999935 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:09.004004955 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:09.666666985 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:09.693757057 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:10.107448101 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:10.145284891 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:24.209593058 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:24.236658096 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:24.264631033 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:24.300369024 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:27.762192965 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:27.799884081 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:05:59.897576094 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:05:59.926115036 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:06:01.692032099 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:06:01.719229937 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:06:02.679915905 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:06:02.715765953 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:06:02.738959074 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:06:02.766254902 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:06:11.700295925 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:06:11.864727974 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
| Nov 20, 2020 20:06:11.878782034 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 20, 2020 20:06:12.043437004 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Nov 20, 2020 20:06:02.679915905 CET | 192.168.2.4 | 8.8.8.8 | 0x390f | Standard query (0) | A (IP address) | IN (0x0001) | |
| Nov 20, 2020 20:06:02.738959074 CET | 192.168.2.4 | 8.8.8.8 | 0xd2a2 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Nov 20, 2020 20:06:11.700295925 CET | 192.168.2.4 | 8.8.8.8 | 0x6c4 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Nov 20, 2020 20:06:11.878782034 CET | 192.168.2.4 | 8.8.8.8 | 0xa6f5 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | nagano-19599.herokussl.com | CNAME (Canonical name) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | CNAME (Canonical name) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 54.235.83.248 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 174.129.214.20 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 54.235.182.194 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 50.19.252.36 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 54.225.66.103 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 54.235.142.93 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 54.243.164.148 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.715765953 CET | 8.8.8.8 | 192.168.2.4 | 0x390f | No error (0) | 23.21.126.66 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | nagano-19599.herokussl.com | CNAME (Canonical name) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | CNAME (Canonical name) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 54.235.83.248 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 174.129.214.20 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 54.235.182.194 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 50.19.252.36 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 54.225.66.103 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 54.235.142.93 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 54.243.164.148 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:02.766254902 CET | 8.8.8.8 | 192.168.2.4 | 0xd2a2 | No error (0) | 23.21.126.66 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:11.864727974 CET | 8.8.8.8 | 192.168.2.4 | 0x6c4 | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| Nov 20, 2020 20:06:11.864727974 CET | 8.8.8.8 | 192.168.2.4 | 0x6c4 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:11.864727974 CET | 8.8.8.8 | 192.168.2.4 | 0x6c4 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:11.864727974 CET | 8.8.8.8 | 192.168.2.4 | 0x6c4 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:11.864727974 CET | 8.8.8.8 | 192.168.2.4 | 0x6c4 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:12.043437004 CET | 8.8.8.8 | 192.168.2.4 | 0xa6f5 | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
| Nov 20, 2020 20:06:12.043437004 CET | 8.8.8.8 | 192.168.2.4 | 0xa6f5 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:12.043437004 CET | 8.8.8.8 | 192.168.2.4 | 0xa6f5 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:12.043437004 CET | 8.8.8.8 | 192.168.2.4 | 0xa6f5 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| Nov 20, 2020 20:06:12.043437004 CET | 8.8.8.8 | 192.168.2.4 | 0xa6f5 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) |
HTTPS Packets |
|---|
| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 20, 2020 20:06:03.152462959 CET | 54.235.83.248 | 443 | 192.168.2.4 | 49765 | CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Jan 24 01:00:00 CET 2018 Wed Feb 12 01:00:00 CET 2014 Tue Jan 19 01:00:00 CET 2010 | Sun Jan 24 00:59:59 CET 2021 Mon Feb 12 00:59:59 CET 2029 Tue Jan 19 00:59:59 CET 2038 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e |
| CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Feb 12 01:00:00 CET 2014 | Mon Feb 12 00:59:59 CET 2029 | |||||||
| CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Jan 19 01:00:00 CET 2010 | Tue Jan 19 00:59:59 CET 2038 |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Nov 20, 2020 20:06:12.812896967 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| Nov 20, 2020 20:06:12.813532114 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | EHLO 928100 |
| Nov 20, 2020 20:06:12.963083982 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| Nov 20, 2020 20:06:12.965086937 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | AUTH login c2FsZXMxQHR6ZGllZXAubmV0 |
| Nov 20, 2020 20:06:13.117259979 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| Nov 20, 2020 20:06:13.272712946 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| Nov 20, 2020 20:06:13.273732901 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | MAIL FROM:<sales1@tzdieep.net> |
| Nov 20, 2020 20:06:13.426875114 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 250 2.1.0 Ok |
| Nov 20, 2020 20:06:13.427592993 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | RCPT TO:<sales1@tzdieep.net> |
| Nov 20, 2020 20:06:13.587024927 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 250 2.1.5 Ok |
| Nov 20, 2020 20:06:13.587740898 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | DATA |
| Nov 20, 2020 20:06:13.900435925 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | DATA |
| Nov 20, 2020 20:06:13.970786095 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 250 2.1.5 Ok |
| Nov 20, 2020 20:06:14.052644968 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| Nov 20, 2020 20:06:14.054862022 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | . |
| Nov 20, 2020 20:06:14.304539919 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 250 2.0.0 Ok: queued as 7CC42D5F69 |
| Nov 20, 2020 20:06:15.132817984 CET | 49766 | 587 | 192.168.2.4 | 208.91.199.225 | QUIT |
| Nov 20, 2020 20:06:15.285135031 CET | 587 | 49766 | 208.91.199.225 | 192.168.2.4 | 221 2.0.0 Bye |
| Nov 20, 2020 20:06:18.597949028 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| Nov 20, 2020 20:06:18.598503113 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 | EHLO 928100 |
| Nov 20, 2020 20:06:18.750929117 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| Nov 20, 2020 20:06:18.751543045 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 | AUTH login c2FsZXMxQHR6ZGllZXAubmV0 |
| Nov 20, 2020 20:06:18.905124903 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| Nov 20, 2020 20:06:19.059966087 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| Nov 20, 2020 20:06:19.060359955 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 | MAIL FROM:<sales1@tzdieep.net> |
| Nov 20, 2020 20:06:19.213042021 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 250 2.1.0 Ok |
| Nov 20, 2020 20:06:19.213613987 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 | RCPT TO:<sales1@tzdieep.net> |
| Nov 20, 2020 20:06:19.372828960 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 250 2.1.5 Ok |
| Nov 20, 2020 20:06:19.373275995 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 | DATA |
| Nov 20, 2020 20:06:19.526504993 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| Nov 20, 2020 20:06:19.530380964 CET | 49767 | 587 | 192.168.2.4 | 208.91.199.225 | . |
| Nov 20, 2020 20:06:19.782569885 CET | 587 | 49767 | 208.91.199.225 | 192.168.2.4 | 250 2.0.0 Ok: queued as 484E9D6132 |
Code Manipulations |
|---|
Statistics |
|---|
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 20:04:29 |
| Start date: | 20/11/2020 |
| Path: | C:\Users\user\Desktop\mcsrXx9lfD.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 945664 bytes |
| MD5 hash: | 3D549885E44863C57F59EAB47F2271CC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 20:04:30 |
| Start date: | 20/11/2020 |
| Path: | C:\Users\user\Desktop\mcsrXx9lfD.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 945664 bytes |
| MD5 hash: | 3D549885E44863C57F59EAB47F2271CC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|