Analysis Report swift copy.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: Agenttesla |
---|
{"Username: ": "1n6oW8N", "URL: ": "http://KGcFUsjPPNQUPKk.net", "To: ": "", "ByHost: ": "mail.cglgumrukleme.com:587", "Password: ": "7QggoKZ0", "From: ": ""}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
(5 of 7 entries shown) |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
May check the online IP address of the machine |
Source: | DNS query: | (6 entries) |
Source: | TCP traffic: |
Source: | IP Address: | (2 entries) |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | TCP traffic: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | (19 entries) |
Source: | Network traffic detected: | (2 entries) |
Spam, unwanted Advertisements and Ransom Demands: |
---|
Modifies the hosts file |
Source: | File written: |
Source: | Code function: | (2 entries) |
Source: | Code function: | (22 entries) |
Source: | Dropped File: |
Source: | Code function: |
Source: | Binary or memory string: | (4 entries) |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: | (2 entries) |
Source: | Static PE information: |
Source: | Section loaded: | (4 entries) |
Source: | WMI Queries: | (2 entries) |
Source: | Key opened: |
Source: | File read: | (5 entries) |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Process created: | (7 entries) |
Source: | Key value queried: |
Source: | File opened: |
Source: | Key opened: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | (2 entries) |
Source: | Code function: | (3 entries) |
Source: | Static PE information: |
Source: | File created: |
Source: | Registry value created or modified: | (2 entries) |
Hooking and other Techniques for Hiding and Protection: |
---|
Hides that the sample has been downloaded from the Internet (zone.identifier) |
Source: | File opened: |
Source: | Process information set: | (121 entries) |
Malware Analysis System Evasion: |
---|
Yara detected AntiVM_3 |
Source: | File source: | (3 entries) |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: | WMI Queries: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: | (2 entries) |
Source: | Thread delayed: | (4 entries) |
Source: | Window / User API: | (2 entries) |
Source: | Thread sleep time: | (4 entries) |
Source: | WMI Queries: | (2 entries) |
Source: | Binary or memory string: | (9 entries) |
Source: | Process information queried: |
Source: | Code function: |
Source: | Process token adjusted: | (2 entries) |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Injects a PE file into a foreign process |
Source: | Memory written: |
Modifies the hosts file |
Source: | File written: |
Writes to foreign memory regions |
Source: | Memory written: | (5 entries) |
Source: | Process created: |
Source: | Binary or memory string: | (4 entries) |
Source: | Queries volume information: | (23 entries) |
Source: | Code function: |
Source: | Key value queried: |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
Modifies the hosts file |
Source: | File written: |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla |
Source: | File source: | (8 entries) |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) |
Source: | Key opened: |
Tries to harvest and steal browser information (history, passwords, etc) |
Source: | File opened: | (2 entries) |
Tries to harvest and steal ftp login credentials |
Source: | File opened: | (2 entries) |
Tries to steal Mail credentials (via file access) |
Source: | File opened: | (2 entries) |
Source: | Key opened: | (2 entries) |
Source: | File source: | (2 entries) |
Remote Access Functionality: |
---|
Yara detected AgentTesla |
Source: | File source: | (8 entries) |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Registry Run Keys / Startup Folder1 | Process Injection212 | File and Directory Permissions Modification1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder1 | Disable or Modify Tools1 | Credentials in Registry1 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Security Software Discovery211 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Virtualization/Sandbox Evasion13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion13 | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection212 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Configuration Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 31% | Virustotal | |
| 56% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot |
| 100% | Joe Sandbox ML | |
Dropped Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | Metadefender | |
| 0% | ReversingLabs | |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 |
Domains |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | Virustotal | |
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | Avira URL Cloud | safe (5 entries) |
| 0% | URL Reputation | safe (17 entries) |
| 0% | Virustotal | (1 entry) |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
elb097307-934924932.us-east-1.elb.amazonaws.com | 23.21.42.25 | true | false | | high |
cglgumrukleme.com | 78.142.210.93 | true | true | | unknown |
mail.cglgumrukleme.com | unknown | unknown | true | | unknown |
api.ipify.org | unknown | unknown | false | | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | low |
| | false | | high |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
23.21.42.25 | unknown | United States | 14618 | AMAZON-AESUS | false |
78.142.210.93 | unknown | Turkey | 209853 | VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 323804 |
Start date: | 27.11.2020 |
Start time: | 15:20:21 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | swift copy.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.adwa.spyw.evad.winEXE@7/6@4/2 |
EGA Information: | Failed |
HDC Information: |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
15:21:22 | API Interceptor | |
15:21:36 | API Interceptor | |
15:21:47 | Autostart | |
15:21:55 | Autostart |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Related Samples | Detection |
---|---|---|
23.21.42.25 | 6 | malicious |
Domains |
---|
Match | Related Samples | Detection |
---|---|---|
elb097307-934924932.us-east-1.elb.amazonaws.com | 20 | malicious |
ASN |
---|
Match | Related Samples | Detection |
---|---|---|
AMAZON-AESUS | 20 | malicious |
VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi | 16 | malicious |
JA3 Fingerprints |
---|
Match | Related Samples | Detection |
---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | 20 | malicious |
Dropped Files |
---|
Match | Related Samples | Detection |
---|---|---|
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 20 | malicious |
Created / dropped Files |
---|
Process: | C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe |
File Type: | |
Category: | modified |
Size (bytes): | 142 |
Entropy (8bit): | 5.090621108356562 |
Encrypted: | false |
SSDEEP: | 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw |
MD5: | 8C0458BB9EA02D50565175E38D577E35 |
SHA1: | F0B50702CD6470F3C17D637908F83212FDBDB2F2 |
SHA-256: | C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53 |
SHA-512: | 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\swift copy.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1314 |
Entropy (8bit): | 5.350128552078965 |
Encrypted: | false |
SSDEEP: | 24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR |
MD5: | 8198C64CE0786EABD4C792E7E6FC30E5 |
SHA1: | 71E1676126F4616B18C751A0A775B2D64944A15A |
SHA-256: | C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4 |
SHA-512: | EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 45152 |
Entropy (8bit): | 6.149629800481177 |
Encrypted: | false |
SSDEEP: | 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC |
MD5: | 2867A3817C9245F7CF518524DFD18F28 |
SHA1: | D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC |
SHA-256: | 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50 |
SHA-512: | 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42 |
Malicious: | true |
Antivirus: |
Joe Sandbox View: |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File Type: | |
Category: | modified |
Size (bytes): | 11 |
Entropy (8bit): | 2.663532754804255 |
Encrypted: | false |
SSDEEP: | 3:iLE:iLE |
MD5: | B24D295C1F84ECBFB566103374FB91C5 |
SHA1: | 6A750D3F8B45C240637332071D34B403FA1FF55A |
SHA-256: | 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4 |
SHA-512: | 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1141 |
Entropy (8bit): | 4.44831826838854 |
Encrypted: | false |
SSDEEP: | 24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC |
MD5: | 1AEB3A784552CFD2AEDEDC1D43A97A4F |
SHA1: | 804286AB9F8B3DE053222826A69A7CDA3492411A |
SHA-256: | 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293 |
SHA-512: | 5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415 |
Malicious: | false |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.279280036808082 |
TrID: |
File name: | swift copy.exe |
File size: | 948224 |
MD5: | d1173f90f82de7d1730939bd45027f6e |
SHA1: | 02dab2d2e93317cf1eee0eba45d8ef6bc3641f74 |
SHA256: | 43d68057ba4990638dbfe0cf81f0fc6078d431e5574624d1a0ecd7abc413f90f |
SHA512: | ea9ea2cc84d9f176b2195921ac700095c5a8fa55c4b181252fe35a3bde1b1e6aebcd064f6cfd9c464c70f64ba4a8a482b6832de379abf37a9ffedc730fd71adb |
SSDEEP: | 24576:GXXQPd4DnRiXiCAXfp1JnmYedj5LvEI3bvQm:GwPenRCiXXfUxiI |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..l..........~.... ........@.. ....................................@................................ |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4e8b7e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5FBF05A0 [Thu Nov 26 01:32:16 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe8b30 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xea000 | 0x610 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xec000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xe6b84 | 0xe6c00 | False | 0.685777525731 | data | 7.2849303293 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xea000 | 0x610 | 0x800 | False | 0.33251953125 | data | 3.44617295119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xec000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0xea0a0 | 0x380 | data | ||
RT_MANIFEST | 0xea420 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright Hewlett-Packard 2017 |
Assembly Version | 1.0.0.0 |
InternalName | u0LV.exe |
FileVersion | 1.0.0.0 |
CompanyName | Hewlett-Packard |
LegalTrademarks | |
Comments | |
ProductName | Arizona Lottery Numbers |
ProductVersion | 1.0.0.0 |
FileDescription | Arizona Lottery Numbers |
OriginalFilename | u0LV.exe |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
11/27/20-15:23:24.958792 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 27, 2020 15:22:57.029541969 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.131767035 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.131903887 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.200814009 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.303051949 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.303113937 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.303132057 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.303155899 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.303210020 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.303220987 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.304078102 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.304320097 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.345762014 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.349543095 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.452027082 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:22:57.511297941 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.756239891 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:22:57.901874065 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:23:05.745234013 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:23:05.848155022 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:23:05.848197937 CET | 443 | 49717 | 23.21.42.25 | 192.168.2.6 |
Nov 27, 2020 15:23:05.848253012 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:23:05.848321915 CET | 49717 | 443 | 192.168.2.6 | 23.21.42.25 |
Nov 27, 2020 15:23:14.068008900 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:14.161113977 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:14.161282063 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.354101896 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.354325056 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.447261095 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.448476076 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.542258024 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.542555094 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.658055067 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.658705950 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.751693010 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.752012968 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.864866972 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.865117073 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.957688093 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.957963943 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:24.958791971 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.959012985 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.959558010 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:24.959641933 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
Nov 27, 2020 15:23:25.051637888 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:25.052388906 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:25.095014095 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 |
Nov 27, 2020 15:23:25.146408081 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 27, 2020 15:21:10.733506918 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:21:10.769074917 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:21:11.697088003 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:21:11.724452019 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:21:12.551386118 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:21:12.579778910 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:21:13.526365042 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:21:13.553769112 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:21:14.641419888 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:21:14.668838024 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:21:15.648099899 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:21:15.675266027 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:21:16.459136963 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:21:16.486483097 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:22:00.580624104 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:22:00.607983112 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:22:00.697251081 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:22:00.724375010 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:22:43.312519073 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:22:43.360272884 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:22:56.612416983 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:22:56.639441967 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:22:56.885485888 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:22:56.912430048 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:23:13.519532919 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:23:13.632555008 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
Nov 27, 2020 15:23:13.951560020 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 27, 2020 15:23:14.066370010 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 27, 2020 15:22:56.612416983 CET | 192.168.2.6 | 8.8.8.8 | 0x3f9a | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 27, 2020 15:22:56.885485888 CET | 192.168.2.6 | 8.8.8.8 | 0x78ed | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 27, 2020 15:23:13.519532919 CET | 192.168.2.6 | 8.8.8.8 | 0x2108 | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 27, 2020 15:23:13.951560020 CET | 192.168.2.6 | 8.8.8.8 | 0x529b | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | nagano-19599.herokussl.com | CNAME (Canonical name) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | CNAME (Canonical name) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 23.21.42.25 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 23.21.126.66 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 54.235.142.93 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 54.225.66.103 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 54.225.220.115 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 174.129.214.20 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 23.21.252.4 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.639441967 CET | 8.8.8.8 | 192.168.2.6 | 0x3f9a | No error (0) | 50.19.252.36 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | nagano-19599.herokussl.com | CNAME (Canonical name) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | CNAME (Canonical name) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 54.243.164.148 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 23.21.126.66 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 174.129.214.20 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 54.225.220.115 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 54.225.169.28 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 54.243.161.145 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 54.225.66.103 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:22:56.912430048 CET | 8.8.8.8 | 192.168.2.6 | 0x78ed | No error (0) | 54.204.14.42 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:23:13.632555008 CET | 8.8.8.8 | 192.168.2.6 | 0x2108 | No error (0) | cglgumrukleme.com | CNAME (Canonical name) | IN (0x0001) | ||
Nov 27, 2020 15:23:13.632555008 CET | 8.8.8.8 | 192.168.2.6 | 0x2108 | No error (0) | 78.142.210.93 | A (IP address) | IN (0x0001) | ||
Nov 27, 2020 15:23:14.066370010 CET | 8.8.8.8 | 192.168.2.6 | 0x529b | No error (0) | cglgumrukleme.com | CNAME (Canonical name) | IN (0x0001) | ||
Nov 27, 2020 15:23:14.066370010 CET | 8.8.8.8 | 192.168.2.6 | 0x529b | No error (0) | 78.142.210.93 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Nov 27, 2020 15:22:57.304320097 CET | 23.21.42.25 | 443 | 192.168.2.6 | 49717 | CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Jan 24 01:00:00 CET 2018 | Sun Jan 24 00:59:59 CET 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e |
| | | | | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Feb 12 01:00:00 CET 2014 | Mon Feb 12 00:59:59 CET 2029 | | |
| | | | | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Jan 19 01:00:00 CET 2010 | Tue Jan 19 00:59:59 CET 2038 | | |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Nov 27, 2020 15:23:24.354101896 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 220-rona.veridyen.com ESMTP Exim 4.93 #2 Fri, 27 Nov 2020 17:23:24 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Nov 27, 2020 15:23:24.354325056 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 | EHLO 841618 |
Nov 27, 2020 15:23:24.447261095 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 250-rona.veridyen.com Hello 841618 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Nov 27, 2020 15:23:24.448476076 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 | AUTH login b3prYW5nZW5jQGNnbGd1bXJ1a2xlbWUuY29t |
Nov 27, 2020 15:23:24.542258024 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 334 UGFzc3dvcmQ6 |
Nov 27, 2020 15:23:24.658055067 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 235 Authentication succeeded |
Nov 27, 2020 15:23:24.658705950 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 | MAIL FROM:<ozkangenc@cglgumrukleme.com> |
Nov 27, 2020 15:23:24.751693010 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 250 OK |
Nov 27, 2020 15:23:24.752012968 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 | RCPT TO:<ozkangenc@cglgumrukleme.com> |
Nov 27, 2020 15:23:24.864866972 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 250 Accepted |
Nov 27, 2020 15:23:24.865117073 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 | DATA |
Nov 27, 2020 15:23:24.957963943 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself |
Nov 27, 2020 15:23:24.959641933 CET | 49718 | 587 | 192.168.2.6 | 78.142.210.93 | . |
Nov 27, 2020 15:23:25.095014095 CET | 587 | 49718 | 78.142.210.93 | 192.168.2.6 | 250 OK id=1kieei-0001HA-To |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 15:21:15 |
Start date: | 27/11/2020 |
Path: | C:\Users\user\Desktop\swift copy.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x870000 |
File size: | 948224 bytes |
MD5 hash: | D1173F90F82DE7D1730939BD45027F6E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 15:21:23 |
Start date: | 27/11/2020 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x960000 |
File size: | 45152 bytes |
MD5 hash: | 2867A3817C9245F7CF518524DFD18F28 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 15:21:55 |
Start date: | 27/11/2020 |
Path: | C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xdf0000 |
File size: | 45152 bytes |
MD5 hash: | 2867A3817C9245F7CF518524DFD18F28 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Antivirus matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 15:21:56 |
Start date: | 27/11/2020 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:04 |
Start date: | 27/11/2020 |
Path: | C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5f0000 |
File size: | 45152 bytes |
MD5 hash: | 2867A3817C9245F7CF518524DFD18F28 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | moderate |
General |
---|
Start time: | 15:22:04 |
Start date: | 27/11/2020 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|