Analysis Report New Order Inquiry.PDF.exe
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Classification
Startup
Malware Configuration
Threatname: Agenttesla
{"Username: ": "thMm2wh2OXe", "URL: ": "https://8vhVWmhsLg6p.com", "To: ": "billyfunds@divasvalves.com", "ByHost: ": "smtp.divasvalves.com:587", "Password: ": "dz2o9HgMmb", "From: ": "billyfunds@divasvalves.com"}
Yara Overview
Memory Dumps
Rule | Description | Author |
---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Unpacked PEs
Rule | Description | Author |
---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview
System Summary
Sigma detected: Suspicious Double Extension
Author: Florian Roth (rule), @blu3_team (idea)
Signature Overview
AV Detection
Found malware configuration
Source: Malware Configuration Extractor
Machine Learning detection for sample
Source: Joe Sandbox ML
Source: Avira
Networking
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Snort IDS (2 entries)
Source: TCP traffic
Source: IP Address
Source: TCP traffic
Source: DNS traffic detected
Source: String found in binary or memory (12 entries)
Key, Mouse, Clipboard, Microphone and Screen Capturing
Installs a global keyboard hook
Source: Windows user hook set
Source: Window created
System Summary
.NET source code contains very large strings
Source: Long String (5 entries)
Initial sample is a PE file and has a suspicious name
Source: Static PE information (2 entries)
Source: Code function (23 entries)
Source: Binary or memory string (11 entries)
Source: Static PE information
Source: Classification label
Source: File created
Source: Static PE information
Source: Section loaded (2 entries)
Source: WMI Queries (3 entries)
Source: Key opened
Source: File read (4 entries)
Source: Process created (3 entries)
Source: Key value queried
Source: File opened
Source: Key opened
Source: Static PE information (2 entries)
Source: Code function (5 entries)
Source: Static PE information
Hooking and other Techniques for Hiding and Protection
Moves itself to temp directory
Source: File moved
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Static PE information
Source: Registry key monitored for changes
Source: Process information set (81 entries)
Malware Analysis System Evasion
Yara detected AntiVM_3
Source: File source (2 entries)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: WMI Queries
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: WMI Queries
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Binary or memory string (2 entries)
Source: Thread delayed (2 entries)
Source: Window / User API (2 entries)
Source: Thread sleep time (3 entries)
Source: Thread sleep count (2 entries)
Source: WMI Queries (3 entries)
Source: Binary or memory string (4 entries)
Source: Process information queried
Source: Code function
Source: Process token adjusted
Source: Memory allocated
Source: Process created
Source: Binary or memory string (4 entries)
Source: Queries volume information (16 entries)
Source: Key value queried
Stealing of Sensitive Information
Yara detected AgentTesla
Source: File source (6 entries)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: Key opened
Tries to harvest and steal browser information (history, passwords, etc)
Source: File opened (3 entries)
Tries to harvest and steal ftp login credentials
Source: File opened (2 entries)
Tries to steal Mail credentials (via file access)
Source: File opened (2 entries)
Source: Key opened (2 entries)
Source: File source (2 entries)
Remote Access Functionality
Yara detected AgentTesla
Source: File source (6 entries)
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection12 | Masquerading21 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion13 | Input Capture11 | Security Software Discovery211 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Credentials in Registry1 | Virtualization/Sandbox Evasion13 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Process Discovery2 | Distributed Component Object Model | Data from Local System2 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information12 | LSA Secrets | Application Window Discovery1 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing3 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Detection | Scanner | Label |
---|---|---|
100% | Joe Sandbox ML | |
Dropped Files
No Antivirus matches
Unpacked PE Files
Detection | Scanner | Label |
---|---|---|
100% | Avira | TR/Spy.Gen8 |
Domains
No Antivirus matches
URLs
Detection | Scanner | Label | Entries |
---|---|---|---|
0% | Avira URL Cloud | safe | 5 |
0% | URL Reputation | safe | 12 |
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Reputation |
---|---|---|---|---|
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | high |
smtp.divasvalves.com | unknown | unknown | true | unknown |
URLs from Memory and Binaries
Malicious | Reputation |
---|---|
false | unknown |
false | unknown |
false | low |
false | unknown |
false | unknown |
true | unknown |
false | high |
false | unknown |
false | high |
false | high |
false | unknown |
false | unknown |
Contacted IPs
General Information
Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 326328
Start date: 03.12.2020
Start time: 09:55:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New Order Inquiry.PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information: Failed
HDC Information:
HCA Information:
Cookbook Comments:
Warnings:
Simulations
Behavior and APIs
Time | Type | Description |
---|---|---|
09:56:50 | API Interceptor | |
Joe Sandbox View / Context
IPs
Match | Associated samples | Detection |
---|---|---|
208.91.198.143 | 20 | malicious |
Domains
Match | Associated samples | Detection |
---|---|---|
us2.smtp.mailhostbox.com | 20 | malicious |
ASN
Match | Associated samples | Detection |
---|---|---|
PUBLIC-DOMAIN-REGISTRYUS | 20 | malicious |
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
Process: C:\Users\user\Desktop\New Order Inquiry.PDF.exe
File Type:
Category: dropped
Size (bytes): 792
Entropy (8bit): 5.331449916613832
Encrypted: false
SSDEEP: 24:MLKE4K5E4Ks29E4Kx1qE4x84qXKDE4KhK3VZ9pKhk:MuHK5HKX9HKx1qHxviYHKhQnok
MD5: 48C35637F4E5AE32A768BDF159A4B32E
SHA1: C27B5E37426D6496AF195A39B7882DF50341EE4A
SHA-256: 43567270C0C1C1BCD458595B138034B2A6F6DC4B2DFFA475AE7D629BE4C93BD2
SHA-512: B4E98A592CC5EDB8E3379283756A01B7712922748BF4FC19E41B1205DD404367C11357BB17824419A2C4B2CE007BEAA55EBA97F602BC5B361EABC222CBC0374D
Malicious: true
Reputation: moderate, very likely benign file
Preview:

Process: C:\Users\user\Desktop\New Order Inquiry.PDF.exe
File Type:
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Reputation: moderate, very likely benign file
Preview:
Static File Info
General
File type:
Entropy (8bit): 6.9921837086019565
TrID:
File name: New Order Inquiry.PDF.exe
File size: 678912
MD5: a0ce94d59dc8204e8cdbce7c4d635d32
SHA1: 8599d6d2c48067e3c29cd751dba94ed06313fd75
SHA256: 415e3b94a339a45d036814c1bfbae3a24befccaf6bbba44a5265613f3aec3ef7
SHA512: 727df172278b6efb0b6659c51502f76e2d2d9288691796244d8a2719f54c8d87436c37cc2ac1c08edd2e084cbe0e252fc9ac7494a74304836efdd9e3b95b5cea
SSDEEP: 12288:dCwIOQkVSTBzKLpq5ymZviBzXCBkfSdT7MvZgwu22qPVGNbTuMuKBD7hpvA:dDfkBzoA5ymYZx6VAmwuKST0sDd
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................P...........o... ........@.. ....................................@................................
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x4a6f2e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FC88D2E [Thu Dec 3 07:01:02 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint Preview
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al (repeated 97 times; disassembly of the zero bytes that follow the jump) |
The single jump goes through the IAT entry at 0x402000 (IAT directory at RVA 0x2000 plus image base 0x400000), which holds the sample's only import, mscoree.dll!_CorExeMain; this is the standard entry stub of a .NET executable, and the real logic lives in managed code rather than at the native entrypoint.
Data Directories
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6ed4 | 0x57 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa8000 | 0x800 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaa000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xa4f34 | 0xa5000 | False | 0.703693181818 | data | 7.00471391573 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xa8000 | 0x800 | 0x800 | False | 0.32763671875 | data | 3.42290303979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xaa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0xa8090 | 0x374 | data | ||
RT_MANIFEST | 0xa8414 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2011 |
Assembly Version | 1.0.0.0 |
InternalName | ContinuationTaskFromTask.exe |
FileVersion | 1.0.0.0 |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | LoginWindowsApp |
ProductVersion | 1.0.0.0 |
FileDescription | LoginWindowsApp |
OriginalFilename | ContinuationTaskFromTask.exe |
Network Behavior
Snort IDS Alerts
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/03/20-09:58:38.637407 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
12/03/20-09:58:41.432598 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49744 | 587 | 192.168.2.3 | 208.91.198.143 |
Network Port Distribution
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 3, 2020 09:58:37.322230101 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:37.461915970 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:37.462390900 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:37.775552034 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:37.776420116 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:37.916065931 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:37.916114092 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:37.918484926 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:38.058747053 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:38.061753988 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:38.203701019 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:38.204740047 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:38.345262051 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:38.346117020 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:38.493155003 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:38.493746996 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
Dec 3, 2020 09:58:38.633471966 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 |
Dec 3, 2020 09:58:38.637407064 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dec 3, 2020 09:58:36.954673052 CET | 192.168.2.3 | 8.8.8.8 | 0x70bb | Standard query (0) | | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.145148039 CET | 192.168.2.3 | 8.8.8.8 | 0x9d6e | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dec 3, 2020 09:58:37.120395899 CET | 8.8.8.8 | 192.168.2.3 | 0x70bb | No error (0) | | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001) |
Dec 3, 2020 09:58:37.120395899 CET | 8.8.8.8 | 192.168.2.3 | 0x70bb | No error (0) | | | 208.91.198.143 | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.120395899 CET | 8.8.8.8 | 192.168.2.3 | 0x70bb | No error (0) | | | 208.91.199.224 | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.120395899 CET | 8.8.8.8 | 192.168.2.3 | 0x70bb | No error (0) | | | 208.91.199.225 | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.120395899 CET | 8.8.8.8 | 192.168.2.3 | 0x70bb | No error (0) | | | 208.91.199.223 | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.182770014 CET | 8.8.8.8 | 192.168.2.3 | 0x9d6e | No error (0) | | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001) |
Dec 3, 2020 09:58:37.182770014 CET | 8.8.8.8 | 192.168.2.3 | 0x9d6e | No error (0) | | | 208.91.198.143 | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.182770014 CET | 8.8.8.8 | 192.168.2.3 | 0x9d6e | No error (0) | | | 208.91.199.224 | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.182770014 CET | 8.8.8.8 | 192.168.2.3 | 0x9d6e | No error (0) | | | 208.91.199.225 | A (IP address) | IN (0x0001) |
Dec 3, 2020 09:58:37.182770014 CET | 8.8.8.8 | 192.168.2.3 | 0x9d6e | No error (0) | | | 208.91.199.223 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Dec 3, 2020 09:58:37.775552034 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
Dec 3, 2020 09:58:37.776420116 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 | EHLO 818225 |
Dec 3, 2020 09:58:37.916114092 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
Dec 3, 2020 09:58:37.918484926 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 | AUTH login YmlsbHlmdW5kc0BkaXZhc3ZhbHZlcy5jb20= |
Dec 3, 2020 09:58:38.058747053 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Dec 3, 2020 09:58:38.203701019 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 235 2.7.0 Authentication successful |
Dec 3, 2020 09:58:38.204740047 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 | MAIL FROM:<billyfunds@divasvalves.com> |
Dec 3, 2020 09:58:38.345262051 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 250 2.1.0 Ok |
Dec 3, 2020 09:58:38.346117020 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 | RCPT TO:<billyfunds@divasvalves.com> |
Dec 3, 2020 09:58:38.493155003 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 250 2.1.5 Ok |
Dec 3, 2020 09:58:38.493746996 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 | DATA |
Dec 3, 2020 09:58:38.633471966 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF> |
Dec 3, 2020 09:58:38.638465881 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 | . |
Dec 3, 2020 09:58:38.832415104 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 250 2.0.0 Ok: queued as 67E531C2528 |
Dec 3, 2020 09:58:40.145986080 CET | 49743 | 587 | 192.168.2.3 | 208.91.198.143 | QUIT |
Dec 3, 2020 09:58:40.285917997 CET | 587 | 49743 | 208.91.198.143 | 192.168.2.3 | 221 2.0.0 Bye |
Dec 3, 2020 09:58:40.571547985 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
Dec 3, 2020 09:58:40.571976900 CET | 49744 | 587 | 192.168.2.3 | 208.91.198.143 | EHLO 818225 |
Dec 3, 2020 09:58:40.711296082 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
Dec 3, 2020 09:58:40.712019920 CET | 49744 | 587 | 192.168.2.3 | 208.91.198.143 | AUTH login YmlsbHlmdW5kc0BkaXZhc3ZhbHZlcy5jb20= |
Dec 3, 2020 09:58:40.851943970 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Dec 3, 2020 09:58:40.994543076 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 235 2.7.0 Authentication successful |
Dec 3, 2020 09:58:40.995024920 CET | 49744 | 587 | 192.168.2.3 | 208.91.198.143 | MAIL FROM:<billyfunds@divasvalves.com> |
Dec 3, 2020 09:58:41.135726929 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 250 2.1.0 Ok |
Dec 3, 2020 09:58:41.136359930 CET | 49744 | 587 | 192.168.2.3 | 208.91.198.143 | RCPT TO:<billyfunds@divasvalves.com> |
Dec 3, 2020 09:58:41.289124966 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 250 2.1.5 Ok |
Dec 3, 2020 09:58:41.289815903 CET | 49744 | 587 | 192.168.2.3 | 208.91.198.143 | DATA |
Dec 3, 2020 09:58:41.429452896 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF> |
Dec 3, 2020 09:58:41.433903933 CET | 49744 | 587 | 192.168.2.3 | 208.91.198.143 | . |
Dec 3, 2020 09:58:41.626679897 CET | 587 | 49744 | 208.91.198.143 | 192.168.2.3 | 250 2.0.0 Ok: queued as 361741C188F |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 09:56:48 |
Start date: | 03/12/2020 |
Path: | C:\Users\user\Desktop\New Order Inquiry.PDF.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x70000 |
File size: | 678912 bytes |
MD5 hash: | A0CE94D59DC8204E8CDBCE7C4D635D32 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Reputation: | low |
General |
---|
Start time: | 09:56:51 |
Start date: | 03/12/2020 |
Path: | C:\Users\user\Desktop\New Order Inquiry.PDF.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xed0000 |
File size: | 678912 bytes |
MD5 hash: | A0CE94D59DC8204E8CDBCE7C4D635D32 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|