Play interactive tour
Edit tourAnalysis Report Halkbank_Ekstre_20210113_162325_384771.exe
Overview
General Information
| Sample Name: | Halkbank_Ekstre_20210113_162325_384771.exe |
| Analysis ID: | 339368 |
| MD5: | 8bdf3d3cb7c7680df5b8d6385dc5db82 |
| SHA1: | 442eaa27d23dc72fd96c9d2d984068669afbeb5d |
| SHA256: | a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b |
| Tags: | AgentTeslaexegeoHalkbankTUR |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Username: ": "VVkDExoCFG4o1k", "URL: ": "http://2cRhONggGD4U87PUSY.com", "To: ": "muhasebe@ceotech.com.tr", "ByHost: ": "mail.ceotech.com.tr:587", "Password: ": "JRuuV68u86gFWkr", "From: ": "muhasebe@ceotech.com.tr"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 5 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 2 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 1_2_00404A29 | |
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| C2 URLs / IPs found in malware configuration | Show sources | ||
| Source: | URLs: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Code function: | 0_2_00ED60C0 | |
| Source: | Code function: | 0_2_00ED683C | |
| Source: | Code function: | 0_2_00ED0432 | |
| Source: | Code function: | 0_2_00ED55E0 | |
| Source: | Code function: | 0_2_00ED51BC | |
| Source: | Code function: | 0_2_00ED7991 | |
| Source: | Code function: | 0_2_00ECA951 | |
| Source: | Code function: | 0_2_00ECD929 | |
| Source: | Code function: | 0_2_00ED5B50 | |
| Source: | Code function: | 1_2_0040A2A5 | |
| Source: | Code function: | 1_2_00ED60C0 | |
| Source: | Code function: | 1_2_00ED683C | |
| Source: | Code function: | 1_2_00ED0432 | |
| Source: | Code function: | 1_2_00ED55E0 | |
| Source: | Code function: | 1_2_00ED51BC | |
| Source: | Code function: | 1_2_00ED7991 | |
| Source: | Code function: | 1_2_00ECA951 | |
| Source: | Code function: | 1_2_00ECD929 | |
| Source: | Code function: | 1_2_00ED5B50 | |
| Source: | Code function: | 1_2_010060C8 | |
| Source: | Code function: | 1_2_01002A08 | |
| Source: | Code function: | 1_2_01004A50 | |
| Source: | Code function: | 1_2_0100AAA0 | |
| Source: | Code function: | 1_2_01005428 | |
| Source: | Code function: | 1_2_01007F58 | |
| Source: | Code function: | 1_2_0100C050 | |
| Source: | Code function: | 1_2_0100E698 | |
| Source: | Code function: | 1_2_01012D50 | |
| Source: | Code function: | 1_2_0101F4E8 | |
| Source: | Code function: | 1_2_01011FE2 | |
| Source: | Code function: | 1_2_01012618 | |
| Source: | Code function: | 1_2_01019DB8 | |
| Source: | Code function: | 1_2_0101F489 | |
| Source: | Code function: | 1_2_01019AC3 | |
| Source: | Code function: | 1_2_012E99E0 | |
| Source: | Code function: | 1_2_012E6068 | |
| Source: | Code function: | 1_2_012EE318 | |
| Source: | Code function: | 1_2_012EBA38 | |
| Source: | Code function: | 1_2_012E5E48 | |
| Source: | Code function: | 1_2_012E7190 | |
| Source: | Code function: | 1_2_012ED817 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_00401489 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Command line argument: | 0_2_00EC1040 | |
| Source: | Command line argument: | 0_2_00EC1040 | |
| Source: | Command line argument: | 0_2_00EC1040 | |
| Source: | Command line argument: | 0_2_00EC1040 | |
| Source: | Command line argument: | 1_2_00EC1040 | |
| Source: | Command line argument: | 1_2_00EC1040 | |
| Source: | Command line argument: | 1_2_00EC1040 | |
| Source: | Command line argument: | 1_2_00EC1040 | |
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00ED1B13 | |
| Source: | Code function: | 0_2_00EC91B8 | |
| Source: | Code function: | 1_2_00401F29 | |
| Source: | Code function: | 1_2_00EC91B8 | |
| Source: | Code function: | 1_2_01017A39 | |
| Source: | Code function: | 1_2_012ED5C0 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 1_2_00404A29 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_012EE0CF | |
| Source: | Code function: | 0_2_00EC8A1C | |
| Source: | Code function: | 0_2_00ED1B13 | |
| Source: | Code function: | 0_2_00ED1B13 | |
| Source: | Code function: | 0_2_00EC6A00 | |
| Source: | Code function: | 0_2_00CFF40D | |
| Source: | Code function: | 0_2_00CFE9B6 | |
| Source: | Code function: | 0_2_00CFF2C5 | |
| Source: | Code function: | 0_2_00CFF262 | |
| Source: | Code function: | 0_2_00CFF225 | |
| Source: | Code function: | 1_2_004035F1 | |
| Source: | Code function: | 1_2_00EC6A00 | |
| Source: | Code function: | 0_2_00EC6B80 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_00ECC0A3 | |
| Source: | Code function: | 0_2_00ECC080 | |
| Source: | Code function: | 1_2_00401E1D | |
| Source: | Code function: | 1_2_0040446F | |
| Source: | Code function: | 1_2_00401C88 | |
| Source: | Code function: | 1_2_00401F30 | |
| Source: | Code function: | 1_2_00ECC0A3 | |
| Source: | Code function: | 1_2_00ECC080 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Maps a DLL or memory area into another process | Show sources | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00ECD7B7 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00ECFC48 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information11 | Credentials in Registry1 | File and Directory Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Command and Scripting Interpreter2 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery125 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing1 | NTDS | Security Software Discovery141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Virtualization/Sandbox Evasion13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion13 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 36% | Virustotal | Browse | ||
| 45% | ReversingLabs | Win32.Trojan.AgentTesla | ||
| 100% | Avira | TR/ATRAPS.Gen | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/ATRAPS.Gen | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/ATRAPS.Gen | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/ATRAPS.Gen | Download File | ||
| 100% | Avira | TR/ATRAPS.Gen | Download File |
Domains |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse |
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ceotech.com.tr | 109.232.220.251 | true | true |
| unknown |
| mail.ceotech.com.tr | unknown | unknown | true | unknown |
Contacted URLs |
|---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 109.232.220.251 | unknown | Turkey | 42807 | AEROTEK-ASTR | true |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Red Diamond |
| Analysis ID: | 339368 |
| Start date: | 13.01.2021 |
| Start time: | 21:45:38 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 10s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Halkbank_Ekstre_20210113_162325_384771.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 13 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/1@2/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 21:46:47 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 109.232.220.251 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
|
Domains |
|---|
| No context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| AEROTEK-ASTR | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\Halkbank_Ekstre_20210113_162325_384771.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.6969296358976265 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ |
| MD5: | A9DBC7B8E523ABE3B02D77DBF2FCD645 |
| SHA1: | DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8 |
| SHA-256: | 39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE |
| SHA-512: | 3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.435198963754783 |
| TrID: |
|
| File name: | Halkbank_Ekstre_20210113_162325_384771.exe |
| File size: | 517632 |
| MD5: | 8bdf3d3cb7c7680df5b8d6385dc5db82 |
| SHA1: | 442eaa27d23dc72fd96c9d2d984068669afbeb5d |
| SHA256: | a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b |
| SHA512: | 7356a0586c565076d71ae75e77287d8d10a6636d4e789a078f4ba5b493288dcda0ccfbe721b5a05ea0dbaf37e0b428c0eeb19b77390e3239a3f7baccbfb5896b |
| SSDEEP: | 6144:Lr1I5DbAQcHAORYANc73CoNUkJYUTIHRghDfeIenXA87i+uLJl98xCoxCB:/1I5fAPHQNUdHID9Yb7PO9YCB |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........tj.m'j.m'j.m'.Q.'k.m'.4.'I.m'.4.'r.m'.4.'..m'j.l'..m'...'..m'M7.'k.m'M7.'k.m'M7.'k.m'Richj.m'................PE..L......_... |
File Icon |
|---|
 | |
| Icon Hash: | 0f470d0d0d09470c |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4088a7 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x5FFEB4E8 [Wed Jan 13 08:52:56 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e7da020c2fad0c59a3d5e97971484548 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| call 00007F934CBF00A1h |
| jmp 00007F934CBE8D05h |
| push 00000014h |
| push 0041D838h |
| call 00007F934CBE95A8h |
| call 00007F934CBEC456h |
| movzx esi, ax |
| push 00000002h |
| call 00007F934CBF0034h |
| pop ecx |
| mov eax, 00005A4Dh |
| cmp word ptr [00400000h], ax |
| je 00007F934CBE8D06h |
| xor ebx, ebx |
| jmp 00007F934CBE8D35h |
| mov eax, dword ptr [0040003Ch] |
| cmp dword ptr [eax+00400000h], 00004550h |
| jne 00007F934CBE8CEDh |
| mov ecx, 0000010Bh |
| cmp word ptr [eax+00400018h], cx |
| jne 00007F934CBE8CDFh |
| xor ebx, ebx |
| cmp dword ptr [eax+00400074h], 0Eh |
| jbe 00007F934CBE8D0Bh |
| cmp dword ptr [eax+004000E8h], ebx |
| setne bl |
| mov dword ptr [ebp-1Ch], ebx |
| call 00007F934CBED443h |
| test eax, eax |
| jne 00007F934CBE8D0Ah |
| push 0000001Ch |
| call 00007F934CBE8DD5h |
| pop ecx |
| call 00007F934CBEDAACh |
| test eax, eax |
| jne 00007F934CBE8D0Ah |
| push 00000010h |
| call 00007F934CBE8DC4h |
| pop ecx |
| call 00007F934CBEC1E8h |
| and dword ptr [ebp-04h], 00000000h |
| call 00007F934CBEA983h |
| call dword ptr [004180C8h] |
| mov dword ptr [00424080h], eax |
| call 00007F934CBF0092h |
| mov dword ptr [00422284h], eax |
| call 00007F934CBEFC93h |
| test eax, eax |
| jns 00007F934CBE8D0Ah |
| push 00000008h |
| call 00007F934CBE78BAh |
| pop ecx |
| call 00007F934CBEFEAFh |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1db94 | 0xdc | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x14908 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3a000 | 0x1150 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1d6e0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x1c8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x16d9a | 0x16e00 | False | 0.571016905738 | data | 6.67353254408 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x18000 | 0x64f8 | 0x6600 | False | 0.572227328431 | data | 6.01779519415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x1f000 | 0x5098 | 0x3400 | False | 0.285531850962 | data | 4.70097691284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x25000 | 0x14908 | 0x14a00 | False | 0.180705492424 | data | 4.28205034385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x3a000 | 0x1856 | 0x1a00 | False | 0.560546875 | data | 5.24804526054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x251c0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0x25628 | 0x988 | data | English | United States |
| RT_ICON | 0x25fb0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States |
| RT_ICON | 0x27058 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States |
| RT_ICON | 0x29600 | 0xe8ac | data | English | United States |
| RT_RCDATA | 0x37f00 | 0x1a05 | data | English | United States |
| RT_GROUP_ICON | 0x37eb0 | 0x4c | data | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | RaiseException, ReadConsoleW, ReadFile, CreateFileW, WriteConsoleW, GetStringTypeW, LCMapStringEx, SetConsoleCursorPosition, LoadLibraryW, GetModuleHandleW, HeapReAlloc, HeapSize, OutputDebugStringW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetStdHandle, WideCharToMultiByte, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetProcessHeap, HeapAlloc, GetStdHandle, GetTickCount64, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleFileNameA, GetCurrentThreadId, SetLastError, GetCPInfo, GetOEMCP, GetACP, EncodePointer, DecodePointer, GetLastError, InterlockedDecrement, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, GetLocalTime, GetCommandLineA, IsDebuggerPresent, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, CloseHandle, HeapFree, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetFileType, DeleteCriticalSection, InitOnceExecuteOnce, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetCurrentProcess, TerminateProcess, WriteFile, GetModuleFileNameW, Sleep, LoadLibraryExW, InterlockedIncrement, IsValidCodePage, SetEndOfFile |
| msi.dll | |
| loadperf.dll | LoadPerfCounterTextStringsA, UnloadPerfCounterTextStringsW, UnloadPerfCounterTextStringsA |
| MSVFW32.dll | StretchDIB |
| AVIFIL32.dll | AVIFileExit, AVIStreamReadData |
| pdh.dll | PdhEnumObjectsW, PdhSetQueryTimeRange, PdhGetDllVersion |
| WSOCK32.dll | WSASetBlockingHook, WSACancelAsyncRequest, bind, ord1104, ord1108, ord1130 |
| GDI32.dll | StartDocW, GdiGetSpoolFileHandle, PolyBezier |
| MAPI32.dll | |
| MSACM32.dll | acmDriverPriority, acmFilterTagDetailsA |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 01/13/21-21:48:24.132757 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| 01/13/21-21:48:25.921637 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 13, 2021 21:48:23.310643911 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:23.391347885 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:23.391645908 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:23.601947069 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:23.602631092 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:23.683430910 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:23.685769081 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:23.767661095 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:23.768654108 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:23.861720085 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:23.862680912 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:23.943025112 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:23.943578005 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:24.043967962 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:24.044297934 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:24.124954939 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:24.125097990 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:24.132756948 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:24.133276939 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:24.133873940 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:24.134016991 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:24.213766098 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:24.214521885 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:24.236974001 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:24.277636051 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.226833105 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.309237957 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.309633970 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.309801102 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.310714960 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.383346081 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.383452892 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.390098095 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.459893942 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.460177898 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.532881021 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.533261061 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.606108904 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.606667042 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.684650898 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.687062025 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.761615038 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.761971951 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.842509031 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.844945908 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.920116901 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.920146942 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.921427011 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.921637058 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.921734095 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.921817064 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.921986103 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.922058105 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.922123909 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.922286987 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
| Jan 13, 2021 21:48:25.994154930 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.994611979 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:25.994637966 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:26.023324013 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 |
| Jan 13, 2021 21:48:26.074748039 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 13, 2021 21:46:29.657373905 CET | 56590 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:29.705615044 CET | 53 | 56590 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:30.480578899 CET | 60501 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:30.528429031 CET | 53 | 60501 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:31.331312895 CET | 53775 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:31.379257917 CET | 53 | 53775 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:32.790518045 CET | 51837 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:32.838291883 CET | 53 | 51837 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:34.691339970 CET | 55411 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:34.739322901 CET | 53 | 55411 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:35.673193932 CET | 63668 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:35.723819971 CET | 53 | 63668 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:36.466608047 CET | 54640 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:36.517349005 CET | 53 | 54640 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:38.135898113 CET | 58739 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:38.186909914 CET | 53 | 58739 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:39.445326090 CET | 60338 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:39.504596949 CET | 53 | 60338 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:41.700320959 CET | 58717 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:41.751512051 CET | 53 | 58717 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:44.782391071 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:44.838838100 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:46.812696934 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:46.860708952 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:47.769114971 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:47.816962004 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:54.259582996 CET | 54008 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:54.309675932 CET | 53 | 54008 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:55.723229885 CET | 59451 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:55.771421909 CET | 53 | 59451 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:46:57.217106104 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:46:57.265522957 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:47:19.243168116 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:47:19.306643009 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:47:19.401158094 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:47:19.457763910 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:48:22.759804964 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:48:22.858607054 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7 |
| Jan 13, 2021 21:48:22.876439095 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8 |
| Jan 13, 2021 21:48:23.220669985 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jan 13, 2021 21:48:22.759804964 CET | 192.168.2.7 | 8.8.8.8 | 0x5085 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jan 13, 2021 21:48:22.876439095 CET | 192.168.2.7 | 8.8.8.8 | 0xb9fa | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jan 13, 2021 21:48:22.858607054 CET | 8.8.8.8 | 192.168.2.7 | 0x5085 | No error (0) | ceotech.com.tr | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 13, 2021 21:48:22.858607054 CET | 8.8.8.8 | 192.168.2.7 | 0x5085 | No error (0) | 109.232.220.251 | A (IP address) | IN (0x0001) | ||
| Jan 13, 2021 21:48:23.220669985 CET | 8.8.8.8 | 192.168.2.7 | 0xb9fa | No error (0) | ceotech.com.tr | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 13, 2021 21:48:23.220669985 CET | 8.8.8.8 | 192.168.2.7 | 0xb9fa | No error (0) | 109.232.220.251 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Jan 13, 2021 21:48:23.601947069 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 220-cpanel8.webadam.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 23:48:25 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jan 13, 2021 21:48:23.602631092 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 | EHLO 226533 |
| Jan 13, 2021 21:48:23.683430910 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 250-cpanel8.webadam.com Hello 226533 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jan 13, 2021 21:48:23.685769081 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 | AUTH login bXVoYXNlYmVAY2VvdGVjaC5jb20udHI= |
| Jan 13, 2021 21:48:23.767661095 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 334 UGFzc3dvcmQ6 |
| Jan 13, 2021 21:48:23.861720085 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 235 Authentication succeeded |
| Jan 13, 2021 21:48:23.862680912 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 | MAIL FROM:<muhasebe@ceotech.com.tr> |
| Jan 13, 2021 21:48:23.943025112 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 250 OK |
| Jan 13, 2021 21:48:23.943578005 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 | RCPT TO:<muhasebe@ceotech.com.tr> |
| Jan 13, 2021 21:48:24.043967962 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 250 Accepted |
| Jan 13, 2021 21:48:24.044297934 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 | DATA |
| Jan 13, 2021 21:48:24.125097990 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself |
| Jan 13, 2021 21:48:24.134016991 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 | . |
| Jan 13, 2021 21:48:24.236974001 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 250 OK id=1kzn45-003L46-Pb |
| Jan 13, 2021 21:48:25.226833105 CET | 49711 | 587 | 192.168.2.7 | 109.232.220.251 | QUIT |
| Jan 13, 2021 21:48:25.309237957 CET | 587 | 49711 | 109.232.220.251 | 192.168.2.7 | 221 cpanel8.webadam.com closing connection |
| Jan 13, 2021 21:48:25.459893942 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 220-cpanel8.webadam.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 23:48:27 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jan 13, 2021 21:48:25.460177898 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 | EHLO 226533 |
| Jan 13, 2021 21:48:25.532881021 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 250-cpanel8.webadam.com Hello 226533 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jan 13, 2021 21:48:25.533261061 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 | AUTH login bXVoYXNlYmVAY2VvdGVjaC5jb20udHI= |
| Jan 13, 2021 21:48:25.606108904 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 334 UGFzc3dvcmQ6 |
| Jan 13, 2021 21:48:25.684650898 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 235 Authentication succeeded |
| Jan 13, 2021 21:48:25.687062025 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 | MAIL FROM:<muhasebe@ceotech.com.tr> |
| Jan 13, 2021 21:48:25.761615038 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 250 OK |
| Jan 13, 2021 21:48:25.761971951 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 | RCPT TO:<muhasebe@ceotech.com.tr> |
| Jan 13, 2021 21:48:25.842509031 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 250 Accepted |
| Jan 13, 2021 21:48:25.844945908 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 | DATA |
| Jan 13, 2021 21:48:25.920146942 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself |
| Jan 13, 2021 21:48:25.922286987 CET | 49712 | 587 | 192.168.2.7 | 109.232.220.251 | . |
| Jan 13, 2021 21:48:26.023324013 CET | 587 | 49712 | 109.232.220.251 | 192.168.2.7 | 250 OK id=1kzn47-003L4J-JA |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 21:46:34 |
| Start date: | 13/01/2021 |
| Path: | C:\Users\user\Desktop\Halkbank_Ekstre_20210113_162325_384771.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xec0000 |
| File size: | 517632 bytes |
| MD5 hash: | 8BDF3D3CB7C7680DF5B8D6385DC5DB82 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 21:46:36 |
| Start date: | 13/01/2021 |
| Path: | C:\Users\user\Desktop\Halkbank_Ekstre_20210113_162325_384771.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xec0000 |
| File size: | 517632 bytes |
| MD5 hash: | 8BDF3D3CB7C7680DF5B8D6385DC5DB82 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 00EC1040, Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 187librarymemoryCOMMON
Download Yara Rule
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC6B80, Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON
Download Yara Rule
| C-Code - Quality: 41% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC88A7, Relevance: 16.6, APIs: 11, Instructions: 84COMMON
Download Yara Rule
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00ECC0A3, Relevance: 3.0, APIs: 2, Instructions: 8COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECD929, Relevance: 2.1, APIs: 1, Instructions: 645COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECC080, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CFF225, Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CFF262, Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC6A00, Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CFF2C5, Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CFE9B6, Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CFF40D, Relevance: .0, Instructions: 3COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC3610, Relevance: 91.3, APIs: 27, Strings: 25, Instructions: 313COMMON
Download Yara Rule
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC49E0, Relevance: 65.1, APIs: 17, Strings: 20, Instructions: 328COMMON
Download Yara Rule
| C-Code - Quality: 43% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC22F0, Relevance: 57.9, APIs: 17, Strings: 16, Instructions: 198COMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC4640, Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 252COMMON
Download Yara Rule
| C-Code - Quality: 44% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC2B10, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 243COMMON
Download Yara Rule
| C-Code - Quality: 80% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC2800, Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 223COMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 80% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 73% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECA5E2, Relevance: 16.7, APIs: 11, Instructions: 229COMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC8E23, Relevance: 13.6, APIs: 9, Instructions: 66COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC1380, Relevance: 10.6, APIs: 7, Instructions: 126COMMON
Download Yara Rule
| C-Code - Quality: 76% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECBB6C, Relevance: 9.1, APIs: 6, Instructions: 134COMMON
Download Yara Rule
| C-Code - Quality: 88% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ED1D26, Relevance: 7.6, APIs: 5, Instructions: 67COMMON
Download Yara Rule
| C-Code - Quality: 96% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 83% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ED1673, Relevance: 6.1, APIs: 4, Instructions: 96COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECECB1, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECCC10, Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| C-Code - Quality: 92% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 83% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01012D50, Relevance: .9, Instructions: 863COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101F489, Relevance: .6, Instructions: 624COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101F4E8, Relevance: .6, Instructions: 604COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01011FE2, Relevance: .5, Instructions: 536COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01012618, Relevance: .4, Instructions: 444COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004001CC, Relevance: 26.9, APIs: 13, Strings: 1, Instructions: 2442memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100E2B8, Relevance: 1.6, APIs: 1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100BB88, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101D258, Relevance: 1.4, Strings: 1, Instructions: 102COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101D268, Relevance: 1.3, Strings: 1, Instructions: 99COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01013E28, Relevance: .8, Instructions: 830COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101DC30, Relevance: .6, Instructions: 601COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101BA70, Relevance: .5, Instructions: 543COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101AC6F, Relevance: .4, Instructions: 430COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010116C8, Relevance: .3, Instructions: 342COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01014C78, Relevance: .3, Instructions: 319COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01014B57, Relevance: .3, Instructions: 313COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01012D40, Relevance: .3, Instructions: 277COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101A720, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101F10F, Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01011AC0, Relevance: .2, Instructions: 234COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01013AC8, Relevance: .2, Instructions: 185COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101AA9F, Relevance: .2, Instructions: 150COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101CB67, Relevance: .1, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010138D8, Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010114A8, Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010132D8, Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01013D08, Relevance: .1, Instructions: 96COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010154F1, Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01013D18, Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01013C10, Relevance: .1, Instructions: 84COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101D13F, Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101EE70, Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101F160, Relevance: .1, Instructions: 69COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010119E0, Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101EF90, Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101544F, Relevance: .1, Instructions: 60COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010114F0, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101A770, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01015458, Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01011632, Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101A699, Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01011D72, Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101D1F9, Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101EF1F, Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101A6A8, Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01015710, Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01011D80, Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00EC1040, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 187libraryCOMMON
Download Yara Rule
| C-Code - Quality: 55% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 72% |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC3610, Relevance: 91.3, APIs: 27, Strings: 25, Instructions: 313COMMON
Download Yara Rule
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC49E0, Relevance: 65.1, APIs: 17, Strings: 20, Instructions: 328COMMON
Download Yara Rule
| C-Code - Quality: 43% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC22F0, Relevance: 57.9, APIs: 17, Strings: 16, Instructions: 198COMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC4640, Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 252COMMON
Download Yara Rule
| C-Code - Quality: 44% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC2B10, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 243COMMON
Download Yara Rule
| C-Code - Quality: 80% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC2800, Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 223COMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 80% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 73% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECA5E2, Relevance: 16.7, APIs: 11, Instructions: 229COMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC88A7, Relevance: 16.6, APIs: 11, Instructions: 84COMMON
Download Yara Rule
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC8E23, Relevance: 13.6, APIs: 9, Instructions: 66COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC1380, Relevance: 10.6, APIs: 7, Instructions: 126COMMON
Download Yara Rule
| C-Code - Quality: 76% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECBB6C, Relevance: 9.1, APIs: 6, Instructions: 134COMMON
Download Yara Rule
| C-Code - Quality: 88% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 27% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
Download Yara Rule
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ED1D26, Relevance: 7.6, APIs: 5, Instructions: 67COMMON
Download Yara Rule
| C-Code - Quality: 96% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 83% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ED1673, Relevance: 6.1, APIs: 4, Instructions: 96COMMON
Download Yara Rule
| C-Code - Quality: 98% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 95% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| C-Code - Quality: 71% |
|
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECECB1, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00ECCC10, Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| C-Code - Quality: 92% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 83% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EC6B80, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON
Download Yara Rule
| C-Code - Quality: 41% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |