Analysis Report PO13132021.scr
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: | Agenttesla |
Configuration: | {"Username: ": "q8yz7CCwgQfF", "URL: ": "http://8fEo7xWGmGml.org", "To: ": "", "ByHost: ": "polar.argondns.net:587", "Password: ": "dKUidybLVbHYBgI", "From: ": ""} |
Yara Overview |
---|
Memory Dumps |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Unpacked PEs |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for dropped file |
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: | 3 entries |
Compliance: |
---|
Detected unpacking (creates a PE file in dynamic memory) |
Source: | Unpacked PE file: |
Detected unpacking (overwrites its own PE header) |
Source: | Unpacked PE file: |
Uses 32bit PE files |
Source: | Static PE information: |
Uses new MSVCR Dlls |
Source: | File opened: |
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Source: | Static PE information: |
Binary contains paths to debug symbols |
Source: | Binary string: | 2 entries |
Source: | Code function: | 5 entries |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | URLs: |
Source: | TCP traffic: | 5 entries |
Source: | ASN Name: |
Source: | TCP traffic: | 5 entries |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | 21 entries |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
System Summary: |
---|
.NET source code contains very large array initializations |
Source: | Large array initialization: |
Source: | Code function: | 2 entries |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: | 35 entries |
Source: | Dropped File: | 2 entries |
Source: | Code function: |
Source: | Static PE information: | 12 entries |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Cryptographic APIs: | 2 entries |
Source: | Classification label: |
Source: | Code function: |
Source: | Code function: | 5 entries |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Section loaded: | 3 entries |
Source: | WMI Queries: | 2 entries |
Source: | File read: |
Source: | Key opened: |
Source: | File read: | 2 entries |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: | 5 entries |
Source: | Key value queried: |
Source: | File opened: |
Source: | Key opened: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Binary string: | 2 entries |
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) |
Source: | Unpacked PE file: |
Detected unpacking (creates a PE file in dynamic memory) |
Source: | Unpacked PE file: |
Detected unpacking (overwrites its own PE header) |
Source: | Unpacked PE file: |
Source: | Code function: |
Source: | Static PE information: | 2 entries |
Source: | Code function: | 8 entries |
Source: | File created: | 2 entries |
Source: | Code function: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | 51 entries |
Malware Analysis System Evasion: |
---|
Found evasive API chain (trying to detect sleep duration tampering with parallel thread) |
Source: | Function Chain: |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: | WMI Queries: |
Source: | File opened / queried: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Thread sleep time: | 5 entries |
Source: | Thread sleep count: | 2 entries |
Source: | WMI Queries: | 2 entries |
Source: | Last function: | 2 entries |
Source: | Code function: | 5 entries |
Source: | Code function: |
Source: | Binary or memory string: | 5 entries |
Source: | Process information queried: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Code function: | 6 entries |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Maps a DLL or memory area into another process |
Source: | Section loaded: |
Sample uses process hollowing technique |
Source: | Section unmapped: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Process created: |
Source: | Code function: |
Source: | Code function: |
Source: | Binary or memory string: | 5 entries |
Source: | Code function: |
Source: | Queries volume information: | 2 entries |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla |
Source: | File source: | 18 entries |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) |
Source: | Key opened: |
Tries to harvest and steal browser information (history, passwords, etc) |
Source: | File opened: | 2 entries |
Tries to harvest and steal ftp login credentials |
Source: | File opened: | 2 entries |
Tries to steal Mail credentials (via file access) |
Source: | File opened: | 2 entries |
Source: | Key opened: | 2 entries |
Source: | File source: | 2 entries |
Remote Access Functionality: |
---|
Yara detected AgentTesla |
Source: | File source: | 18 entries |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts2 | Windows Management Instrumentation211 | Valid Accounts2 | Exploitation for Privilege Escalation1 | Disable or Modify Tools11 | OS Credential Dumping2 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
Default Accounts | Native API11 | Boot or Logon Initialization Scripts | Valid Accounts2 | Deobfuscate/Decode Files or Information11 | Input Capture21 | File and Directory Discovery2 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Shared Modules1 | Logon Script (Windows) | Access Token Manipulation21 | Obfuscated Files or Information2 | Credentials in Registry1 | System Information Discovery128 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection212 | Software Packing31 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture21 | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Valid Accounts2 | LSA Secrets | Security Software Discovery251 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion14 | Cached Domain Credentials | Virtualization/Sandbox Evasion14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation21 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection212 | Proc Filesystem | Application Window Discovery11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
27% | Virustotal | |
28% | ReversingLabs | Win32.Trojan.Generic |
100% | Joe Sandbox ML | |
Dropped Files |
---|
Detection | Scanner | Label |
---|---|---|
5% | Metadefender | |
0% | ReversingLabs | |
21% | ReversingLabs | Win32.PUA.Wacapew |
Unpacked PE Files |
---|
Detection | Scanner | Label |
---|---|---|
100% | Avira | TR/Spy.Gen8 |
100% | Avira | TR/Spy.Gen8 |
100% | Avira | HEUR/AGEN.1130366 |
100% | Avira | TR/Spy.Gen8 |
100% | Avira | HEUR/AGEN.1130366 |
Domains |
---|
Detection | Scanner | Label |
---|---|---|
0% | Virustotal | |
URLs |
---|
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | Avira URL Cloud | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | Avira URL Cloud | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Reputation |
---|---|---|---|---|
polar.argondns.net | 91.210.107.22 | true | true | unknown |
Contacted URLs |
---|
Malicious | Reputation |
---|---|
true | unknown |
URLs from Memory and Binaries |
---|
Malicious | Reputation |
---|---|
false | high |
false | low |
false | unknown |
false | high |
false | high |
false | high |
false | unknown |
false | unknown |
false | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
91.210.107.22 | unknown | Russian Federation | 49335 | NCONNECT-ASRU | true |
91.210.107.54 | unknown | Russian Federation | 49335 | NCONNECT-ASRU | false |
91.210.107.62 | unknown | Russian Federation | 49335 | NCONNECT-ASRU | false |
91.210.107.53 | unknown | Russian Federation | 49335 | NCONNECT-ASRU | false |
91.210.107.52 | unknown | Russian Federation | 49335 | NCONNECT-ASRU | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 344901 |
Start date: | 27.01.2021 |
Start time: | 12:32:48 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 1s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | PO13132021.scr (renamed file extension from scr to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/5@1/5 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
12:33:46 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Samples (count) | Detection |
---|---|---|
91.210.107.22 | 3 | malicious |
91.210.107.54 | 2 | malicious |
91.210.107.62 | 1 | malicious |
91.210.107.53 | 3 | malicious |
91.210.107.52 | 2 | malicious |
Domains |
---|
Match | Associated Samples (count) | Detection |
---|---|---|
polar.argondns.net | 6 | malicious |
ASN |
---|
Match | Associated Samples (count) | Detection |
---|---|---|
NCONNECT-ASRU | 20 | malicious |
NCONNECT-ASRU | 20 | malicious |
NCONNECT-ASRU | 20 | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Samples (count) | Detection |
---|---|---|
C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe | 20 | malicious |
C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe | 8 | malicious |
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\PO13132021.exe |
Category: | dropped |
Size (bytes): | 893608 |
Entropy (8bit): | 6.620131693023677 |
Encrypted: | false |
SSDEEP: | 12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01 |
MD5: | C56B5F0201A3B3DE53E561FE76912BFD |
SHA1: | 2A4062E10A5DE813F5688221DBEB3F3FF33EB417 |
SHA-256: | 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D |
SHA-512: | 195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\PO13132021.exe |
Category: | dropped |
Size (bytes): | 291840 |
Entropy (8bit): | 7.999300065062373 |
Encrypted: | true |
SSDEEP: | 6144:kIFKOy7s3oaqBaQu90yiRK6TRjM9n0z+QfDZnd9R/kBMnF6ZbIfWwxHAz:MP7s3zqc54Kv0zbdnd9eBMnFi6/m |
MD5: | E2805AA2B24333EA055CB4524255CCDD |
SHA1: | 58715C4C2B07B940B8EF975EB4ABCCA218B7882B |
SHA-256: | 6508B1408DB51A4C59210FDEE7703D284A675460185A3BA70E060F890D7C2EA0 |
SHA-512: | C6BFE4EF983EA000FC9E9A6E6B0EAC43A1D52C2648FCC68B6DC07A3F0F6CB24D61FAC116D4ACEC76C876EAD47ED97B64D3F03BC3DC7A044F6C319314C139BD6D |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe |
Category: | dropped |
Size (bytes): | 893608 |
Entropy (8bit): | 6.570843086702839 |
Encrypted: | false |
SSDEEP: | 12288:apVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M0:aT3E53Myyzl0hMf1tr7Caw8M0 |
MD5: | 535DD1329AEF11BF4654B3270F026D5B |
SHA1: | 9C84DE0BDE8333F852120AB40710545B3F799300 |
SHA-256: | B31445FC4B8803D1B7122A6563002CFE3E925FFD1FDC9B84FBA6FC78F6A8B955 |
SHA-512: | A552E20A09A796A6E3E18DECE308880069C958CF9136BB4FC3EE726D6BC9B2F8EDDBCFF06FF9F9DED4DD268F5D0F39D516AD42ECCE6455A4BF5CF4F3CB4C4ECC |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\PO13132021.exe |
Category: | dropped |
Size (bytes): | 385136 |
Entropy (8bit): | 4.040875529182386 |
Encrypted: | false |
SSDEEP: | 96:D6fyJOogeGFlIvMxquc9JH71Qu1SqETSCmQG5mqpUJguXNR2022OdOQqOxFx7IRU:D6fggwMAuKpWIJB |
MD5: | 2FF4031E23DF3BA8CA445C0CC35B472C |
SHA1: | 97AB1DA04AB0A6DA94207C0B6BBF453520A6E615 |
SHA-256: | F2208559DB506C7F145B43755C42D4F57118A0E26CE9FC5ED60AFFE05066BFC9 |
SHA-512: | 2E675BC7838F47ABC2F3A3E3B28E49A2F7CAD449550B18EE2132503F19AE9CA6E6B6AE9EF0BA7568D03F4032BB15DE9049D97204A6B831CA730E9A31C684071E |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\PO13132021.exe |
Category: | dropped |
Size (bytes): | 1573047 |
Entropy (8bit): | 6.999007197019042 |
Encrypted: | false |
SSDEEP: | 24576:aT3E53Myyzl0hMf1tr7Caw8M0TgDFczdT/m:43EZpBh211Waw30TgDFcBC |
MD5: | C1DB9615BCC91F1C6F24F23CE98704BF |
SHA1: | AF374C57B8B9D416FAEFA381B4B99D677FB77150 |
SHA-256: | 8AEDAE19F4A93BBA5822454BC6B06CF2D4650FA44B842DA9EEEBD6DF5B4F7DC3 |
SHA-512: | DE3D0832ACCF2A8582709D02C37DEAF25A7ED29CBAC29A841CB5965A8AF1C50E115A38FF1C8902D037DE50106463A13AE4EA2F531468BDF8CB7C9377A50178FD |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.98445424363155 |
TrID: | |
File name: | PO13132021.exe |
File size: | 725929 |
MD5: | 7c4c3a12f367dcd154accce5948ebaeb |
SHA1: | b0a7b80ddd9b86a20d3a41e3423cedb341b6220c |
SHA256: | 1a1e74fbe89bed37913351432c163e204018655e51811aabb9e5fc6a06cf5887 |
SHA512: | 3309ff4fa38aca1d791683f80de67ed2ab720dab034dcb997e9985623eb57f350959ea2ae5bd542f118b703793630a6002b38356716819ef9c28b0ce704dc5a4 |
SSDEEP: | 12288:cqOdWKrdSUiJruF2ahX/gjTCSxJMbAbYTqLqPqxG9sCQPb45Yxsy:cZYA2W2QX/cTfw0sTOq/9sPbLxsy |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................d..........a4............@ |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x403461 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5F24D6E4 [Sat Aug 1 02:43:48 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | ea4e67a31ace1a72683a99b80cf37830 |
Entrypoint Preview |
---|
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 0040A130h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004080B0h] |
call dword ptr [004080C0h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042474Ch], eax |
je 00007F1FC9279883h |
push ebx |
call 00007F1FC927C9FEh |
cmp eax, ebx |
je 00007F1FC9279879h |
push 00000C00h |
call eax |
mov esi, 004082A0h |
push esi |
call 00007F1FC927C97Ah |
push esi |
call dword ptr [004080B8h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007F1FC927985Dh |
push 0000000Bh |
call 00007F1FC927C9D2h |
push 00000009h |
call 00007F1FC927C9CBh |
push 00000007h |
mov dword ptr [00424744h], eax |
call 00007F1FC927C9BFh |
cmp eax, ebx |
je 00007F1FC9279881h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F1FC9279879h |
or byte ptr [0042474Fh], 00000040h |
push ebp |
call dword ptr [00408038h] |
push ebx |
call dword ptr [00408288h] |
mov dword ptr [00424818h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 0041FD10h |
call dword ptr [0040816Ch] |
push 0040A1ECh |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x6bc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x623c | 0x6400 | False | 0.65859375 | data | 6.40257705324 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1274 | 0x1400 | False | 0.43359375 | data | 5.05749598324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x1a858 | 0x600 | False | 0.445963541667 | data | 4.08975001509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x2d000 | 0x6bc | 0x800 | False | 0.41259765625 | data | 4.23827605847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_DIALOG | 0x2d100 | 0x100 | data | English | United States |
RT_DIALOG | 0x2d200 | 0x11c | data | English | United States |
RT_DIALOG | 0x2d31c | 0x60 | data | English | United States |
RT_MANIFEST | 0x2d37c | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA |
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA |
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv |
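The static fields above can be cross-checked from first principles. The whole-file entropy of 7.98 contrasts with per-section entropies of 4.1 to 6.4, and the section raw sizes add up to only 0x8600 bytes of a 725929-byte file, so almost all of the file is data appended after the last section (an overlay) rather than mapped code or data. A `.ndata` section with zero raw size and a 0x8000 virtual size, next to the SHELL32/COMCTL32 imports listed above, matches the layout of the NSIS installer stub, whose compressed payload lives in exactly such an overlay. The Python below is an added example, not Joe Sandbox's code: it computes 8-bit Shannon entropy, the number of bytes not covered by any section, and the pefile-style imphash input over a constructed import table. Reproducing the report's Import Hash needs the import entries in the order they appear in the file's import directory, which the table on this page may not preserve, so no match with the report's value is claimed.

```python
"""Static triage helpers for the PE fields in the report above.

Added example, not Joe Sandbox code. Section sizes and file size are copied
from the report; the import table used for the imphash demo is constructed.
"""
import hashlib
import math
from collections import Counter

FILE_SIZE = 725929  # 'File size' field in the report

# (name, raw size) from the Sections table; .ndata has no raw data at all.
SECTIONS = [
    (".text", 0x6400),
    (".rdata", 0x1400),
    (".data", 0x600),
    (".ndata", 0x0),
    (".rsrc", 0x800),
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant byte,
    8.0 for uniformly distributed bytes (compressed or encrypted data sits near 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bytes_outside_sections(file_size: int, sections) -> int:
    """Bytes not mapped by any section's raw data: PE headers plus overlay.
    Raw offsets are not in the report, so the headers are included here,
    which makes the figure an upper bound on the overlay size."""
    return file_size - sum(raw for _name, raw in sections)


def imphash_input(imports) -> str:
    """The string pefile hashes for an imphash: 'dll.function' pairs in
    import-directory order, lowercased, with .dll/.ocx/.sys stripped from the
    library name, joined by commas. Ordinal imports (none shown in the report)
    would need pefile's ordinal-to-name tables and are not handled here."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the imphash input string, hex-encoded (32 characters)."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


# Constructed import table (a subset of the DLLs/functions listed above, in an
# assumed order); its hash is for demonstration, not the report's value.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileA", "WriteFile"]),
    ("ADVAPI32.dll", ["RegSetValueExA"]),
]

if __name__ == "__main__":
    print("entropy(uniform 0..255):", shannon_entropy(bytes(range(256))))
    print("entropy(zeros):", shannon_entropy(bytes(64)))
    print("bytes outside sections:", bytes_outside_sections(FILE_SIZE, SECTIONS))
    print("imphash input:", imphash_input(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
```

For this file the "bytes outside sections" figure is 691625, which is why the whole-file entropy is dominated by the overlay while every section stays well below 7. To pivot on the Import Hash in a real hunt, compute it with pefile over the binary itself rather than from a rendered table.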
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 27, 2021 12:35:08.558293104 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.22 |
Jan 27, 2021 12:35:11.559736013 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.22 |
Jan 27, 2021 12:35:17.591324091 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.22 |
Jan 27, 2021 12:35:29.609376907 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.62 |
Jan 27, 2021 12:35:32.624046087 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.62 |
Jan 27, 2021 12:35:38.640366077 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.62 |
Jan 27, 2021 12:35:50.657453060 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.53 |
Jan 27, 2021 12:35:53.656806946 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.53 |
Jan 27, 2021 12:35:59.673070908 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.53 |
Jan 27, 2021 12:36:11.731405973 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.54 |
Jan 27, 2021 12:36:14.736784935 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.54 |
Jan 27, 2021 12:36:20.745368004 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.54 |
Jan 27, 2021 12:36:32.758579016 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.52 |
Jan 27, 2021 12:36:35.774386883 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.52 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 27, 2021 12:33:30.401842117 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:30.450095892 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:31.753947973 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:31.804760933 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:34.602005005 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:34.652759075 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:35.790699959 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:35.841535091 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:37.147110939 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:37.195096016 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:38.458867073 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:38.509751081 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:39.758410931 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:39.808118105 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:40.941373110 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:40.989288092 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:42.166100025 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:42.213928938 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:43.387100935 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:43.444571018 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:44.650142908 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:44.698065996 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:45.778295994 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:45.826289892 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:46.959475994 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:47.009632111 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:33:58.304991961 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:33:58.357912064 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:34:05.511758089 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:34:05.571175098 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:34:18.137455940 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:34:18.207076073 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:34:19.361601114 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:34:19.423527956 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:34:20.439914942 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:34:20.487991095 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:34:23.978684902 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:34:24.039310932 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:35:04.093718052 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:35:04.145981073 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:35:06.202208996 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:35:06.265650034 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:35:08.458524942 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:35:08.517349958 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:21.292306900 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:21.348989964 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:21.976433992 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:22.024369001 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:22.723779917 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:22.771917105 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:23.305397034 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:23.362088919 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:23.980076075 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:24.041855097 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:24.724802971 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:24.783817053 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:25.531107903 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:25.582056046 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:26.658972979 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:26.718672037 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:28.413674116 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:28.470185995 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 12:36:28.968753099 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 12:36:29.025866032 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 27, 2021 12:35:08.458524942 CET | 192.168.2.3 | 8.8.8.8 | 0x5157 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 27, 2021 12:35:08.517349958 CET | 8.8.8.8 | 192.168.2.3 | 0x5157 | No error (0) | | | 91.210.107.22 | A (IP address) | IN (0x0001) |
Jan 27, 2021 12:35:08.517349958 CET | 8.8.8.8 | 192.168.2.3 | 0x5157 | No error (0) | | | 91.210.107.62 | A (IP address) | IN (0x0001) |
Jan 27, 2021 12:35:08.517349958 CET | 8.8.8.8 | 192.168.2.3 | 0x5157 | No error (0) | | | 91.210.107.53 | A (IP address) | IN (0x0001) |
Jan 27, 2021 12:35:08.517349958 CET | 8.8.8.8 | 192.168.2.3 | 0x5157 | No error (0) | | | 91.210.107.54 | A (IP address) | IN (0x0001) |
Jan 27, 2021 12:35:08.517349958 CET | 8.8.8.8 | 192.168.2.3 | 0x5157 | No error (0) | | | 91.210.107.52 | A (IP address) | IN (0x0001) |
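The TCP and DNS tables above show only client-to-server packets to TCP port 587 (SMTP submission), at most three per destination, all from source port 49743, and the destinations are the five A records in exactly the order the resolver returned them. No reply packets appear. The Python below is an added example, not part of the report: it parses the rows copied from the TCP Packets table, checks each burst against the Windows default SYN retransmission schedule (retries about 3 s and 9 s after the first SYN, connect failure after about 21 s, which is what an unanswered connect() produces), and checks the failover order against the DNS answer order. The assumptions are the schedule constants and the 0.5 s tolerance; everything else comes from the tables.

```python
"""Connection-attempt analysis for the TCP Packets and DNS Answers tables above.

Added example, not Joe Sandbox code. The packet rows are copied from the
report; the schedule constants and tolerance are assumptions.
"""
from datetime import datetime

# Rows copied from the report's TCP Packets table.
TCP_ROWS = """\
Jan 27, 2021 12:35:08.558293104 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.22
Jan 27, 2021 12:35:11.559736013 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.22
Jan 27, 2021 12:35:17.591324091 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.22
Jan 27, 2021 12:35:29.609376907 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.62
Jan 27, 2021 12:35:32.624046087 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.62
Jan 27, 2021 12:35:38.640366077 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.62
Jan 27, 2021 12:35:50.657453060 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.53
Jan 27, 2021 12:35:53.656806946 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.53
Jan 27, 2021 12:35:59.673070908 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.53
Jan 27, 2021 12:36:11.731405973 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.54
Jan 27, 2021 12:36:14.736784935 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.54
Jan 27, 2021 12:36:20.745368004 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.54
Jan 27, 2021 12:36:32.758579016 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.52
Jan 27, 2021 12:36:35.774386883 CET | 49743 | 587 | 192.168.2.3 | 91.210.107.52
"""

# A records from the report's DNS Answers table, in the order they were returned.
DNS_ANSWER_IPS = ["91.210.107.22", "91.210.107.62", "91.210.107.53",
                  "91.210.107.54", "91.210.107.52"]

# Assumed Windows defaults: the SYN is retransmitted 3 s after the first send
# and again 6 s after that; the connect fails 12 s later, i.e. about 21 s in.
SYN_RETRY_OFFSETS = (3.0, 9.0)
CONNECT_TIMEOUT = 21.0
TOLERANCE = 0.5


def parse_timestamp(text):
    """'Jan 27, 2021 12:35:08.558293104 CET' -> naive datetime (fraction cut to microseconds)."""
    stamp, _, _tz = text.rpartition(" ")
    base, _, frac = stamp.partition(".")
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0")))


def parse_rows(table):
    """Each table row -> (datetime, source port, dest port, source IP, dest IP)."""
    rows = []
    for line in table.strip().splitlines():
        ts, sport, dport, src, dst = [c.strip() for c in line.split("|")]
        rows.append((parse_timestamp(ts), int(sport), int(dport), src, dst))
    return rows


def group_attempts(rows):
    """Consecutive packets to the same destination form one connection attempt."""
    groups = []
    for ts, _sport, _dport, _src, dst in rows:
        if groups and groups[-1][0] == dst:
            groups[-1][1].append(ts)
        else:
            groups.append((dst, [ts]))
    return groups


def looks_like_syn_retries(times, tolerance=TOLERANCE):
    """True if every packet after the first sits at a SYN retransmission offset."""
    offsets = [(t - times[0]).total_seconds() for t in times[1:]]
    if len(offsets) > len(SYN_RETRY_OFFSETS):
        return False
    return all(abs(o - e) <= tolerance for o, e in zip(offsets, SYN_RETRY_OFFSETS))


def summarize(rows, dns_order):
    """Per-destination attempt counts, retry-schedule match, and failover order."""
    groups = group_attempts(rows)
    order = [dst for dst, _ in groups]
    starts = [times[0] for _, times in groups]
    gaps = [round((b - a).total_seconds(), 2) for a, b in zip(starts, starts[1:])]
    return {
        "destinations_in_order": order,
        "packets_per_attempt": [len(times) for _, times in groups],
        "all_attempts_match_syn_retry_schedule": all(looks_like_syn_retries(t) for _, t in groups),
        "seconds_between_attempts": gaps,
        "attempts_spaced_by_connect_timeout": all(abs(g - CONNECT_TIMEOUT) <= TOLERANCE for g in gaps),
        "failover_follows_dns_answer_order": order == dns_order[: len(order)],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(TCP_ROWS), DNS_ANSWER_IPS).items():
        print(f"{key}: {value}")
```

Read together with the DNS table, the result is that the sample resolved its mail host once, got five addresses, and walked through all of them with a failed 21 s connect each; the capture ends during the fifth attempt, which is why it has only two packets. For detection, the useful signal is a non-mail process making repeated port 587 connects that cycle through every A record of one name, not the specific addresses, which the operator can change.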
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 12:33:35 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\Desktop\PO13132021.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 725929 bytes |
MD5 hash: | 7C4C3A12F367DCD154ACCCE5948EBAEB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 12:33:36 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xab0000 |
File size: | 893608 bytes |
MD5 hash: | C56B5F0201A3B3DE53E561FE76912BFD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | moderate |
General |
---|
Start time: | 12:33:37 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 893608 bytes |
MD5 hash: | 535DD1329AEF11BF4654B3270F026D5B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|