Analysis Report NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 1 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Scheduled temp file as task from temp location | Show sources |
Source: | Author: Joe Security: |
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for dropped file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Compliance: |
---|
Uses 32bit PE files | Show sources |
Source: | Static PE information: |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Show sources |
Source: | Static PE information: |
Source: | Code function: | 0_2_0586D820 |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | FTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Installs a global keyboard hook | Show sources |
Source: | Windows user hook set: | Jump to behavior |
Source: | Window created: | Jump to behavior |
System Summary: |
---|
Initial sample is a PE file and has a suspicious name | Show sources |
Source: | Static PE information: |
Source: | Code function: | 0_2_02D4C2B0 | |
Source: | Code function: | 0_2_02D49990 | |
Source: | Code function: | 0_2_0586E058 | |
Source: | Code function: | 0_2_05867140 | |
Source: | Code function: | 0_2_0586303D | |
Source: | Code function: | 0_2_05860C80 | |
Source: | Code function: | 0_2_05860C90 | |
Source: | Code function: | 0_2_05860A28 | |
Source: | Code function: | 0_2_05860A38 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Uses schtasks.exe or at.exe to add and modify task schedules | Show sources |
Source: | Process created: |
Source: | Registry key monitored for changes: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion: |
---|
Yara detected AntiVM_3 | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | File opened / queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources |
Source: | Key opened: | Jump to behavior |
Tries to harvest and steal browser information (history, passwords, etc) | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Tries to harvest and steal ftp login credentials | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Tries to steal Mail credentials (via file access) | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Remote Access Functionality: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection11 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Alternative Protocol1 | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Obfuscated Files or Information2 | Input Capture11 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing2 | Credentials in Registry1 | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture11 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion14 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection11 | Cached Domain Credentials | Process Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
32% | Virustotal | Browse | ||
13% | ReversingLabs | Win32.Trojan.Pwsx | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
32% | Virustotal | Browse | ||
13% | ReversingLabs | Win32.Trojan.Pwsx |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ftp.softg.com.ng | 104.194.10.93 | true | true |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false |
| unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.194.10.93 | unknown | United States | 23470 | RELIABLESITEUS | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 344914 |
Start date: | 27.01.2021 |
Start time: | 13:08:58 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 34 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@8/5@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
13:09:50 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
104.194.10.93 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ftp.softg.com.ng | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
RELIABLESITEUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
File Type: | |
Category: | modified |
Size (bytes): | 1400 |
Entropy (8bit): | 5.344635889251176 |
Encrypted: | false |
SSDEEP: | 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEg:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHV |
MD5: | 394E646B019FF472CE37EE76A647A27F |
SHA1: | BD5872D88EE9CD2299B5F0E462C53D9E7040D6DA |
SHA-256: | 2295A0B1F6ACD75FB5D038ADE65725EDF3DDF076107AEA93E4A864E35974AE2A |
SHA-512: | 7E95510C85262998AECC9A06A73A5BF6352304AF6EE143EC7E48A17473773F33A96A2F4146446444789B8BCC9B83372A227DC89C3D326A2E142BCA1E1A9B4809 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1643 |
Entropy (8bit): | 5.195182470319441 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBcGNtn:cbh47TlNQ//rydbz9I3YODOLNdq33 |
MD5: | ADEE0252C1A3D7ED8D4CB921540B6F23 |
SHA1: | 4D56F7BC41FC5E4FE77CBBB918438F3F94106A0D |
SHA-256: | F7BB8C231A66C342AFC46F0548E6566C64C5B303A2697AD75C35898B098AB4F2 |
SHA-512: | 0C33F4A493DDA164AAC9F7D72DDA95BEBD6CA3507A7DDAE21E30B32011932812AA18AF9DC4810DC560DD0AB63F2A5C58C626F2FDFE881DA4149944F79A7CE924 |
Malicious: | true |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 20480 |
Entropy (8bit): | 0.6970840431455908 |
Encrypted: | false |
SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 |
MD5: | 00681D89EDDB6AD25E6F4BD2E66C61C6 |
SHA1: | 14B2FBFB460816155190377BBC66AB5D2A15F7AB |
SHA-256: | 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 |
SHA-512: | 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1047040 |
Entropy (8bit): | 7.618993069202847 |
Encrypted: | false |
SSDEEP: | 12288:6Uv/K5l68aT0CEaZtyakQ/wuBYPsIoHb+nlzZsWsE2SfnGLf/VwbN4+vtE+LtZ/W:9v/K5l68aT8aknsGoE2SOLlwqYTfV |
MD5: | 6AC388BC55E9B10F193B3E0BC0FF4AF6 |
SHA1: | C3C2E865B6B41AD7AF8108EFCE76F1623E9B248E |
SHA-256: | B813D2ED2581E4E3A454152E2DBD93C522583E4274D0523C8E3D424D9D192342 |
SHA-512: | 0D55B2EDD43412143F38BAD132C3A3A2219610C874B0C2CD4F293CB1692D6FA7283DECAD76FD0AE3B00C4596454A389C454FBF5F0E5B73AD8F88E22F7FA591A5 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.618993069202847 |
TrID: |
|
File name: | NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
File size: | 1047040 |
MD5: | 6ac388bc55e9b10f193b3e0bc0ff4af6 |
SHA1: | c3c2e865b6b41ad7af8108efce76f1623e9b248e |
SHA256: | b813d2ed2581e4e3a454152e2dbd93c522583e4274d0523c8e3d424d9d192342 |
SHA512: | 0d55b2edd43412143f38bad132c3a3a2219610c874b0c2cd4f293cb1692d6fa7283decad76fd0ae3b00c4596454a389c454fbf5f0e5b73ad8f88e22f7fa591a5 |
SSDEEP: | 12288:6Uv/K5l68aT0CEaZtyakQ/wuBYPsIoHb+nlzZsWsE2SfnGLf/VwbN4+vtE+LtZ/W:9v/K5l68aT8aknsGoE2SOLlwqYTfV |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ... ....@.. .......................`............@................................ |
File Icon |
---|
Icon Hash: | 92929e929e9e8ee2 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4f048e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x601102C5 [Wed Jan 27 06:05:57 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf043c | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x10f8c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x104000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xee494 | 0xee600 | False | 0.777965431633 | data | 7.67475810691 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xf2000 | 0x10f8c | 0x11000 | False | 0.177418428309 | data | 5.41082924128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x104000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xf2130 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 318767104, next used block 117440512 | ||
RT_GROUP_ICON | 0x102958 | 0x14 | data | ||
RT_VERSION | 0x10296c | 0x434 | data | ||
RT_MANIFEST | 0x102da0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | 2021 (C) AuditFlags International |
Assembly Version | 11.84.0.0 |
InternalName | LCIDConversionAttribute.exe |
FileVersion | 11.84.0.0 |
CompanyName | AuditFlags International |
LegalTrademarks | AuditFlags |
Comments | Non Versionable Attribute |
ProductName | Non Versionable Attribute |
ProductVersion | 11.84.0.0 |
FileDescription | Non Versionable Attribute |
OriginalFilename | LCIDConversionAttribute.exe |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/27/21-13:11:36.340839 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
01/27/21-13:11:36.474169 | TCP | 2029928 | ET TROJAN AgentTesla HTML System Info Report Exfil via FTP | 49748 | 52972 | 192.168.2.3 | 104.194.10.93 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 27, 2021 13:11:35.085513115 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:35.213593006 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.213752031 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:35.343816996 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.345099926 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:35.472048044 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.472098112 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.472773075 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:35.641906023 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.686135054 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.686456919 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:35.813783884 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.813811064 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.814070940 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:35.941620111 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:35.942395926 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.069355965 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:36.069767952 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.197118044 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:36.200633049 CET | 49748 | 52972 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.241496086 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.340318918 CET | 52972 | 49748 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:36.340486050 CET | 49748 | 52972 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.340838909 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.469507933 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:36.474169016 CET | 49748 | 52972 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.475358963 CET | 49748 | 52972 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.522949934 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.602929115 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:36.613097906 CET | 52972 | 49748 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:36.614379883 CET | 52972 | 49748 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:36.614541054 CET | 49748 | 52972 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:36.647816896 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.340321064 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.469654083 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:37.470866919 CET | 49749 | 62110 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.522872925 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.602408886 CET | 62110 | 49749 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:37.602633953 CET | 49749 | 62110 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.602966070 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.732239008 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:37.733433008 CET | 49749 | 62110 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.733495951 CET | 49749 | 62110 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.772897959 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.865151882 CET | 62110 | 49749 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:37.865200043 CET | 62110 | 49749 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:37.865230083 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 |
Jan 27, 2021 13:11:37.865267038 CET | 49749 | 62110 | 192.168.2.3 | 104.194.10.93 |
Jan 27, 2021 13:11:37.913544893 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 27, 2021 13:09:43.696324110 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:43.744245052 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:44.657226086 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:44.708415031 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:45.613053083 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:45.663837910 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:46.983957052 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:47.037990093 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:48.398194075 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:48.448151112 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:49.714911938 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:49.765640020 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:50.927064896 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:50.977127075 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:51.875458002 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:51.923460960 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:53.004487038 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:53.063175917 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:54.353805065 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:54.403966904 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:55.412123919 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:55.469188929 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:56.404776096 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:56.452795029 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:09:57.370848894 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:09:57.420466900 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:11.790249109 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:11.842590094 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:16.369446039 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:16.432280064 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:22.367731094 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:22.427658081 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:32.740448952 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:32.813951015 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:32.843992949 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:32.893315077 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:34.375591993 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:34.426392078 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:37.813103914 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:37.873816013 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:39.467014074 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:39.515470982 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:10:40.021414995 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:10:40.086673975 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:11:17.730375051 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:11:18.723169088 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:11:34.787712097 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:11:34.965647936 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:35.638895988 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:35.697612047 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:36.330755949 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:36.389739990 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:37.556020021 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:37.618256092 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:38.274713993 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:38.334306002 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:38.893723965 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:38.953238964 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:39.670677900 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:39.730005980 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:40.632364035 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:40.696209908 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:41.681993008 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:41.744244099 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:43.102271080 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:43.166619062 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3 |
Jan 27, 2021 13:12:43.747852087 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 27, 2021 13:12:43.804404020 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 27, 2021 13:11:34.787712097 CET | 192.168.2.3 | 8.8.8.8 | 0xe293 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 27, 2021 13:11:34.965647936 CET | 8.8.8.8 | 192.168.2.3 | 0xe293 | No error (0) | 104.194.10.93 | A (IP address) | IN (0x0001) |
FTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jan 27, 2021 13:11:35.343816996 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity. |
Jan 27, 2021 13:11:35.345099926 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | USER ogd@blessedxmhk.com.ng |
Jan 27, 2021 13:11:35.472098112 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 331 User ogd@blessedxmhk.com.ng OK. Password required |
Jan 27, 2021 13:11:35.472773075 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | PASS wealth@123455@@ |
Jan 27, 2021 13:11:35.686135054 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 230 OK. Current restricted directory is / |
Jan 27, 2021 13:11:35.813811064 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 504 Unknown command |
Jan 27, 2021 13:11:35.814070940 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | PWD |
Jan 27, 2021 13:11:35.941620111 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 257 "/" is your current location |
Jan 27, 2021 13:11:35.942395926 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | TYPE I |
Jan 27, 2021 13:11:36.069355965 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 200 TYPE is now 8-bit binary |
Jan 27, 2021 13:11:36.069767952 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | PASV |
Jan 27, 2021 13:11:36.197118044 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 227 Entering Passive Mode (104,194,10,93,206,236) |
Jan 27, 2021 13:11:36.340838909 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | STOR PW_user-960781_2021_01_27_16_10_24.html |
Jan 27, 2021 13:11:36.469507933 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 150 Accepted data connection |
Jan 27, 2021 13:11:36.602929115 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 226-File successfully transferred 226-File successfully transferred226 0.133 seconds (measured here), 3.28 Kbytes per second |
Jan 27, 2021 13:11:37.340321064 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | PASV |
Jan 27, 2021 13:11:37.469654083 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 227 Entering Passive Mode (104,194,10,93,242,158) |
Jan 27, 2021 13:11:37.602966070 CET | 49747 | 21 | 192.168.2.3 | 104.194.10.93 | STOR CO_user-960781_2021_01_27_16_10_59.zip |
Jan 27, 2021 13:11:37.732239008 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 150 Accepted data connection |
Jan 27, 2021 13:11:37.865230083 CET | 21 | 49747 | 104.194.10.93 | 192.168.2.3 | 226-File successfully transferred 226-File successfully transferred226 0.131 seconds (measured here), 9.84 Kbytes per second |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 13:09:49 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x920000 |
File size: | 1047040 bytes |
MD5 hash: | 6AC388BC55E9B10F193B3E0BC0FF4AF6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 13:09:52 |
Start date: | 27/01/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1350000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:09:52 |
Start date: | 27/01/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:09:53 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 1047040 bytes |
MD5 hash: | 6AC388BC55E9B10F193B3E0BC0FF4AF6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 13:09:53 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xed0000 |
File size: | 1047040 bytes |
MD5 hash: | 6AC388BC55E9B10F193B3E0BC0FF4AF6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 0586E058, Relevance: .6, Instructions: 612COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D4B0D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D4C028, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51libraryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 0586303D, Relevance: 1.4, Strings: 1, Instructions: 199COMMON
Strings |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D4C2B0, Relevance: .5, Instructions: 520COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D49990, Relevance: .3, Instructions: 265COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05867140, Relevance: .2, Instructions: 236COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05860A28, Relevance: .2, Instructions: 151COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05860A38, Relevance: .1, Instructions: 145COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05860C90, Relevance: .1, Instructions: 101COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05860C80, Relevance: .1, Instructions: 100COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0586D820, Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |