Play interactive tour
Edit tourAnalysis Report BL Draft Copy #747470.exe
Overview
General Information
| Sample Name: | BL Draft Copy #747470.exe |
| Analysis ID: | 344998 |
| MD5: | 125158a5cec004ba7ee2910b6a835292 |
| SHA1: | 22a58409bed9a9801aa9894ceae4858fbf2c81e5 |
| SHA256: | 4bc04aa1102d1ddab6de06654183987351f5215c5cf3fe6f9cb13b3efcd99656 |
| Tags: | AgentTeslaexe |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Username: ": "CEoVwenaUi", "URL: ": "http://Jneszaj6A5TZOa4IbKa.net", "To: ": "mpdolx@yandex.com", "ByHost: ": "mail.unique-skill.com:587", "Password: ": "liyrWKt", "From: ": ""}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 5 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Scheduled temp file as task from temp location | Show sources | ||
| Source: | Author: Joe Security: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | ReversingLabs: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
Compliance: | |
|---|
| Uses 32bit PE files | Show sources | ||
| Source: | Static PE information: | ||
| Contains modern PE file flags such as dynamic base (ASLR) or NX | Show sources | ||
| Source: | Static PE information: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| C2 URLs / IPs found in malware configuration | Show sources | ||
| Source: | URLs: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Installs a global keyboard hook | Show sources | ||
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 3_2_01420A70 | |
| Source: | Window created: | Jump to behavior | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Code function: | 3_2_01426178 | |
| Source: | Code function: | 3_2_014268B0 | |
| Source: | Code function: | 3_2_01425B45 | |
| Source: | Code function: | 3_2_0142D898 | |
| Source: | Code function: | 3_2_01694750 | |
| Source: | Code function: | 3_2_01694806 | |
| Source: | Code function: | 3_2_05B7C6F0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_0142B599 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Uses schtasks.exe or at.exe to add and modify task schedules | Show sources | ||
| Source: | Process created: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM_3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File opened / queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_01420A70 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Input Capture111 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Credentials in Registry1 | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing2 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture111 | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion14 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection12 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 44% | Virustotal | Browse | ||
| 35% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML | |||
| 35% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| shared116.accountservergroup.com | 162.215.249.91 | true | false | high | |
| mail.unique-skill.com | unknown | unknown | true | unknown |
Contacted URLs |
|---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| low | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| low |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 162.215.249.91 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Emerald |
| Analysis ID: | 344998 |
| Start date: | 27.01.2021 |
| Start time: | 15:37:53 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 51s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | BL Draft Copy #747470.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 30 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/5@4/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 15:38:47 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 162.215.249.91 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| shared116.accountservergroup.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 1216 |
| Entropy (8bit): | 5.355304211458859 |
| Encrypted: | false |
| SSDEEP: | 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY |
| MD5: | 69206D3AF7D6EFD08F4B4726998856D3 |
| SHA1: | E778D4BF781F7712163CF5E2F5E7C15953E484CF |
| SHA-256: | A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87 |
| SHA-512: | CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8 |
| Malicious: | true |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1641 |
| Entropy (8bit): | 5.184319550582037 |
| Encrypted: | false |
| SSDEEP: | 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBptn:cbh47TlNQ//rydbz9I3YODOLNdq3t |
| MD5: | EA820972FA2CCF8B35D40CA1210C43A5 |
| SHA1: | F325CC00E898EB253AD5537DC3A54DCAA68E93E4 |
| SHA-256: | 47F45706B26E170F985B2883DB4DFB3943962AC5ADF8093E18D483C554DE27FF |
| SHA-512: | CE1D8673A1C8827F8687F2D849CE74CB1D9891472EB659A13027C9AB9C2522D182845B09EDA24D5BF8E7C957B4E46A067D39FC1031EB2E8E75DE26F30BB7F2FF |
| Malicious: | true |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.6970840431455908 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 |
| MD5: | 00681D89EDDB6AD25E6F4BD2E66C61C6 |
| SHA1: | 14B2FBFB460816155190377BBC66AB5D2A15F7AB |
| SHA-256: | 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 |
| SHA-512: | 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 878592 |
| Entropy (8bit): | 6.815171149795038 |
| Encrypted: | false |
| SSDEEP: | 12288:CCImHAGL08xZXMzcY8KaVumnG4ju84e+e+KBj:exLofxVU4Ge+K |
| MD5: | 125158A5CEC004BA7EE2910B6A835292 |
| SHA1: | 22A58409BED9A9801AA9894CEAE4858FBF2C81E5 |
| SHA-256: | 4BC04AA1102D1DDAB6DE06654183987351F5215C5CF3FE6F9CB13B3EFCD99656 |
| SHA-512: | A7CC602AD37DC4AC15327D22E59CA2C57C2C91231F3E89A62384BD4727D7D30BCD64E65475313A0B37EB709D8C8C7B1FBCD0270B0E4C63BE30C29F9DAB2A38C5 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.815171149795038 |
| TrID: |
|
| File name: | BL Draft Copy #747470.exe |
| File size: | 878592 |
| MD5: | 125158a5cec004ba7ee2910b6a835292 |
| SHA1: | 22a58409bed9a9801aa9894ceae4858fbf2c81e5 |
| SHA256: | 4bc04aa1102d1ddab6de06654183987351f5215c5cf3fe6f9cb13b3efcd99656 |
| SHA512: | a7cc602ad37dc4ac15327d22e59ca2c57c2c91231f3e89a62384bd4727d7d30bcd64e65475313a0b37eb709d8c8c7b1fbcd0270b0e4c63be30c29f9dab2a38c5 |
| SSDEEP: | 12288:CCImHAGL08xZXMzcY8KaVumnG4ju84e+e+KBj:exLofxVU4Ge+K |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............~.... ........... ....................................@................................ |
File Icon |
|---|
 | |
| Icon Hash: | 78e4c4ccc4c4c0c0 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x110ae87e |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x11000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x600E9011 [Mon Jan 25 09:32:01 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [11002000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae830 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x29a00 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xac884 | 0xaca00 | False | 0.675396564989 | data | 7.4641212281 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xb0000 | 0x29a00 | 0x29a00 | False | 0.118689001502 | data | 2.57748829649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xb0250 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | ||
| RT_ICON | 0xc0a78 | 0x860 | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | ||
| RT_ICON | 0xc12d8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | ||
| RT_ICON | 0xc3880 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | ||
| RT_ICON | 0xc4928 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | ||
| RT_ICON | 0xd5150 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | ||
| RT_GROUP_ICON | 0xd9378 | 0x14 | data | ||
| RT_GROUP_ICON | 0xd938c | 0x5a | data | ||
| RT_VERSION | 0xd93e8 | 0x3a4 | data | ||
| RT_MANIFEST | 0xd978c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Bharat Biotech (C) 2021 |
| Assembly Version | 48.0.31.9 |
| InternalName | AssemblyAttributesGoHereSM.exe |
| FileVersion | 48.0.31.09 |
| CompanyName | Bharat Biotech |
| LegalTrademarks | |
| Comments | BBV152 |
| ProductName | BBV152 |
| ProductVersion | 48.0.31.09 |
| FileDescription | BBV152 |
| OriginalFilename | AssemblyAttributesGoHereSM.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 01/27/21-15:40:35.387940 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| 01/27/21-15:40:39.573506 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 27, 2021 15:40:33.500226021 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:33.687643051 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:33.687750101 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:34.172257900 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:34.172804117 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:34.361555099 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:34.364537001 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:34.552763939 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:34.556365967 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:34.784570932 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:34.786215067 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:34.971618891 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:34.972244978 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:35.190584898 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:35.191073895 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:35.376176119 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:35.376306057 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:35.387939930 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:35.388271093 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:35.388468981 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:35.388636112 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:35.578268051 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:35.578305960 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:35.578315973 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:35.628073931 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:36.831295967 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:37.022589922 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:37.023705006 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:37.023778915 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:37.023808956 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:37.211483002 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:37.889930964 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:38.075484037 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:38.075812101 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:38.388313055 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:38.391540051 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:38.577089071 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:38.577860117 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:38.763447046 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:38.763978004 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:38.953967094 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:38.958499908 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.144212961 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.144929886 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.379036903 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.381092072 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.381411076 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.566580057 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.566694975 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.573129892 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.573506117 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.573797941 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.574081898 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.574393034 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.574650049 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.574857950 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.575015068 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
| Jan 27, 2021 15:40:39.758888006 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.759186983 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.759448051 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.760349989 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.760638952 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 |
| Jan 27, 2021 15:40:39.815946102 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 27, 2021 15:38:40.633764982 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:40.684362888 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:41.609376907 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:41.660146952 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:42.541364908 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:42.597834110 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:43.587028980 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:43.637615919 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:44.569364071 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:44.618776083 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:45.516994953 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:45.566935062 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:46.508770943 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:46.568001986 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:47.628586054 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:47.686671972 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:48.615596056 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:48.676919937 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:49.646852970 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:49.694704056 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:38:50.669192076 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:38:50.717133999 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:39:10.820998907 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:39:10.882679939 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:39:10.985491991 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:39:11.035700083 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:39:22.213756084 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:39:22.271456957 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:39:29.062257051 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:39:29.120871067 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:39:30.326040983 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:39:30.373845100 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:39:35.005244017 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:39:35.080034018 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:39:37.994842052 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:39:38.055236101 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:40:18.616282940 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:40:18.664115906 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:40:32.956835032 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:40:33.150487900 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:40:33.179351091 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:40:33.394534111 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:40:37.353630066 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:40:37.410239935 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:40:37.829807043 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:40:37.888125896 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:40:37.944574118 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:40:37.992598057 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:40:38.385370970 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:40:38.461071968 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:29.406645060 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:29.458532095 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:30.167496920 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:30.226586103 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:31.175510883 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:31.237050056 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:31.845662117 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:31.906846046 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:32.505964994 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:32.562412977 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:33.250128031 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:33.298245907 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:34.069631100 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:34.117554903 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:35.339411020 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:35.398880005 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:36.606127024 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:37.578093052 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:38.084826946 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:38.085246086 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3 |
| Jan 27, 2021 15:41:38.629118919 CET | 56803 | 53 | 192.168.2.3 | 8.8.8.8 |
| Jan 27, 2021 15:41:38.685359001 CET | 53 | 56803 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jan 27, 2021 15:40:32.956835032 CET | 192.168.2.3 | 8.8.8.8 | 0x938c | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jan 27, 2021 15:40:33.179351091 CET | 192.168.2.3 | 8.8.8.8 | 0x438b | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jan 27, 2021 15:40:37.353630066 CET | 192.168.2.3 | 8.8.8.8 | 0xba21 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jan 27, 2021 15:40:37.829807043 CET | 192.168.2.3 | 8.8.8.8 | 0x7cb1 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jan 27, 2021 15:40:33.150487900 CET | 8.8.8.8 | 192.168.2.3 | 0x938c | No error (0) | shared116.accountservergroup.com | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 27, 2021 15:40:33.150487900 CET | 8.8.8.8 | 192.168.2.3 | 0x938c | No error (0) | 162.215.249.91 | A (IP address) | IN (0x0001) | ||
| Jan 27, 2021 15:40:33.394534111 CET | 8.8.8.8 | 192.168.2.3 | 0x438b | No error (0) | shared116.accountservergroup.com | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 27, 2021 15:40:33.394534111 CET | 8.8.8.8 | 192.168.2.3 | 0x438b | No error (0) | 162.215.249.91 | A (IP address) | IN (0x0001) | ||
| Jan 27, 2021 15:40:37.410239935 CET | 8.8.8.8 | 192.168.2.3 | 0xba21 | No error (0) | shared116.accountservergroup.com | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 27, 2021 15:40:37.410239935 CET | 8.8.8.8 | 192.168.2.3 | 0xba21 | No error (0) | 162.215.249.91 | A (IP address) | IN (0x0001) | ||
| Jan 27, 2021 15:40:37.888125896 CET | 8.8.8.8 | 192.168.2.3 | 0x7cb1 | No error (0) | shared116.accountservergroup.com | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 27, 2021 15:40:37.888125896 CET | 8.8.8.8 | 192.168.2.3 | 0x7cb1 | No error (0) | 162.215.249.91 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Jan 27, 2021 15:40:34.172257900 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 220-shared116.accountservergroup.com ESMTP Exim 4.91 #1 Wed, 27 Jan 2021 08:40:34 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jan 27, 2021 15:40:34.172804117 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | EHLO 128757 |
| Jan 27, 2021 15:40:34.361555099 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250-shared116.accountservergroup.com Hello 128757 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jan 27, 2021 15:40:34.364537001 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | AUTH login cG1AdW5pcXVlLXNraWxsLmNvbQ== |
| Jan 27, 2021 15:40:34.552763939 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Jan 27, 2021 15:40:34.784570932 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 235 Authentication succeeded |
| Jan 27, 2021 15:40:34.786215067 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | MAIL FROM:<pm@unique-skill.com> |
| Jan 27, 2021 15:40:34.971618891 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250 OK |
| Jan 27, 2021 15:40:34.972244978 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | RCPT TO:<mpdolx@yandex.com> |
| Jan 27, 2021 15:40:35.190584898 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250 Accepted |
| Jan 27, 2021 15:40:35.191073895 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | DATA |
| Jan 27, 2021 15:40:35.376306057 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Jan 27, 2021 15:40:35.388636112 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | . |
| Jan 27, 2021 15:40:35.578315973 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250 OK id=1l4lzn-000foR-9h |
| Jan 27, 2021 15:40:36.831295967 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | QUIT |
| Jan 27, 2021 15:40:37.022589922 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 221 shared116.accountservergroup.com closing connection |
| Jan 27, 2021 15:40:38.388313055 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 220-shared116.accountservergroup.com ESMTP Exim 4.91 #1 Wed, 27 Jan 2021 08:40:38 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jan 27, 2021 15:40:38.391540051 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | EHLO 128757 |
| Jan 27, 2021 15:40:38.577089071 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250-shared116.accountservergroup.com Hello 128757 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jan 27, 2021 15:40:38.577860117 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | AUTH login cG1AdW5pcXVlLXNraWxsLmNvbQ== |
| Jan 27, 2021 15:40:38.763447046 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Jan 27, 2021 15:40:38.953967094 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 235 Authentication succeeded |
| Jan 27, 2021 15:40:38.958499908 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | MAIL FROM:<pm@unique-skill.com> |
| Jan 27, 2021 15:40:39.144212961 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250 OK |
| Jan 27, 2021 15:40:39.144929886 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | RCPT TO:<mpdolx@yandex.com> |
| Jan 27, 2021 15:40:39.381092072 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250 Accepted |
| Jan 27, 2021 15:40:39.381411076 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | DATA |
| Jan 27, 2021 15:40:39.566694975 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Jan 27, 2021 15:40:39.575015068 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | . |
| Jan 27, 2021 15:40:39.760638952 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250 OK id=1l4lzr-000fvO-Fq |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 15:38:45 |
| Start date: | 27/01/2021 |
| Path: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe0000 |
| File size: | 878592 bytes |
| MD5 hash: | 125158A5CEC004BA7EE2910B6A835292 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 15:38:49 |
| Start date: | 27/01/2021 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1110000 |
| File size: | 185856 bytes |
| MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 15:38:49 |
| Start date: | 27/01/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2800000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 15:38:50 |
| Start date: | 27/01/2021 |
| Path: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc00000 |
| File size: | 878592 bytes |
| MD5 hash: | 125158A5CEC004BA7EE2910B6A835292 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 00A7D4A0, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A7D3B4, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A8D01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A8D006, Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A7D3AF, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A7D49B, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A7D731, Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A7D730, Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
Function 01420A70, Relevance: 28.0, APIs: 18, Instructions: 984keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014268B0, Relevance: .9, Instructions: 890COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01425B45, Relevance: .5, Instructions: 514COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01426178, Relevance: .4, Instructions: 445COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01694750, Relevance: .3, Instructions: 312COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01694806, Relevance: .2, Instructions: 250COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420A91, Relevance: 26.1, APIs: 17, Instructions: 637keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420AD6, Relevance: 26.1, APIs: 17, Instructions: 628keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420B12, Relevance: 26.1, APIs: 17, Instructions: 621keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420B4E, Relevance: 26.1, APIs: 17, Instructions: 616keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420B93, Relevance: 26.1, APIs: 17, Instructions: 609keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420BD8, Relevance: 26.1, APIs: 17, Instructions: 602keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420C1D, Relevance: 24.6, APIs: 16, Instructions: 595keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420C62, Relevance: 23.1, APIs: 15, Instructions: 588keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420CA7, Relevance: 21.6, APIs: 14, Instructions: 581keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420CEC, Relevance: 21.6, APIs: 14, Instructions: 574keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420D47, Relevance: 20.1, APIs: 13, Instructions: 563keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420D8C, Relevance: 20.1, APIs: 13, Instructions: 556keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420DD1, Relevance: 20.0, APIs: 13, Instructions: 549keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420E16, Relevance: 20.0, APIs: 13, Instructions: 542keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420E5B, Relevance: 20.0, APIs: 13, Instructions: 533keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420E97, Relevance: 20.0, APIs: 13, Instructions: 526keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420ED3, Relevance: 20.0, APIs: 13, Instructions: 521keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420F18, Relevance: 20.0, APIs: 13, Instructions: 514keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420F5D, Relevance: 20.0, APIs: 13, Instructions: 507keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420FA2, Relevance: 18.5, APIs: 12, Instructions: 500keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01420FE7, Relevance: 17.0, APIs: 11, Instructions: 493keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0142102C, Relevance: 17.0, APIs: 11, Instructions: 486keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421071, Relevance: 17.0, APIs: 11, Instructions: 477keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014210AD, Relevance: 17.0, APIs: 11, Instructions: 470keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014210E9, Relevance: 17.0, APIs: 11, Instructions: 465keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0142112E, Relevance: 15.5, APIs: 10, Instructions: 458keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421173, Relevance: 15.5, APIs: 10, Instructions: 451keyboardlibrarywindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014217C8, Relevance: 6.2, APIs: 4, Instructions: 237COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421826, Relevance: 6.2, APIs: 4, Instructions: 226COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0142186E, Relevance: 4.7, APIs: 3, Instructions: 219COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014218B6, Relevance: 4.7, APIs: 3, Instructions: 212COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014218FE, Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421946, Relevance: 4.7, APIs: 3, Instructions: 198COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0142198E, Relevance: 4.7, APIs: 3, Instructions: 191COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014219D6, Relevance: 3.2, APIs: 2, Instructions: 184COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01693EB8, Relevance: 1.8, APIs: 1, Instructions: 280COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421A1E, Relevance: 1.7, APIs: 1, Instructions: 177COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421A66, Relevance: 1.7, APIs: 1, Instructions: 170COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421AAE, Relevance: 1.7, APIs: 1, Instructions: 161COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0169516F, Relevance: 1.7, APIs: 1, Instructions: 161COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421AEA, Relevance: 1.7, APIs: 1, Instructions: 156COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421B32, Relevance: 1.6, APIs: 1, Instructions: 149COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01421B7A, Relevance: 1.6, APIs: 1, Instructions: 142COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016951F0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016969C4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01696DD2, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01696DD8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0169BE59, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0169BE68, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01692F8C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0169420A, Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016941E0, Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 011FD53C, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 011FD537, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 0142D898, Relevance: .4, Instructions: 378COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05B7C6F0, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |