Analysis Report Deadly Variants of Covid 19.doc
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
Unpacked PEs |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Droppers Exploiting CVE-2017-11882 | Author: Florian Roth |
Sigma detected: EQNEDT32.EXE connecting to internet | Author: Joe Security |
Sigma detected: File Dropped By EQNEDT32EXE | Author: Joe Security |
Sigma detected: Scheduled temp file as task from temp location | Author: Joe Security |
Sigma detected: Executables Started in Suspicious Folder | Author: Florian Roth |
Sigma detected: Execution in Non-Executable Folder | Author: Florian Roth |
Sigma detected: Suspicious Program Location Process Starts | Author: Florian Roth |
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for dropped file |
Source: | ReversingLabs: | (3 entries) |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: | (3 entries) |
Source: | Avira: |
Exploits: |
---|
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802) |
Source: | Process created: | (2 entries) |
Compliance: |
---|
Uses new MSVCR Dlls |
Source: | File opened: |
Source: | Code function: | (4 entries) |
Source: | DNS query: |
Source: | TCP traffic: | (2 entries) |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
Connects to a URL shortener service |
Source: | DNS query: |
Uses dynamic DNS services |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | IP Address: | (3 entries) |
Source: | ASN Name: |
Source: | HTTP traffic detected: | (2 entries) |
Source: | File created: |
Source: | HTTP traffic detected: | (2 entries) |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | (24 entries) |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected AsyncRAT |
Source: | File source: | (9 entries) |
System Summary: |
---|
Office equation editor drops PE file |
Source: | File created: | (2 entries) |
Source: | Memory allocated: | (4 entries) |
Source: | Code function: | (35 entries) |
Source: | Base64 encoded string: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Console Write: |
Source: | Section loaded: | (2 entries) |
Source: | File read: |
Source: | Key opened: |
Source: | File read: | (3 entries) |
Source: | Binary or memory string: | (2 entries) |
Source: | ReversingLabs: |
Source: | Process created: | (8 entries) |
Source: | Key value queried: |
Source: | Window detected: |
Source: | File opened: |
Source: | Key opened: |
Source: | File opened: |
Source: | Code function: |
Source: | File created: | (3 entries) |
Source: | File created: |
Source: | File created: |
Boot Survival: |
---|
Yara detected AsyncRAT |
Source: | File source: | (9 entries) |
Drops PE files to the user root directory |
Source: | File created: |
Uses schtasks.exe or at.exe to add and modify task schedules |
Source: | Process created: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | (117 entries) |
Malware Analysis System Evasion: |
---|
Yara detected AntiVM_3 |
Source: | File source: | (3 entries) |
Yara detected AsyncRAT |
Source: | File source: | (9 entries) |
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) |
Source: | WMI Queries: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: | (3 entries) |
Source: | Registry key queried: | (4 entries) |
Source: | Thread delayed: | (2 entries) |
Source: | Window / User API: | (2 entries) |
Source: | Thread sleep time: | (7 entries) |
Source: | Thread sleep count: | (3 entries) |
Source: | File Volume queried: |
Source: | Binary or memory string: | (11 entries) |
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Injects a PE file into a foreign process |
Source: | Memory written: |
Source: | Process created: | (3 entries) |
Source: | Binary or memory string: | (7 entries) |
Source: | Queries volume information: | (2 entries) |
Source: | Code function: |
Source: | Key value queried: |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
Yara detected AsyncRAT |
Source: | File source: | (9 entries) |
Source: | WMI Queries: |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Spearphishing Link1 | Windows Management Instrumentation11 | Scheduled Task/Job2 | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping | Account Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | Scheduled Task/Job2 | Obfuscated Files or Information121 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Logon Script (Windows) | Software Packing1 | Security Account Manager | System Information Discovery14 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | Scheduled Task/Job2 | Logon Script (Mac) | Logon Script (Mac) | Masquerading121 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion13 | LSA Secrets | Security Software Discovery321 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol112 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection112 | Cached Domain Credentials | Virtualization/Sandbox Evasion13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Process Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 26% | ReversingLabs | Document-RTF.Exploit.MathType | |
Dropped Files |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 100% | Joe Sandbox ML | | |
| | 100% | Joe Sandbox ML | | |
| | 100% | Joe Sandbox ML | | |
| | 11% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
| | 11% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
| | 11% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
Unpacked PE Files |
---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| | 100% | Avira | HEUR/AGEN.1133757 | | |
| | 100% | Avira | TR/Dropper.Gen | | |
Domains |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 2% | Virustotal | | |
URLs |
---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bit.ly | 67.199.248.10 | true | false | | high |
| greatestyear2021.ddns.net | 79.134.225.49 | true | true | | unknown |
| sgkmudder.org.tr | 93.89.224.134 | true | false | | unknown |
Contacted URLs |
---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| | false | | unknown |
| | false | | high |
URLs from Memory and Binaries |
---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | low |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | low |
| | | false | | high |
| | | false | | high |
Contacted IPs |
---|
Public |
---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 79.134.225.49 | unknown | Switzerland | | 6775 | FINK-TELECOM-SERVICESCH | true |
| 93.89.224.134 | unknown | Turkey | | 51557 | TR-FBSTR | false |
| 67.199.248.10 | unknown | United States | | 396982 | GOOGLE-PRIVATE-CLOUDUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 356233 |
Start date: | 22.02.2021 |
Start time: | 19:51:43 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Deadly Variants of Covid 19.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winDOC@8/18@3/3 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
19:52:37 | API Interceptor | |
19:52:42 | API Interceptor | |
19:52:50 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
79.134.225.49 | 5 associated samples (names and hashes not captured) | | malicious | | |
93.89.224.134 | 11 associated samples (names and hashes not captured) | | malicious | | |
67.199.248.10 | 20 associated samples (names and hashes not captured) | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
bit.ly | 20 associated samples (names and hashes not captured) | | malicious | | |
sgkmudder.org.tr | 11 associated samples (names and hashes not captured) | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
FINK-TELECOM-SERVICESCH | 20 associated samples (names and hashes not captured) | | malicious | | |
GOOGLE-PRIVATE-CLOUDUS | 20 associated samples (names and hashes not captured) | | malicious | | |
TR-FBSTR | 20 associated samples (names and hashes not captured) | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\Public\69577.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59134 |
Entropy (8bit): | 7.995450161616763 |
Encrypted: | true |
SSDEEP: | 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk |
MD5: | E92176B0889CC1BB97114BEB2F3C1728 |
SHA1: | AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443 |
SHA-256: | 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3 |
SHA-512: | CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: | |
Process: | C:\Users\Public\69577.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.090852246460565 |
Encrypted: | false |
SSDEEP: | 6:kKOsPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:7W3kPlE99SNxAhUeo+aKt |
MD5: | 4C263222F99F8CCD3BFF78D11287343A |
SHA1: | EE20F124605FDE40B3F6CEE545E8D0D9D69F7538 |
SHA-256: | 6F6ECD80E49016ECD6284D61DF45B979CA2C27112B6E4E1FE0DD09260BE75D77 |
SHA-512: | B87A0B87DBFDCD02EB3FF34E9FF9E9B56D73277E2E50703BAA1B03634030BADEDDCDD952CFB1061699B9BB8271AAEB5C3D63D6E415A24C7913B5CD8A9B61162A |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 1143808 |
Entropy (8bit): | 6.509278540577558 |
Encrypted: | false |
SSDEEP: | 12288:GRe0EHIOjYgydfAv9kmIdffnlyMNZVjswXXyyWp+X117FlTxvrvt:TVydf2IdffY+rwwX77FlTxR |
MD5: | DCCD2F6A61F8D95552863B537F2B6698 |
SHA1: | 62C9D1B5C489133CBC0F19F3902724847BBFD765 |
SHA-256: | 3266A27BD3BB930017AA09BC7483AB2E047292B47F9D9C5796C02FA566D00CFE |
SHA-512: | E63F98F144CF843D1A920C37A9BBB689F3ACF11697637DB70636C842323805A5E3FC2DEDBAE9CC53FB5FEBC4D8D2E37E0E5BE3E59EDD6FEE44A90FB92699FFE3 |
Malicious: | true |
Antivirus: | |
Reputation: | low |
IE Cache URL: | http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg |
Preview: | |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 133 |
Entropy (8bit): | 4.839899666314567 |
Encrypted: | false |
SSDEEP: | 3:qVvzLURODccZ/vXbvx9nDyiNCU1SLxKRGhEPGRHFSXbKFvNGb:qFzLIeco3XLx92iQU3cEPWSLWQb |
MD5: | 88C573C24367B4A46F244961AB26A151 |
SHA1: | 3A8C4FC70ACD33D906DA6F34169FF5554B0E82D4 |
SHA-256: | 1C33F2A85277E75A8BE212C6CBC947DC1AC6BDD9162132386A91FFE303314429 |
SHA-512: | C49661A08AEBC5D2C1A93BC8F8BDA3B0C2585F6F076DC61BFB80B2D14F546C56F76DB035B6725B459823E4948E52BFC8E5EF163949B642340049F8F22B85994A |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1474130 |
Entropy (8bit): | 4.189631552288507 |
Encrypted: | false |
SSDEEP: | 24576:j7np9HpHZHSHVVndnVsHtHBPDHnbnnrHzHfH7Ho0nonQEHtHnHF:jbnJ5y1V9aNhLH7rT/bIkYfNHl |
MD5: | 7C382FAFE594F20C1C7308821CF166C4 |
SHA1: | 8200943429016BB115C69F2E9E0F102E85CD44D8 |
SHA-256: | 45503DF30500D85200E4F8E266467C6B894940BF0A52D9FAC49CC88BE619A276 |
SHA-512: | 54B4925EE55D2A17D8DF9DAF19B22A9617A62697D889A3C83697CD812A8F5294C5531D4526871E7F78C627A34A408F059021D2102E677785A100B5D53A1DDF17 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 1.3555252507007243 |
Encrypted: | false |
SSDEEP: | 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbG:IiiiiiiiiifdLloZQc8++lsJe1Mzh |
MD5: | 612870F14611A2846F34F3E170825E80 |
SHA1: | 721433825DFB55328F6D5FE264C74AECDC016C16 |
SHA-256: | A1BA57C7E4DB0AF82EA6DFA91F2DE55C40DAA9E5BC995CA4BDCFA3E9E8348A1D |
SHA-512: | 8C1095E5D14A48CB9178CCEE20976FD7AC1CF0F6ED5535EB39EED4354435DF418AB523EE895F8EFF8E8DE78D8A447918A965DEAF6C6C0EB634BD1694CBF549B2 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\Public\69577.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59134 |
Entropy (8bit): | 7.995450161616763 |
Encrypted: | true |
SSDEEP: | 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk |
MD5: | E92176B0889CC1BB97114BEB2F3C1728 |
SHA1: | AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443 |
SHA-256: | 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3 |
SHA-512: | CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\Public\69577.exe |
File Type: | |
Category: | modified |
Size (bytes): | 152788 |
Entropy (8bit): | 6.316654432555028 |
Encrypted: | false |
SSDEEP: | 1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx |
MD5: | 64FEDADE4387A8B92C120B21EC61E394 |
SHA1: | 15A2673209A41CCA2BC3ADE90537FE676010A962 |
SHA-256: | BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745 |
SHA-512: | 655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\Public\69577.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1619 |
Entropy (8bit): | 5.144232284026302 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBBtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3V |
MD5: | 670E506D7A13CDF1A7EDA14E5533D0EE |
SHA1: | 670E6321EE31AC7BCC58B1EA48B82E8676FA30E0 |
SHA-256: | 4723B0312E0807A682EFC2672E778A957AF005EE722656F1A98227D816E7ECB4 |
SHA-512: | 54C615BAFAAD04592CC866C974DA3796577910B258CF689B6C50C0F951424D5456B6BB0DE72001E415DC58ED999C7D4F4DD7AE319A17FD57EB925533E779A93E |
Malicious: | true |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2198 |
Entropy (8bit): | 4.5804577209594095 |
Encrypted: | false |
SSDEEP: | 48:8mg/XT0jFCkMGr1qQh2mg/XT0jFCkMGr1qQ/:8z/XojFCorAQh2z/XojFCorAQ/ |
MD5: | 214DE48BB7AB3394487ED65A59720EE4 |
SHA1: | 69906D7D7F6E81438464CDA474220ED1E80099DA |
SHA-256: | 9C74F780B3A246C5F12CA814CADAE25408C6EA1C7836F23FD1E0D92B9835F740 |
SHA-512: | CCC50159FCFF8244A5E213045A7EBFE268126325B32087F4C07333633C097335787C6A8E1A08CF79B21629077ACFA00429FD4741C4B321612A598187C0344181 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 119 |
Entropy (8bit): | 4.715190191727231 |
Encrypted: | false |
SSDEEP: | 3:M1WoUzg0Fo5Ezg0FomX1WoUzg0Fov:MU7FFyEFFu7FFy |
MD5: | F5B042E282283867959C5C4DC006A269 |
SHA1: | 46AED4B701DD3CF1283F01E3284575073231499E |
SHA-256: | E0FFBF41794378ABE8041471D6044D8AAD0AF014C35005E2C9803DC4E1E4EBB0 |
SHA-512: | 8C9AD60F956B9855762689C284FE04B746B69A6CDBE0FE19F8E52869777C5C0060BE028F3BA140C50EE7F2070822A8B8283528F94403C1B9F1FD3921775C40DC |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2 |
Entropy (8bit): | 1.0 |
Encrypted: | false |
SSDEEP: | 3:Qn:Qn |
MD5: | F3B25701FE362EC84616A93A45CE9998 |
SHA1: | D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB |
SHA-256: | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
SHA-512: | 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84 |
Malicious: | false |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 90 |
Entropy (8bit): | 4.346866086240761 |
Encrypted: | false |
SSDEEP: | 3:jvQl5EEdAcAKgGIqkYi2SSz3LRQLWgVdTmy:21CcTDIqji2R3dgVdTz |
MD5: | FC0E959CB4BBA53D9D57ED91323DC910 |
SHA1: | EC318BF5B96F688BE0F48F6E765B59C6C380704D |
SHA-256: | 203AC0200F37AEC3B1EF816C1FDC91CC78ABEF0417C8756D5D0CB0860826ECDB |
SHA-512: | 5555C234266A7C5035CC5E5ED070EE005737CBAC077B0896BFFA9A57AD42A14DE72F7C67BF1502CCB5A1128461636F2D7BAC352A82DB14418FB465DF996F37C4 |
Malicious: | false |
IE Cache URL: | bit.ly/ |
Process: | C:\Users\Public\69577.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1143808 |
Entropy (8bit): | 6.509278540577558 |
Encrypted: | false |
SSDEEP: | 12288:GRe0EHIOjYgydfAv9kmIdffnlyMNZVjswXXyyWp+X117FlTxvrvt:TVydf2IdffY+rwwX77FlTxR |
MD5: | DCCD2F6A61F8D95552863B537F2B6698 |
SHA1: | 62C9D1B5C489133CBC0F19F3902724847BBFD765 |
SHA-256: | 3266A27BD3BB930017AA09BC7483AB2E047292B47F9D9C5796C02FA566D00CFE |
SHA-512: | E63F98F144CF843D1A920C37A9BBB689F3ACF11697637DB70636C842323805A5E3FC2DEDBAE9CC53FB5FEBC4D8D2E37E0E5BE3E59EDD6FEE44A90FB92699FFE3 |
Malicious: | true |
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
Malicious: | false |
Process: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1143808 |
Entropy (8bit): | 6.509278540577558 |
Encrypted: | false |
SSDEEP: | 12288:GRe0EHIOjYgydfAv9kmIdffnlyMNZVjswXXyyWp+X117FlTxvrvt:TVydf2IdffY+rwwX77FlTxR |
MD5: | DCCD2F6A61F8D95552863B537F2B6698 |
SHA1: | 62C9D1B5C489133CBC0F19F3902724847BBFD765 |
SHA-256: | 3266A27BD3BB930017AA09BC7483AB2E047292B47F9D9C5796C02FA566D00CFE |
SHA-512: | E63F98F144CF843D1A920C37A9BBB689F3ACF11697637DB70636C842323805A5E3FC2DEDBAE9CC53FB5FEBC4D8D2E37E0E5BE3E59EDD6FEE44A90FB92699FFE3 |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.324998517598124 |
File name: | Deadly Variants of Covid 19.doc |
File size: | 833197 |
MD5: | 3d9171d094dae1fb8da244756dd9733c |
SHA1: | 91e43ec7a21e7e8c1fc2a6202ca3545974084ad2 |
SHA256: | 4d1bde540b3c45739e1d8cff08e801ccb6ff9caad391109dc298b011a914e57c |
SHA512: | 3c612f02b4f3ae3113f08af66325cee173eede0bd7ff366048c2a86279c3dc9d6fa23e5e6d105d7d4dca5fb3c993e1b57f9674d3ccd70b79cb5b689043538eac |
SSDEEP: | 24576:GaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaCaO7v:G999999999999999999999999b |
File Content Preview: | {\rtf51437\page11419927264400464@ApJnbSmEIkBYwPBr@-DysivyjzZmoIeCPiF<eh&&0_M-C_g--_-d,64>32997$Cv>yt=n5|:%_>jn8%bm\mklP;=u\m3699.28.... .... ...... .... .... .... |
File Icon |
---|
Icon Hash: | e4eea2aaa4b4b4a4 |
Static RTF Info |
---|
Objects |
---|
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit |
---|---|---|---|---|---|---|---|---|---|
0 | 000C4595h | no |
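The per-file fields the report prints (size, MD5/SHA1/SHA-256, 8-bit entropy, the "Encrypted" flag) and the RTF header shown in the File Content Preview can be reproduced for any sample with the script below. It is an added example, not Joe Security's code and not part of the report. Two things it makes checkable: the preview begins `{\rtf51437` rather than the well-formed `{\rtf1`, and Word's RTF parser is lenient about those digits, so a version run other than `1` is a cheap indicator of a deliberately malformed header; and the 1,143,808-byte file EQNEDT32.EXE fetched from the `.jpg` URL has the same SHA-256 (3266A27B...) as the dropped C:\Users\Public\69577.exe, so the "image" was the executable. The entropy cut-off used for "Encrypted", the known-bad hash set (seeded with that SHA-256) and the sample RTF bytes are the example's own assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# Assumption for this example: the report flags "Encrypted: true" only on the
# near-maximal-entropy 59134-byte drop (7.9955 bits/byte), so 7.9 is used as the
# cut-off here. It is not Joe Sandbox's documented threshold.
ENCRYPTED_ENTROPY = 7.9

# Seeded with the SHA-256 of C:\Users\Public\69577.exe from the dropped-file list.
KNOWN_BAD_SHA256 = {
    "3266A27BD3BB930017AA09BC7483AB2E047292B47F9D9C5796C02FA566D00CFE",
}

RTF_MAGIC = re.compile(rb"^\{\\rtf(\d*)")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_summary(data: bytes) -> dict:
    """Same fields the report prints per dropped file, plus a known-bad hash check."""
    h = shannon_entropy(data)
    sha256 = hashlib.sha256(data).hexdigest().upper()
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": sha256,
        "entropy": round(h, 6),
        "encrypted": h >= ENCRYPTED_ENTROPY,
        "known_bad": sha256 in KNOWN_BAD_SHA256,
    }


def rtf_header(data: bytes):
    """Return (version_digits, nonstandard) for an RTF header, or None for non-RTF.

    A well-formed document starts with '{\\rtf1'. The report's preview starts with
    '{\\rtf51437'; Word still opens it, so anything other than '1' is a cheap
    indicator of a deliberately malformed header.
    """
    m = RTF_MAGIC.match(data)
    if not m:
        return None
    version = m.group(1).decode()
    return version, version != "1"


# Constructed sample: the header bytes mirror the report's File Content Preview,
# the remainder is filler, not the real document.
SAMPLE_RTF = b"{\\rtf51437\\page11419927264400464@ApJnbSmEIkBYwPBr@" + b"\x00" * 64


def scan(path: str) -> dict:
    """Summarise a file on disk the way the report's dropped-file entries do."""
    with open(path, "rb") as fh:
        data = fh.read()
    summary = file_summary(data)
    summary["rtf_header"] = rtf_header(data)
    return summary


if __name__ == "__main__":
    print(file_summary(SAMPLE_RTF), rtf_header(SAMPLE_RTF))
```

`scan()` takes a path so the same routine can be pointed at a quarantined drop; the two-byte, entropy-1.0 file in the list above is simply two different bytes, and the 2.4-entropy 162-byte files are the size Word's owner lock file takes.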
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/22/21-19:52:54.267775 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 5000 | 49169 | 79.134.225.49 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 22, 2021 19:52:34.030258894 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.10 |
Feb 22, 2021 19:52:34.078953981 CET | 80 | 49167 | 67.199.248.10 | 192.168.2.22 |
Feb 22, 2021 19:52:34.079070091 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.10 |
Feb 22, 2021 19:52:34.079585075 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.10 |
Feb 22, 2021 19:52:34.130676985 CET | 80 | 49167 | 67.199.248.10 | 192.168.2.22 |
Feb 22, 2021 19:52:34.227475882 CET | 80 | 49167 | 67.199.248.10 | 192.168.2.22 |
Feb 22, 2021 19:52:34.227626085 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.10 |
Feb 22, 2021 19:52:34.359882116 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.446923971 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.447447062 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.448152065 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.536376953 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.536528111 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537424088 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.537738085 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537766933 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537790060 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537816048 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537839890 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537863970 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537875891 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.537887096 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537890911 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.537894964 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.537914038 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.537961006 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.537966967 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.539580107 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.547821045 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.548002958 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625053883 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625113010 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625154018 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625185013 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625196934 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625211000 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625214100 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625232935 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625323057 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625353098 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625403881 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625406027 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625413895 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625444889 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.625531912 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.625684023 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.627624989 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712013960 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712066889 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712100983 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712116957 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712121964 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712162018 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712373972 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712414980 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712452888 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712481022 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712486029 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712491989 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712531090 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.712532997 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712537050 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.712595940 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.716445923 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.716567993 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.798217058 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798254967 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798274040 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798299074 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798408985 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.798568964 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798593998 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798612118 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798633099 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.798645020 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.798650980 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.798702955 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.798712969 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.803931952 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.803965092 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.804162979 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.807508945 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.886324883 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886382103 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886423111 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886470079 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886482954 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.886521101 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.886521101 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886526108 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.886571884 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886626005 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.886630058 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.886697054 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886878967 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.886893034 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.886989117 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
Feb 22, 2021 19:52:34.895035028 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.895128012 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22 |
Feb 22, 2021 19:52:34.895210981 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 22, 2021 19:52:33.966006994 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 22, 2021 19:52:34.014686108 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Feb 22, 2021 19:52:34.251554966 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 22, 2021 19:52:34.357984066 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Feb 22, 2021 19:52:53.760273933 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 22, 2021 19:52:53.819189072 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Feb 22, 2021 19:52:55.110183954 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 22, 2021 19:52:55.161643982 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Feb 22, 2021 19:52:55.171720028 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 22, 2021 19:52:55.224850893 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 22, 2021 19:52:33.966006994 CET | 192.168.2.22 | 8.8.8.8 | 0xc52c | Standard query (0) | A (IP address) | IN (0x0001) | |
Feb 22, 2021 19:52:34.251554966 CET | 192.168.2.22 | 8.8.8.8 | 0x4d68 | Standard query (0) | A (IP address) | IN (0x0001) | |
Feb 22, 2021 19:52:53.760273933 CET | 192.168.2.22 | 8.8.8.8 | 0x5410 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 22, 2021 19:52:34.014686108 CET | 8.8.8.8 | 192.168.2.22 | 0xc52c | No error (0) | 67.199.248.10 | A (IP address) | IN (0x0001) | ||
Feb 22, 2021 19:52:34.014686108 CET | 8.8.8.8 | 192.168.2.22 | 0xc52c | No error (0) | 67.199.248.11 | A (IP address) | IN (0x0001) | ||
Feb 22, 2021 19:52:34.357984066 CET | 8.8.8.8 | 192.168.2.22 | 0x4d68 | No error (0) | 93.89.224.134 | A (IP address) | IN (0x0001) | ||
Feb 22, 2021 19:52:53.819189072 CET | 8.8.8.8 | 192.168.2.22 | 0x5410 | No error (0) | 79.134.225.49 | A (IP address) | IN (0x0001) |
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 67.199.248.10 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 22, 2021 19:52:34.079585075 CET | 0 | OUT | |
Feb 22, 2021 19:52:34.227475882 CET | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49168 | 93.89.224.134 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 22, 2021 19:52:34.448152065 CET | 2 | OUT | |
Feb 22, 2021 19:52:34.536528111 CET | 2 | IN |
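The DNS Answers, TCP Packets and Snort tables above fit together as three resolutions followed by three peers: two HTTP flows from EQNEDT32.EXE (ports 49167 and 49168 to 67.199.248.10 and 93.89.224.134) and, twenty seconds later, the port-5000 session to 79.134.225.49 that the AsyncRAT certificate signature fired on. The script below does that correlation mechanically. It is an added example, not part of the report; its input rows are copied from the tables above with the TCP table cut to one round trip per flow, and the "web port" set and triage rules are the example's own assumptions.

```python
import re
from collections import defaultdict

SANDBOX_IP = "192.168.2.22"  # the analysis VM's address in the report
WEB_PORTS = {80, 443}        # assumption: what counts as an ordinary web port

# Rows copied from the report's DNS Answers, TCP Packets and Snort IDS tables.
# The TCP table is cut to one SYN/SYN-ACK per flow; the report repeats the same
# two flows for a page.
DNS_ANSWERS = """
Feb 22, 2021 19:52:34.014686108 CET | 8.8.8.8 | 192.168.2.22 | 0xc52c | No error (0) | 67.199.248.10 | A (IP address) | IN (0x0001)
Feb 22, 2021 19:52:34.014686108 CET | 8.8.8.8 | 192.168.2.22 | 0xc52c | No error (0) | 67.199.248.11 | A (IP address) | IN (0x0001)
Feb 22, 2021 19:52:34.357984066 CET | 8.8.8.8 | 192.168.2.22 | 0x4d68 | No error (0) | 93.89.224.134 | A (IP address) | IN (0x0001)
Feb 22, 2021 19:52:53.819189072 CET | 8.8.8.8 | 192.168.2.22 | 0x5410 | No error (0) | 79.134.225.49 | A (IP address) | IN (0x0001)
"""
TCP_PACKETS = """
Feb 22, 2021 19:52:34.030258894 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.10
Feb 22, 2021 19:52:34.078953981 CET | 80 | 49167 | 67.199.248.10 | 192.168.2.22
Feb 22, 2021 19:52:34.359882116 CET | 49168 | 80 | 192.168.2.22 | 93.89.224.134
Feb 22, 2021 19:52:34.446923971 CET | 80 | 49168 | 93.89.224.134 | 192.168.2.22
"""
SNORT_ALERTS = """
02/22/21-19:52:54.267775 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 5000 | 49169 | 79.134.225.49 | 192.168.2.22
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _rows(table: str):
    """Split the report's pipe-separated rows into stripped cells."""
    return [[c.strip() for c in line.split("|")] for line in table.strip().splitlines()]


def _new_contact():
    return {"resolved": False, "first_seen": None, "ports": set(), "alerts": []}


def build_contacts(sandbox_ip=SANDBOX_IP, dns=DNS_ANSWERS, tcp=TCP_PACKETS, snort=SNORT_ALERTS):
    """Map each peer address to whether DNS returned it, the ports used, and IDS hits."""
    contacts = defaultdict(_new_contact)
    for _ts, _src, _dst, _txid, _rcode, addr, rtype, _cls in _rows(dns):
        if rtype.startswith("A") and IPV4.match(addr):
            contacts[addr]["resolved"] = True
    for ts, sport, dport, src, dst in _rows(tcp):
        if src == sandbox_ip:
            peer, port = dst, int(dport)
        elif dst == sandbox_ip:
            peer, port = src, int(sport)
        else:
            continue  # not a flow involving the sandbox host
        c = contacts[peer]
        c["ports"].add(port)
        c["first_seen"] = c["first_seen"] or ts
    for ts, _proto, sid, msg, sport, dport, src, dst in _rows(snort):
        peer, port = (dst, int(dport)) if src == sandbox_ip else (src, int(sport))
        c = contacts[peer]
        c["ports"].add(port)
        c["alerts"].append((int(sid), msg))
        c["first_seen"] = c["first_seen"] or ts
    return dict(contacts)


def triage(contacts: dict) -> dict:
    """Peers worth escalating, with reasons: IDS alert, non-web port, or no DNS trail."""
    findings = {}
    for ip, c in contacts.items():
        reasons = [f"IDS sid {sid}: {msg}" for sid, msg in c["alerts"]]
        odd = sorted(c["ports"] - WEB_PORTS)
        if odd:
            reasons.append(f"non-web port(s) {odd}")
        if c["ports"] and not c["resolved"]:
            reasons.append("contacted without a preceding DNS answer")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in triage(build_contacts()).items():
        print(ip, "->", "; ".join(why))
```

The second A record for the first query (67.199.248.11) is resolved but never contacted, which is why `triage()` keys on ports and alerts rather than on the DNS table alone; the reverse case, a peer contacted with no answer in the DNS table, is what a hard-coded C2 address looks like and gets its own reason.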
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 19:52:36 |
Start date: | 22/02/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fb80000 |
File size: | 1424032 bytes |
MD5 hash: | 95C38D04597050285A18F66039EDB456 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:52:37 |
Start date: | 22/02/2021 |
Path: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 543304 bytes |
MD5 hash: | A87236E214F6D42A65F5DEDAC816AEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:52:42 |
Start date: | 22/02/2021 |
Path: | C:\Users\Public\69577.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf60000 |
File size: | 1143808 bytes |
MD5 hash: | DCCD2F6A61F8D95552863B537F2B6698 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | low |
General |
---|
Start time: | 19:52:49 |
Start date: | 22/02/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe10000 |
File size: | 179712 bytes |
MD5 hash: | 2003E9B15E1C502B146DAD2E383AC1E3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:52:50 |
Start date: | 22/02/2021 |
Path: | C:\Users\Public\69577.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf60000 |
File size: | 1143808 bytes |
MD5 hash: | DCCD2F6A61F8D95552863B537F2B6698 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | low |
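Read in start order, the process list above is WINWORD.EXE, then EQNEDT32.EXE (the Equation Editor, the CVE-2017-11882 target), then C:\Users\Public\69577.exe, then schtasks.exe, then a second 69577.exe instance. Three behaviours in that list are worth detecting on an endpoint regardless of the sample: a binary executing from a user-writable folder, Equation Editor spawning any child at all, and schtasks.exe driven by a process running from such a folder. The detection below is an added example written for this report, not Joe Security's or any published rule set. Process IDs and parent links are assumptions, because the report gives start times and paths only; EQNEDT32.EXE is launched through DCOM rather than as a child of WINWORD.EXE, so it is left unparented, and the suspicious-folder list is a short subset.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    start: str


# Built from the report's System Behavior list. PIDs and parent links are
# assumptions for this example (the report gives start time and path only);
# EQNEDT32.EXE's real parent is the DCOM launcher, not WINWORD.EXE, so it is
# left unparented here.
EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", "19:52:36"),
    ProcEvent(200, 1, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "19:52:37"),
    ProcEvent(300, 200, r"C:\Users\Public\69577.exe", "19:52:42"),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\schtasks.exe", "19:52:49"),
    ProcEvent(500, 300, r"C:\Users\Public\69577.exe", "19:52:50"),
]

# Short subset of user-writable locations; production rules carry a longer list.
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
    "c:\\perflogs\\",
)


def in_suspicious_dir(image: str) -> bool:
    low = image.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours this report shows."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        # Executable started from a user-writable folder
        if in_suspicious_dir(image):
            findings.append(("suspicious_program_location", e.pid, e.image))
        # Equation Editor has no business spawning children; a child means
        # CVE-2017-11882-style abuse of EQNEDT32.EXE
        if parent and parent.image.lower().endswith("\\eqnedt32.exe"):
            findings.append(("cve_2017_11882_dropper", e.pid, e.image))
        # schtasks.exe driven by a binary running from one of those folders
        if image.endswith("\\schtasks.exe") and parent and in_suspicious_dir(parent.image):
            findings.append(("schtasks_from_suspicious_location", e.pid, parent.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

The command lines are blank in the report, so the schtasks rule keys on the parent's location rather than on `/create` arguments; once real telemetry with command lines is available, adding the task path and the `/tn` value to the finding is the obvious next step.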