Source: Swift doc. ZD.1.19022021_PDF.exe.7020.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "SYgLhOXLAKJaD", "URL: ": "https://T4gAxtuj18rwIFW1VRIf.com", "To: ": "fikriye@turuncoglu.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "EbOiB", "From: ": "fikriye@turuncoglu.com"} |
Source: Swift doc. ZD.1.19022021_PDF.exe | ReversingLabs: Detection: 10% |
Source: Swift doc. ZD.1.19022021_PDF.exe | Joe Sandbox ML: detected |
Source: Swift doc. ZD.1.19022021_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: Swift doc. ZD.1.19022021_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: Malware configuration extractor | URLs: https://T4gAxtuj18rwIFW1VRIf.com |
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 77.88.21.158:587 |
Source: Joe Sandbox View | IP Address: 77.88.21.158 |
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: http://NfuOAc.com |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0- |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.919606289.0000000003566000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.yandex.com |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0. |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.919506938.000000000351D000.00000004.00000001.sdmp | String found in binary or memory: https://T4gAxtuj18rwIFW1VRIf.com |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.924041258.0000000006DAF000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Window created: window name: CLIPBRDWNDCLASS |
Source: Swift doc. ZD.1.19022021_PDF.exe, frmSplashScreen.cs | Long String: Length: 13656 |
Source: initial sample | Static PE information: Filename: Swift doc. ZD.1.19022021_PDF.exe |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01769608 | 1_2_01769608 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0176C2A8 | 1_2_0176C2A8 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0176AB34 | 1_2_0176AB34 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01838190 | 1_2_01838190 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0183A1F8 | 1_2_0183A1F8 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_018344C0 | 1_2_018344C0 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0183C9F0 | 1_2_0183C9F0 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0183D9F8 | 1_2_0183D9F8 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01835900 | 1_2_01835900 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01831EF0 | 1_2_01831EF0 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0183AE20 | 1_2_0183AE20 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0183A199 | 1_2_0183A199 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01837010 | 1_2_01837010 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_0183C9EA | 1_2_0183C9EA |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01864880 | 1_2_01864880 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01868312 | 1_2_01868312 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01862530 | 1_2_01862530 |
Source: C:\Users\user\Desktop\Swift doc. ZD.1.19022021_PDF.exe | Code function: 1_2_01867CC0 | 1_2_01867CC0 |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000000.647670906.0000000000EBA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRSAPKCS1SignatureDescription.exe< vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.923788189.0000000006940000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916315212.0000000001840000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.921926825.0000000004241000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.922521029.000000000448B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJjuAGuEggFLyNdgxhZLJIKFOcxph.exe4 vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000003.843393717.00000000015C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclr.dl<fQ vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.917324348.0000000003241000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe, 00000001.00000002.916284500.0000000001820000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe | Binary or memory string: OriginalFilenameRSAPKCS1SignatureDescription.exe< vs Swift doc. ZD.1.19022021_PDF.exe |
Source: Swift doc. ZD.1.19022021_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: Swift doc. ZD.1.19022021_PDF.exe, frmSplashScreen.cs | Base64 encoded string: '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 |