Source: 0.2.Zapytanie -20216470859302.exe.42643b0.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "comercial@fil-net.comFil-2020net+smtp.fil-net.comgreendogman@yandex.com"} |
Source: Zapytanie -20216470859302.exe | Joe Sandbox ML: detected |
Source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8 |
Source: Zapytanie -20216470859302.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: unknown | HTTPS traffic detected: 50.19.252.36:443 -> 192.168.2.4:49761 version: TLS 1.2 |
Source: Zapytanie -20216470859302.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_062E24E8 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_062E24D8 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_062E21D0 |
Source: unknown | DNS query: name: api.ipify.org |
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 46.16.61.250:587 |
Source: Joe Sandbox View | IP Address: 50.19.252.36 |
Source: Joe Sandbox View | ASN Name: CDMONsistemescdmoncomES |
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: unknown | DNS traffic detected: queries for: api.ipify.org |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0 |
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0 |
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0 |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.900549612.00000000068C1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897520193.0000000002D95000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.897579753.0000000002DFB000.00000004.00000001.sdmp | String found in binary or memory: http://hqFkeHOniWF1AKH.org |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0% |
Source: Zapytanie -20216470859302.exe, 00000003.00000003.842182229.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0 |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897562623.0000000002DE9000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.fil-net.com |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://umWsex.com |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/ |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0 |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/ |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897300872.0000000002B7B000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0 |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp, Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.897276888.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761 |
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443 |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638710880.00000000014B8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack, <PrivateImplementationDetails>{90458A73-8324-4E56-8BE3-2A7ADB55DB6B}/4305A58E-D76E-4574-8A32-FA9D5665EC26.cs | Large array initialization: .cctor: array initializer size 12012 |
Source: Zapytanie -20216470859302.exe, frmSplashScreen.cs | Long String: Length: 13656 |
Source: 0.0.Zapytanie -20216470859302.exe.ce0000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656 |
Source: 0.2.Zapytanie -20216470859302.exe.ce0000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656 |
Source: 2.0.Zapytanie -20216470859302.exe.210000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656 |
Source: 2.2.Zapytanie -20216470859302.exe.210000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656 |
Source: 3.2.Zapytanie -20216470859302.exe.710000.1.unpack, frmSplashScreen.cs | Long String: Length: 13656 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_00CE2050 | 0_2_00CE2050 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_0175C2A8 | 0_2_0175C2A8 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_0175AB34 | 0_2_0175AB34 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E0040 | 0_2_062E0040 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E10C0 | 0_2_062E10C0 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E2CE8 | 0_2_062E2CE8 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 0_2_062E0006 | 0_2_062E0006 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 2_2_00212050 | 2_2_00212050 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_3_068ED960 | 3_3_068ED960 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_2_00712050 | 3_2_00712050 |
Source: C:\Users\user\Desktop\Zapytanie -20216470859302.exe | Code function: 3_2_011047A0 | 3_2_011047A0 |
Source: Zapytanie -20216470859302.exe | Binary or memory string: OriginalFilename vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638964828.0000000003101000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefRoJCrdovlLLQXIyIMxNDkclBC.exe4 vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.638710880.00000000014B8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000000.00000000.631772952.0000000000CE2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000000.00000002.639307733.0000000004109000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000002.00000000.636391918.0000000000212000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.896326467.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefRoJCrdovlLLQXIyIMxNDkclBC.exe4 vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.900342702.0000000006380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000003.00000000.637339059.0000000000712000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.898747710.00000000050C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.896484624.0000000000B68000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe, 00000003.00000002.900399923.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe | Binary or memory string: OriginalFilenameSurrogateKey.exe< vs Zapytanie -20216470859302.exe |
Source: Zapytanie -20216470859302.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: 3.2.Zapytanie -20216470859302.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: Zapytanie -20216470859302.exe, frmSplashScreen.cs | Base64 encoded string: (value not included in this extract) |