Play interactive tour
Edit tourAnalysis Report NDKr3inJa9dXEu3.exe
Overview
General Information
| Sample Name: | NDKr3inJa9dXEu3.exe |
| Analysis ID: | 358345 |
| MD5: | c52d827c2b63af9a81b1328a2c027cd7 |
| SHA1: | 397dba569945139e35a83d27fcddf6dc59b8570d |
| SHA256: | 63e89e3a9aa5843b13a2148eb97a2a2168f15953ec31a31d819b29e770bb7ac0 |
| Tags: | AgentTeslaexe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "FTP Info": "admin@estagold.com.myestagold202584mail.estagold.com.mybmathena@accesesdata.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 5 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Scheduled temp file as task from temp location | Show sources | ||
| Source: | Author: Joe Security: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
Compliance: | |
|---|
| Uses 32bit PE files | Show sources | ||
| Source: | Static PE information: | ||
| Contains modern PE file flags such as dynamic base (ASLR) or NX | Show sources | ||
| Source: | Static PE information: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Code function: | 1_2_00F2C888 | |
| Source: | Code function: | 1_2_00F2AED4 | |
| Source: | Code function: | 4_2_0143C968 | |
| Source: | Code function: | 4_2_01432520 | |
| Source: | Code function: | 4_2_01430040 | |
| Source: | Code function: | 4_2_014366B1 | |
| Source: | Code function: | 4_2_0143C570 | |
| Source: | Code function: | 4_2_0143D8B0 | |
| Source: | Code function: | 4_2_016E1908 | |
| Source: | Code function: | 4_2_016E299C | |
| Source: | Code function: | 4_2_016E0040 | |
| Source: | Code function: | 4_2_016EB7E8 | |
| Source: | Code function: | 4_2_016E5E10 | |
| Source: | Code function: | 4_2_016E0022 | |
| Source: | Code function: | 4_2_016EAF98 | |
| Source: | Code function: | 4_2_016EF230 | |
| Source: | Code function: | 4_2_032747A0 | |
| Source: | Code function: | 4_2_03273CCC | |
| Source: | Code function: | 4_2_03274730 | |
| Source: | Code function: | 4_2_03274750 | |
| Source: | Code function: | 4_2_032746B0 | |
| Source: | Code function: | 4_2_032746F0 | |
| Source: | Code function: | 4_2_03275490 | |
| Source: | Code function: | 4_2_0327D820 | |
| Source: | Code function: | 4_2_06696C68 | |
| Source: | Code function: | 4_2_066994F8 | |
| Source: | Code function: | 4_2_06697538 | |
| Source: | Code function: | 4_2_06696920 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_01434DD0 | |
| Source: | Code function: | 4_2_06698550 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Uses schtasks.exe or at.exe to add and modify task schedules | Show sources | ||
| Source: | Process created: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM_3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | File opened / queried: | Jump to behavior | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 4_2_01431790 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 4_2_0669516C | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation311 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | File and Directory Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery114 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing2 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery321 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion24 | Cached Domain Credentials | Virtualization/Sandbox Evasion24 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection12 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 24% | Virustotal | Browse | ||
| 9% | ReversingLabs | Win32.Trojan.Wacatac | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML | |||
| 9% | ReversingLabs | Win32.Trojan.Wacatac |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| estagold.com.my | 103.6.196.156 | true | true |
| unknown |
| mail.estagold.com.my | unknown | unknown | true |
| unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 103.6.196.156 | unknown | Malaysia | 46015 | EXABYTES-AS-APExaBytesNetworkSdnBhdMY | true |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Emerald |
| Analysis ID: | 358345 |
| Start date: | 25.02.2021 |
| Start time: | 13:13:09 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 7m 52s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | NDKr3inJa9dXEu3.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 25 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/5@4/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 13:13:55 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 103.6.196.156 | Get hash | malicious | Browse |
|
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| EXABYTES-AS-APExaBytesNetworkSdnBhdMY | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 1406 |
| Entropy (8bit): | 5.341099307467139 |
| Encrypted: | false |
| SSDEEP: | 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg |
| MD5: | E5FA1A53BA6D70E18192AF6AF7CFDBFA |
| SHA1: | 1C076481F11366751B8DA795C98A54DE8D1D82D5 |
| SHA-256: | 1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83 |
| SHA-512: | 77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4 |
| Malicious: | true |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1643 |
| Entropy (8bit): | 5.187928282029358 |
| Encrypted: | false |
| SSDEEP: | 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBjtn:cbh47TlNQ//rydbz9I3YODOLNdq3L |
| MD5: | 86DFB223E06A7EB192A19D6A1A5F5991 |
| SHA1: | 245EBB6FEF323BA97AB0AEFB9F69DC25EB326D92 |
| SHA-256: | C3107DCD31C2E3AC283F48C2F2EC81A063ADCB4D5DD382B66F668D2DF303D87B |
| SHA-512: | 3C48C74E8C4C7A01A6AA4728E01A64CD1A4F56AD8B8A68FDB12D0AC7B39A2717B67E3EBEB72EDC65E6A2FE09DED1767AF252E8978E432DB4B5E35257AE87889F |
| Malicious: | true |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1024512 |
| Entropy (8bit): | 6.795376997370158 |
| Encrypted: | false |
| SSDEEP: | 12288:K+rReYqTLTxRdnHpe1QFl1rHWd9yWXVa2A///vOq:DrReYqTXx7Je1QFl1rHeXVG/Z |
| MD5: | C52D827C2B63AF9A81B1328A2C027CD7 |
| SHA1: | 397DBA569945139E35A83D27FCDDF6DC59B8570D |
| SHA-256: | 63E89E3A9AA5843B13A2148EB97A2A2168F15953EC31A31D819B29E770BB7AC0 |
| SHA-512: | 3974E79EB87DBD0DC18BBAB000E9FAC031CFECE7BF0132F211D07066032B434593B1B75AF74F4258E9963784D1F863DDC647496D2BD58759BE3D54FF9E7E4C69 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.6970840431455908 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 |
| MD5: | 00681D89EDDB6AD25E6F4BD2E66C61C6 |
| SHA1: | 14B2FBFB460816155190377BBC66AB5D2A15F7AB |
| SHA-256: | 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 |
| SHA-512: | 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.795376997370158 |
| TrID: |
|
| File name: | NDKr3inJa9dXEu3.exe |
| File size: | 1024512 |
| MD5: | c52d827c2b63af9a81b1328a2c027cd7 |
| SHA1: | 397dba569945139e35a83d27fcddf6dc59b8570d |
| SHA256: | 63e89e3a9aa5843b13a2148eb97a2a2168f15953ec31a31d819b29e770bb7ac0 |
| SHA512: | 3974e79eb87dbd0dc18bbab000e9fac031cfece7bf0132f211d07066032b434593b1b75af74f4258e9963784d1f863ddc647496d2bd58759be3d54ff9e7e4c69 |
| SSDEEP: | 12288:K+rReYqTLTxRdnHpe1QFl1rHWd9yWXVa2A///vOq:DrReYqTXx7Je1QFl1rHeXVG/Z |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m7`..............P..............,... ........@.. ....................................@................................ |
File Icon |
|---|
 | |
| Icon Hash: | 206ae682a280a906 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4d2cde |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x60376DFC [Thu Feb 25 09:29:32 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd2c90 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x29000 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xd0ce4 | 0xd0e00 | False | 0.592011940829 | data | 7.00995424289 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xd4000 | 0x29000 | 0x29000 | False | 0.0339176829268 | data | 3.30773665372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xfe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xd42e0 | 0x4f2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
| RT_ICON | 0xd47d4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4278496986, next used block 4278496986 | ||
| RT_ICON | 0xe4ffc | 0x94a8 | data | ||
| RT_ICON | 0xee4a4 | 0x5488 | data | ||
| RT_ICON | 0xf392c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | ||
| RT_ICON | 0xf7b54 | 0x25a8 | data | ||
| RT_ICON | 0xfa0fc | 0x10a8 | data | ||
| RT_ICON | 0xfb1a4 | 0x988 | data | ||
| RT_ICON | 0xfbb2c | 0x468 | GLS_BINARY_LSB_FIRST | ||
| RT_GROUP_ICON | 0xfbf94 | 0x84 | data | ||
| RT_GROUP_ICON | 0xfc018 | 0x14 | data | ||
| RT_VERSION | 0xfc02c | 0x368 | data | ||
| RT_MANIFEST | 0xfc394 | 0xb15 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright 2014 |
| Assembly Version | 3.0.0.0 |
| InternalName | DSASignatureDescription.exe |
| FileVersion | 3.0.0.0 |
| CompanyName | KTV |
| LegalTrademarks | |
| Comments | |
| ProductName | KTVManagement |
| ProductVersion | 3.0.0.0 |
| FileDescription | KTVManagement |
| OriginalFilename | DSASignatureDescription.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 02/25/21-13:15:39.408011 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| 02/25/21-13:15:43.573991 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 25, 2021 13:15:37.219960928 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:37.462656975 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:37.462773085 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:37.988204002 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:37.988688946 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:38.222326994 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:38.224571943 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:38.458317041 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:38.458898067 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:38.699927092 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:38.700957060 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:38.934817076 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:38.935199022 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:39.170259953 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:39.170469999 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:39.403994083 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:39.404026985 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:39.408010960 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:39.408222914 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:39.408355951 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:39.408499956 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:39.641700983 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:39.641877890 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:39.738096952 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:39.786835909 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:40.673029900 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:40.909938097 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:40.910262108 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:40.911627054 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:41.132333994 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:41.145011902 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:41.359195948 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:41.359333038 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:42.196867943 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:42.197593927 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:42.424637079 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:42.425134897 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:42.652947903 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:42.653850079 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:42.884433031 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:42.886369944 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.115370035 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.115833044 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.344393015 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.344901085 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.571710110 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.571811914 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.573740005 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.573991060 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.574096918 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.574201107 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.574368954 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.574455023 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.574537992 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.574619055 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
| Feb 25, 2021 13:15:43.803039074 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.803369999 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.803601027 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.897942066 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 |
| Feb 25, 2021 13:15:43.943551064 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 25, 2021 13:13:47.794286013 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:13:47.844525099 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:13:47.849242926 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:13:47.900942087 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:13:48.966368914 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:13:49.015219927 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:13:49.823757887 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:13:49.875453949 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:13:50.651333094 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:13:50.700170994 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:13:51.622975111 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:13:51.672077894 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:21.063409090 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:21.112258911 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:23.213094950 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:23.265486956 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:26.502511978 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:26.572556019 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:39.245309114 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:39.310409069 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:42.618647099 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:42.671966076 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:43.174786091 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:43.224875927 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:45.860286951 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:45.908855915 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:47.382839918 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:47.434655905 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:48.567085981 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:48.615760088 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:49.699915886 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:49.749664068 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:50.645895958 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:50.697346926 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:53.509497881 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:53.561062098 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:14:57.048566103 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:14:57.098632097 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:02.154098034 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:02.212759972 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:14.683739901 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:14.735873938 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:15.841717005 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:15.890506029 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:16.807022095 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:16.858503103 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:22.443159103 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:22.493446112 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:23.283706903 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:23.344743967 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:32.037843943 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:32.086483955 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:34.483572960 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:34.553822041 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:36.720400095 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:36.902743101 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:36.916362047 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:37.112339973 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:40.963608027 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:41.020692110 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
| Feb 25, 2021 13:15:41.072596073 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
| Feb 25, 2021 13:15:41.129863977 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Feb 25, 2021 13:15:36.720400095 CET | 192.168.2.3 | 8.8.8.8 | 0xa08f | Standard query (0) | A (IP address) | IN (0x0001) | |
| Feb 25, 2021 13:15:36.916362047 CET | 192.168.2.3 | 8.8.8.8 | 0x58be | Standard query (0) | A (IP address) | IN (0x0001) | |
| Feb 25, 2021 13:15:40.963608027 CET | 192.168.2.3 | 8.8.8.8 | 0x38f4 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Feb 25, 2021 13:15:41.072596073 CET | 192.168.2.3 | 8.8.8.8 | 0xc70b | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Feb 25, 2021 13:15:36.902743101 CET | 8.8.8.8 | 192.168.2.3 | 0xa08f | No error (0) | estagold.com.my | CNAME (Canonical name) | IN (0x0001) | ||
| Feb 25, 2021 13:15:36.902743101 CET | 8.8.8.8 | 192.168.2.3 | 0xa08f | No error (0) | 103.6.196.156 | A (IP address) | IN (0x0001) | ||
| Feb 25, 2021 13:15:37.112339973 CET | 8.8.8.8 | 192.168.2.3 | 0x58be | No error (0) | estagold.com.my | CNAME (Canonical name) | IN (0x0001) | ||
| Feb 25, 2021 13:15:37.112339973 CET | 8.8.8.8 | 192.168.2.3 | 0x58be | No error (0) | 103.6.196.156 | A (IP address) | IN (0x0001) | ||
| Feb 25, 2021 13:15:41.020692110 CET | 8.8.8.8 | 192.168.2.3 | 0x38f4 | No error (0) | estagold.com.my | CNAME (Canonical name) | IN (0x0001) | ||
| Feb 25, 2021 13:15:41.020692110 CET | 8.8.8.8 | 192.168.2.3 | 0x38f4 | No error (0) | 103.6.196.156 | A (IP address) | IN (0x0001) | ||
| Feb 25, 2021 13:15:41.129863977 CET | 8.8.8.8 | 192.168.2.3 | 0xc70b | No error (0) | estagold.com.my | CNAME (Canonical name) | IN (0x0001) | ||
| Feb 25, 2021 13:15:41.129863977 CET | 8.8.8.8 | 192.168.2.3 | 0xc70b | No error (0) | 103.6.196.156 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Feb 25, 2021 13:15:37.988204002 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 220-datousaurus.mschosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 20:15:21 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Feb 25, 2021 13:15:37.988688946 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | EHLO 910646 |
| Feb 25, 2021 13:15:38.222326994 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250-datousaurus.mschosting.com Hello 910646 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Feb 25, 2021 13:15:38.224571943 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | AUTH login YWRtaW5AZXN0YWdvbGQuY29tLm15 |
| Feb 25, 2021 13:15:38.458317041 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Feb 25, 2021 13:15:38.699927092 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 235 Authentication succeeded |
| Feb 25, 2021 13:15:38.700957060 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | MAIL FROM:<admin@estagold.com.my> |
| Feb 25, 2021 13:15:38.934817076 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250 OK |
| Feb 25, 2021 13:15:38.935199022 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | RCPT TO:<bmathena@accesesdata.com> |
| Feb 25, 2021 13:15:39.170259953 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250 Accepted |
| Feb 25, 2021 13:15:39.170469999 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | DATA |
| Feb 25, 2021 13:15:39.404026985 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Feb 25, 2021 13:15:39.408499956 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | . |
| Feb 25, 2021 13:15:39.738096952 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250 OK id=1lFFYB-00CrHB-2O |
| Feb 25, 2021 13:15:40.673029900 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | QUIT |
| Feb 25, 2021 13:15:40.909938097 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 221 datousaurus.mschosting.com closing connection |
| Feb 25, 2021 13:15:42.196867943 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 220-datousaurus.mschosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 20:15:25 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Feb 25, 2021 13:15:42.197593927 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | EHLO 910646 |
| Feb 25, 2021 13:15:42.424637079 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250-datousaurus.mschosting.com Hello 910646 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Feb 25, 2021 13:15:42.425134897 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | AUTH login YWRtaW5AZXN0YWdvbGQuY29tLm15 |
| Feb 25, 2021 13:15:42.652947903 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Feb 25, 2021 13:15:42.884433031 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 235 Authentication succeeded |
| Feb 25, 2021 13:15:42.886369944 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | MAIL FROM:<admin@estagold.com.my> |
| Feb 25, 2021 13:15:43.115370035 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250 OK |
| Feb 25, 2021 13:15:43.115833044 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | RCPT TO:<bmathena@accesesdata.com> |
| Feb 25, 2021 13:15:43.344393015 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250 Accepted |
| Feb 25, 2021 13:15:43.344901085 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | DATA |
| Feb 25, 2021 13:15:43.571811914 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Feb 25, 2021 13:15:43.574619055 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | . |
| Feb 25, 2021 13:15:43.897942066 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250 OK id=1lFFYF-00CrHy-7w |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 13:13:54 |
| Start date: | 25/02/2021 |
| Path: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x700000 |
| File size: | 1024512 bytes |
| MD5 hash: | C52D827C2B63AF9A81B1328A2C027CD7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 13:13:57 |
| Start date: | 25/02/2021 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe60000 |
| File size: | 185856 bytes |
| MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 13:13:58 |
| Start date: | 25/02/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2800000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 13:13:58 |
| Start date: | 25/02/2021 |
| Path: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf10000 |
| File size: | 1024512 bytes |
| MD5 hash: | C52D827C2B63AF9A81B1328A2C027CD7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00F2E24C, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00F2E258, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00F28F1B, Relevance: 1.6, APIs: 1, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00F277B8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00F277C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00F2C380, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EAD4D8, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EBD01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EBD005, Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EAD4D3, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EAD749, Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EAD748, Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00F2C888, Relevance: .5, Instructions: 524COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00F2AED4, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0669516C, Relevance: 1.6, APIs: 1, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03273E4B, Relevance: 1.8, APIs: 1, Instructions: 298COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0669D7A6, Relevance: 1.7, APIs: 1, Instructions: 156COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0669D7EE, Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06699228, Relevance: 1.6, APIs: 1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0669B4EC, Relevance: 1.6, APIs: 1, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0669929C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016EEA48, Relevance: 1.6, APIs: 1, Instructions: 128COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03275184, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03275190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03276964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0327C3B9, Relevance: 1.6, APIs: 1, Instructions: 75COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03276D73, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03276D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03272F30, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016E94E8, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0327C3C8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016EEB1A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03272F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 032741AB, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 017CD53C, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 017DD01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 017DD005, Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 017CD537, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|