Analysis Report NDKr3inJa9dXEu3.exe
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Classification
Startup
Malware Configuration
Threatname: AgentTesla
{"Exfil Mode": "SMTP", "FTP Info": "admin@estagold.com.myestagold202584mail.estagold.com.mybmathena@accesesdata.com"}
Yara Overview
Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
Sigma Overview
System Summary:
Sigma detected: Scheduled temp file as task from temp location
Source: Author: Joe Security
Signature Overview
AV Detection:
Found malware configuration
Source: Malware Configuration Extractor
Multi AV Scanner detection for submitted file
Source: Virustotal
Machine Learning detection for dropped file
Source: Joe Sandbox ML
Machine Learning detection for sample
Source: Joe Sandbox ML
Source: Avira
Compliance:
Uses 32bit PE files
Source: Static PE information
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Static PE information
Networking:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Snort IDS (2 entries)
Source: TCP traffic
Source: IP Address
Source: ASN Name
Source: TCP traffic
Source: DNS traffic detected
Source: String found in binary or memory (10 entries)
System Summary:
.NET source code contains very large array initializations
Source: Large array initialization
Source: Code function (28 entries)
Source: Static PE information (2 entries)
Source: Binary or memory string (14 entries)
Source: Static PE information
Source: Cryptographic APIs (2 entries)
Source: Classification label
Source: File created
Source: Mutant created (2 entries)
Source: File created
Source: Static PE information
Source: Section loaded (2 entries)
Source: WMI Queries (3 entries)
Source: File read
Source: Key opened
Source: File read (5 entries)
Source: Binary or memory string (2 entries)
Source: Virustotal
Source: File read
Source: Process created (6 entries)
Source: Key value queried
Source: File opened
Source: Key opened
Source: Static PE information
Source: Static PE information
Source: Code function (2 entries)
Source: Static PE information (2 entries)
Source: File created
Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
Source: Process created
Source: Registry key monitored for changes
Source: Process information set (89 entries)
Malware Analysis System Evasion:
Yara detected AntiVM_3
Source: File source (4 entries)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: WMI Queries
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: WMI Queries
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: WMI Queries
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Binary or memory string (3 entries)
Source: Registry key queried (3 entries)
Source: File opened / queried
Source: Registry key queried (2 entries)
Source: Thread delayed (2 entries)
Source: Window / User API (2 entries)
Source: Thread sleep time (3 entries)
Source: Thread sleep count (3 entries)
Source: WMI Queries (3 entries)
Source: Last function
Source: Binary or memory string (10 entries)
Source: Process information queried
Source: Code function
Source: Process token adjusted (2 entries)
Source: Memory allocated
Source: Process created (2 entries)
Source: Binary or memory string (4 entries)
Source: Queries volume information (16 entries)
Source: Code function
Source: Key value queried
Stealing of Sensitive Information:
Yara detected AgentTesla
Source: File source (8 entries)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: Key opened
Tries to harvest and steal browser information (history, passwords, etc)
Source: File opened (3 entries)
Tries to harvest and steal ftp login credentials
Source: File opened (2 entries)
Tries to steal Mail credentials (via file access)
Source: File opened (2 entries)
Source: Key opened (2 entries)
Source: File source (2 entries)
Remote Access Functionality:
Yara detected AgentTesla
Source: File source (8 entries)
Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation311 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | File and Directory Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery114 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing2 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery321 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion24 | Cached Domain Credentials | Virtualization/Sandbox Evasion24 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection12 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 24% | Virustotal | | |
| | 9% | ReversingLabs | Win32.Trojan.Wacatac | |
| | 100% | Joe Sandbox ML | | |

Dropped Files

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 100% | Joe Sandbox ML | | |
| | 9% | ReversingLabs | Win32.Trojan.Wacatac | |

Unpacked PE Files

| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| | 100% | Avira | TR/Spy.Gen8 | | |

Domains

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 0% | Virustotal | | |
| | 1% | Virustotal | | |

URLs

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
Domains and IPs
Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| estagold.com.my | 103.6.196.156 | true | true | | unknown |
| mail.estagold.com.my | unknown | unknown | true | | unknown |

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | low |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |

Contacted IPs
Public

| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 103.6.196.156 | unknown | Malaysia | | 46015 | EXABYTES-AS-APExaBytesNetworkSdnBhdMY | true |
General Information
Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358345
Start date: 25.02.2021
Start time: 13:13:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NDKr3inJa9dXEu3.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/5@4/1
EGA Information: Failed
HDC Information:
HCA Information:
Cookbook Comments:
Warnings:
Simulations
Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 13:13:55 | API Interceptor | |

Joe Sandbox View / Context
IPs

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 103.6.196.156 | | | malicious | | |

Domains

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|

ASN

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| EXABYTES-AS-APExaBytesNetworkSdnBhdMY | 20 associated samples, each flagged malicious | | malicious | | |

JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files

Process: C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe
Category: modified
Size (bytes): 1406
Entropy (8bit): 5.341099307467139
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5: E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1: 1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256: 1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512: 77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious: true
Reputation: moderate, very likely benign file

Process: C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe
Category: dropped
Size (bytes): 1643
Entropy (8bit): 5.187928282029358
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBjtn:cbh47TlNQ//rydbz9I3YODOLNdq3L
MD5: 86DFB223E06A7EB192A19D6A1A5F5991
SHA1: 245EBB6FEF323BA97AB0AEFB9F69DC25EB326D92
SHA-256: C3107DCD31C2E3AC283F48C2F2EC81A063ADCB4D5DD382B66F668D2DF303D87B
SHA-512: 3C48C74E8C4C7A01A6AA4728E01A64CD1A4F56AD8B8A68FDB12D0AC7B39A2717B67E3EBEB72EDC65E6A2FE09DED1767AF252E8978E432DB4B5E35257AE87889F
Malicious: true
Reputation: low

Process: C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe
Category: dropped
Size (bytes): 1024512
Entropy (8bit): 6.795376997370158
Encrypted: false
SSDEEP: 12288:K+rReYqTLTxRdnHpe1QFl1rHWd9yWXVa2A///vOq:DrReYqTXx7Je1QFl1rHeXVG/Z
MD5: C52D827C2B63AF9A81B1328A2C027CD7
SHA1: 397DBA569945139E35A83D27FCDDF6DC59B8570D
SHA-256: 63E89E3A9AA5843B13A2148EB97A2A2168F15953EC31A31D819B29E770BB7AC0
SHA-512: 3974E79EB87DBD0DC18BBAB000E9FAC031CFECE7BF0132F211D07066032B434593B1B75AF74F4258E9963784D1F863DDC647496D2BD58759BE3D54FF9E7E4C69
Malicious: true
Reputation: low

Process: C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

Process: C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Reputation: moderate, very likely benign file
Static File Info
General
Entropy (8bit): 6.795376997370158
File name: NDKr3inJa9dXEu3.exe
File size: 1024512
MD5: c52d827c2b63af9a81b1328a2c027cd7
SHA1: 397dba569945139e35a83d27fcddf6dc59b8570d
SHA256: 63e89e3a9aa5843b13a2148eb97a2a2168f15953ec31a31d819b29e770bb7ac0
SHA512: 3974e79eb87dbd0dc18bbab000e9fac031cfece7bf0132f211d07066032b434593b1b75af74f4258e9963784d1f863ddc647496d2bd58759be3d54ff9e7e4c69
SSDEEP: 12288:K+rReYqTLTxRdnHpe1QFl1rHWd9yWXVa2A///vOq:DrReYqTXx7Je1QFl1rHeXVG/Z
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m7`..............P..............,... ........@.. ....................................@................................
File Icon
Icon Hash: 206ae682a280a906
Static PE Info
General
Entrypoint: 0x4d2cde
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60376DFC [Thu Feb 25 09:29:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint Preview

| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al (repeated 97 times) |

The `add byte ptr [eax], al` lines are the disassembly of the zero bytes that follow the single jmp at the entrypoint.
Data Directories

Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd2c90 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x29000 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xd0ce4 | 0xd0e00 | False | 0.592011940829 | data | 7.00995424289 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xd4000 | 0x29000 | 0x29000 | False | 0.0339176829268 | data | 3.30773665372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xfe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources

Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xd42e0 | 0x4f2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0xd47d4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4278496986, next used block 4278496986 | ||
RT_ICON | 0xe4ffc | 0x94a8 | data | ||
RT_ICON | 0xee4a4 | 0x5488 | data | ||
RT_ICON | 0xf392c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0xf7b54 | 0x25a8 | data | ||
RT_ICON | 0xfa0fc | 0x10a8 | data | ||
RT_ICON | 0xfb1a4 | 0x988 | data | ||
RT_ICON | 0xfbb2c | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0xfbf94 | 0x84 | data | ||
RT_GROUP_ICON | 0xfc018 | 0x14 | data | ||
RT_VERSION | 0xfc02c | 0x368 | data | ||
RT_MANIFEST | 0xfc394 | 0xb15 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2014 |
Assembly Version | 3.0.0.0 |
InternalName | DSASignatureDescription.exe |
FileVersion | 3.0.0.0 |
CompanyName | KTV |
LegalTrademarks | |
Comments | |
ProductName | KTVManagement |
ProductVersion | 3.0.0.0 |
FileDescription | KTVManagement |
OriginalFilename | DSASignatureDescription.exe |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/25/21-13:15:39.408011 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49740 | 587 | 192.168.2.3 | 103.6.196.156 |
02/25/21-13:15:43.573991 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49741 | 587 | 192.168.2.3 | 103.6.196.156 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 25, 2021 13:15:36.720400095 CET | 192.168.2.3 | 8.8.8.8 | 0xa08f | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 25, 2021 13:15:36.916362047 CET | 192.168.2.3 | 8.8.8.8 | 0x58be | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 25, 2021 13:15:40.963608027 CET | 192.168.2.3 | 8.8.8.8 | 0x38f4 | Standard query (0) | | A (IP address) | IN (0x0001) |
Feb 25, 2021 13:15:41.072596073 CET | 192.168.2.3 | 8.8.8.8 | 0xc70b | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 25, 2021 13:15:36.902743101 CET | 8.8.8.8 | 192.168.2.3 | 0xa08f | No error (0) | | estagold.com.my | | CNAME (Canonical name) | IN (0x0001) |
Feb 25, 2021 13:15:36.902743101 CET | 8.8.8.8 | 192.168.2.3 | 0xa08f | No error (0) | | | 103.6.196.156 | A (IP address) | IN (0x0001) |
Feb 25, 2021 13:15:37.112339973 CET | 8.8.8.8 | 192.168.2.3 | 0x58be | No error (0) | | estagold.com.my | | CNAME (Canonical name) | IN (0x0001) |
Feb 25, 2021 13:15:37.112339973 CET | 8.8.8.8 | 192.168.2.3 | 0x58be | No error (0) | | | 103.6.196.156 | A (IP address) | IN (0x0001) |
Feb 25, 2021 13:15:41.020692110 CET | 8.8.8.8 | 192.168.2.3 | 0x38f4 | No error (0) | | estagold.com.my | | CNAME (Canonical name) | IN (0x0001) |
Feb 25, 2021 13:15:41.020692110 CET | 8.8.8.8 | 192.168.2.3 | 0x38f4 | No error (0) | | | 103.6.196.156 | A (IP address) | IN (0x0001) |
Feb 25, 2021 13:15:41.129863977 CET | 8.8.8.8 | 192.168.2.3 | 0xc70b | No error (0) | | estagold.com.my | | CNAME (Canonical name) | IN (0x0001) |
Feb 25, 2021 13:15:41.129863977 CET | 8.8.8.8 | 192.168.2.3 | 0xc70b | No error (0) | | | 103.6.196.156 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Feb 25, 2021 13:15:37.988204002 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 220-datousaurus.mschosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 20:15:21 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Feb 25, 2021 13:15:37.988688946 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | EHLO 910646 |
Feb 25, 2021 13:15:38.222326994 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250-datousaurus.mschosting.com Hello 910646 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Feb 25, 2021 13:15:38.224571943 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | AUTH login YWRtaW5AZXN0YWdvbGQuY29tLm15 |
Feb 25, 2021 13:15:38.458317041 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Feb 25, 2021 13:15:38.699927092 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 235 Authentication succeeded |
Feb 25, 2021 13:15:38.700957060 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | MAIL FROM:<admin@estagold.com.my> |
Feb 25, 2021 13:15:38.934817076 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250 OK |
Feb 25, 2021 13:15:38.935199022 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | RCPT TO:<bmathena@accesesdata.com> |
Feb 25, 2021 13:15:39.170259953 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250 Accepted |
Feb 25, 2021 13:15:39.170469999 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | DATA |
Feb 25, 2021 13:15:39.404026985 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
Feb 25, 2021 13:15:39.408499956 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | . |
Feb 25, 2021 13:15:39.738096952 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 250 OK id=1lFFYB-00CrHB-2O |
Feb 25, 2021 13:15:40.673029900 CET | 49740 | 587 | 192.168.2.3 | 103.6.196.156 | QUIT |
Feb 25, 2021 13:15:40.909938097 CET | 587 | 49740 | 103.6.196.156 | 192.168.2.3 | 221 datousaurus.mschosting.com closing connection |
Feb 25, 2021 13:15:42.196867943 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 220-datousaurus.mschosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 20:15:25 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Feb 25, 2021 13:15:42.197593927 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | EHLO 910646 |
Feb 25, 2021 13:15:42.424637079 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250-datousaurus.mschosting.com Hello 910646 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Feb 25, 2021 13:15:42.425134897 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | AUTH login YWRtaW5AZXN0YWdvbGQuY29tLm15 |
Feb 25, 2021 13:15:42.652947903 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Feb 25, 2021 13:15:42.884433031 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 235 Authentication succeeded |
Feb 25, 2021 13:15:42.886369944 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | MAIL FROM:<admin@estagold.com.my> |
Feb 25, 2021 13:15:43.115370035 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250 OK |
Feb 25, 2021 13:15:43.115833044 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | RCPT TO:<bmathena@accesesdata.com> |
Feb 25, 2021 13:15:43.344393015 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250 Accepted |
Feb 25, 2021 13:15:43.344901085 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | DATA |
Feb 25, 2021 13:15:43.571811914 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
Feb 25, 2021 13:15:43.574619055 CET | 49741 | 587 | 192.168.2.3 | 103.6.196.156 | . |
Feb 25, 2021 13:15:43.897942066 CET | 587 | 49741 | 103.6.196.156 | 192.168.2.3 | 250 OK id=1lFFYF-00CrHy-7w |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 13:13:54 |
Start date: | 25/02/2021 |
Path: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x700000 |
File size: | 1024512 bytes |
MD5 hash: | C52D827C2B63AF9A81B1328A2C027CD7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 13:13:57 |
Start date: | 25/02/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe60000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:13:58 |
Start date: | 25/02/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:13:58 |
Start date: | 25/02/2021 |
Path: | C:\Users\user\Desktop\NDKr3inJa9dXEu3.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf10000 |
File size: | 1024512 bytes |
MD5 hash: | C52D827C2B63AF9A81B1328A2C027CD7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|