Play interactive tour
Edit tourAnalysis Report Purchase_Order-Documents.exe
Overview
General Information
| Sample Name: | Purchase_Order-Documents.exe |
| Analysis ID: | 358397 |
| MD5: | 970bce067ae6cdcf4cdf30a0a1f87186 |
| SHA1: | 75b2a8726790ca34db04a003ba3547a1eb28f3fd |
| SHA256: | f828f3f4109c84bc59b919c268c2d73ed8f1b327b3c3afd64184c2ddf2ae3aa5 |
| Tags: | AgentTesla |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "FTP Info": "kehoach@cuulongcorp.com.vnClkehoach9999@mail.cuulongcorp.com.vnkhanhkythuats@davitecco.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 4 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Scheduled temp file as task from temp location | Show sources | ||
| Source: | Author: Joe Security: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
Compliance: | |
|---|
| Uses 32bit PE files | Show sources | ||
| Source: | Static PE information: | ||
| Contains modern PE file flags such as dynamic base (ASLR) or NX | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_01240F70 | |
| Source: | Code function: | 1_2_01240F68 | |
| Source: | Code function: | 1_2_0E88A60D | |
| Source: | Code function: | 1_2_0E88C480 | |
| Source: | Code function: | 1_2_0E88C470 | |
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Initial sample is a PE file and has a suspicious name | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| PE file has nameless sections | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_007ED21B | |
| Source: | Code function: | 1_2_01240478 | |
| Source: | Code function: | 1_2_01241191 | |
| Source: | Code function: | 1_2_0124C0B0 | |
| Source: | Code function: | 1_2_0124EA90 | |
| Source: | Code function: | 1_2_0E88CC73 | |
| Source: | Code function: | 1_2_0E880007 | |
| Source: | Code function: | 1_2_0E880040 | |
| Source: | Code function: | 1_2_0E883902 | |
| Source: | Code function: | 1_2_007E38AA | |
| Source: | Code function: | 1_2_007EDD0A | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Data Obfuscation: | |
|---|
| Detected unpacking (changes PE section rights) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Binary contains a suspicious time stamp | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_007F431A | |
| Source: | Code function: | 1_2_007F42CC | |
| Source: | Code function: | 1_2_007F42B4 | |
| Source: | Code function: | 1_2_007F3D8C | |
| Source: | Code function: | 1_2_007F4788 | |
| Source: | Code function: | 1_2_007F3D8C | |
| Source: | Code function: | 1_2_007F477C | |
| Source: | Code function: | 1_2_007F4770 | |
| Source: | Code function: | 1_2_007F475E | |
| Source: | Code function: | 1_2_007F4320 | |
| Source: | Code function: | 1_2_007F4BCC | |
| Source: | Code function: | 1_2_007F3E2E | |
| Source: | Code function: | 1_2_007F47E8 | |
| Source: | Code function: | 1_2_007F4BD2 | |
| Source: | Code function: | 1_2_007F3DE6 | |
| Source: | Code function: | 1_2_007F4BCC | |
| Source: | Code function: | 1_2_007F4BB4 | |
| Source: | Code function: | 1_2_007F3DC2 | |
| Source: | Code function: | 1_2_007F47D0 | |
| Source: | Code function: | 1_2_007F3DA4 | |
| Source: | Code function: | 1_2_007F479A | |
| Source: | Code function: | 1_2_0E88564C | |
| Source: | Code function: | 1_2_0E8870D6 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Uses schtasks.exe or at.exe to add and modify task schedules | Show sources | ||
| Source: | Process created: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM_3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File opened / queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
Anti Debugging: | |
|---|
| Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) | Show sources | ||
| Source: | Code function: | 1_2_01240F70 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information3 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing14 | NTDS | Security Software Discovery331 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp1 | LSA Secrets | Virtualization/Sandbox Evasion15 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion15 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen3 | Download File |
Domains |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| mail.cuulongcorp.com.vn | 210.245.86.30 | true | true |
| unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 210.245.86.30 | unknown | Viet Nam | 18403 | FPT-AS-APTheCorporationforFinancingPromotingTechnolo | true |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Emerald |
| Analysis ID: | 358397 |
| Start date: | 25.02.2021 |
| Start time: | 15:13:18 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 11m 17s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Purchase_Order-Documents.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 24 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/5@2/1 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 15:14:12 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 210.245.86.30 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| mail.cuulongcorp.com.vn | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| FPT-AS-APTheCorporationforFinancingPromotingTechnolo | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\Purchase_Order-Documents.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 1400 |
| Entropy (8bit): | 5.344635889251176 |
| Encrypted: | false |
| SSDEEP: | 24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEg:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHV |
| MD5: | CDB0CBEDFEC7CCD7229835F37D89305C |
| SHA1: | 39023F8CFF044D44485DB049CE242383BCB07035 |
| SHA-256: | B1D78A56636298EFB329B368C4D52F2DCCF7F948AF7E7A30D9A8916D532760FE |
| SHA-512: | 35066E4F12E28DA041B4EE5BE8E24B21A1FBF6D3267100EFA4EEC701288F48F5BA4E63A4866D1DEC3E1A8147A060B9E0D4C4D4A2FB49890AA617172AE4BFA764 |
| Malicious: | true |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Purchase_Order-Documents.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1649 |
| Entropy (8bit): | 5.171485035916021 |
| Encrypted: | false |
| SSDEEP: | 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBTtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3j |
| MD5: | D75F7083DACCE330AFAC5AD5BBC2DE74 |
| SHA1: | EF53F69823E22445F5B8484548B68125E4DA078F |
| SHA-256: | 621321D565CA73074F1A2E14D3D2C2F212C72BEAA9F44790457281584F21681C |
| SHA-512: | 4787C76489D4C552D50D26DF1D4A79DBC08DCC89A8B8CBAAA19E582CFDD5D393627C31BC6CFB8CA356434642BCD246EFB8A8EC59BE3B494A6923C54289581F27 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Purchase_Order-Documents.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.698304057893793 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j |
| MD5: | 3806E8153A55C1A2DA0B09461A9C882A |
| SHA1: | BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72 |
| SHA-256: | 366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE |
| SHA-512: | 31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Purchase_Order-Documents.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 707584 |
| Entropy (8bit): | 7.411392432394974 |
| Encrypted: | false |
| SSDEEP: | 12288:glSq8Ssox252QHJcERkUE/+0UKwajvvQPOkg7v:gEq9fx2NRGUE/+4waDIxQ |
| MD5: | 970BCE067AE6CDCF4CDF30A0A1F87186 |
| SHA1: | 75B2A8726790CA34DB04A003BA3547A1EB28F3FD |
| SHA-256: | F828F3F4109C84BC59B919C268C2D73ED8F1B327B3C3AFD64184C2DDF2AE3AA5 |
| SHA-512: | 3D57AA017EC7A22302DF6D299CC01EAA93BC26E649021FE25EF88EF8413D665EB1309AF6CAE7EC55B4D8D26C5095C37F0CB44398A6AAF39971A4E936F8833266 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Purchase_Order-Documents.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.411392432394974 |
| TrID: |
|
| File name: | Purchase_Order-Documents.exe |
| File size: | 707584 |
| MD5: | 970bce067ae6cdcf4cdf30a0a1f87186 |
| SHA1: | 75b2a8726790ca34db04a003ba3547a1eb28f3fd |
| SHA256: | f828f3f4109c84bc59b919c268c2d73ed8f1b327b3c3afd64184c2ddf2ae3aa5 |
| SHA512: | 3d57aa017ec7a22302df6d299cc01eaa93bc26e649021fe25ef88ef8413d665eb1309af6cae7ec55b4d8d26c5095c37f0cb44398a6aaf39971a4e936f8833266 |
| SSDEEP: | 12288:glSq8Ssox252QHJcERkUE/+0UKwajvvQPOkg7v:gEq9fx2NRGUE/+4waDIxQ |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.................P..V...r....... ....... ....@.. .......................@............@................................ |
File Icon |
|---|
 | |
| Icon Hash: | d086aab2b2aad403 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4b200a |
| Entrypoint Section: | |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0xE2E2904A [Tue Aug 15 16:48:10 2090 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [004B2000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x103c4 | 0x57 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x292f0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xb2000 | 0x8 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x10000 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| qYIUK | 0x2000 | 0xdb8c | 0xdc00 | False | 1.00046164773 | data | 7.99672559397 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .text | 0x10000 | 0x752b8 | 0x75400 | False | 0.887743203625 | data | 7.85454569485 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x86000 | 0x292f0 | 0x29400 | False | 0.0759943181818 | data | 3.78905338519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xb0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| 0xb2000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.122275881259 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x862b0 | 0x1280 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
| RT_ICON | 0x87530 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4283735867, next used block 4283735867 | ||
| RT_ICON | 0x97d58 | 0x94a8 | data | ||
| RT_ICON | 0xa1200 | 0x5488 | data | ||
| RT_ICON | 0xa6688 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | ||
| RT_ICON | 0xaa8b0 | 0x25a8 | data | ||
| RT_ICON | 0xace58 | 0x10a8 | data | ||
| RT_ICON | 0xadf00 | 0x988 | data | ||
| RT_ICON | 0xae888 | 0x468 | GLS_BINARY_LSB_FIRST | ||
| RT_GROUP_ICON | 0xaecf0 | 0x84 | data | ||
| RT_VERSION | 0xaed74 | 0x390 | data | ||
| RT_MANIFEST | 0xaf104 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright Hotplates 2020-2021 |
| Assembly Version | 2.0.9.0 |
| InternalName | ValueCollection.exe |
| FileVersion | 2.0.9.0 |
| CompanyName | Hotplates |
| LegalTrademarks | |
| Comments | MLT |
| ProductName | Medical Laboratory |
| ProductVersion | 2.0.9.0 |
| FileDescription | Medical Laboratory |
| OriginalFilename | ValueCollection.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 02/25/21-15:15:56.398431 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| 02/25/21-15:16:00.980980 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 25, 2021 15:15:53.859267950 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:54.120907068 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:54.121155977 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:54.802969933 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:54.803484917 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:55.068698883 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:55.074105024 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:55.338762045 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:55.339390993 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:55.606652975 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:55.607539892 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:55.867578983 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:55.867924929 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:56.133550882 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:56.134006977 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:56.394382954 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:56.394401073 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:56.398431063 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:56.398566961 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:56.398678064 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:56.398763895 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:56.656650066 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:56.656682014 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:56.724713087 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:56.766714096 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:57.667551041 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:57.930289984 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:57.930651903 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:57.930708885 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:57.935487032 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:58.198956013 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:58.364896059 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:58.616486073 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:58.618292093 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:59.338344097 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:59.341984987 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:59.608027935 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:59.608469009 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:15:59.872970104 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:15:59.873589039 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.161842108 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:00.162549019 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.425728083 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:00.426069021 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.698580980 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:00.701538086 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.978655100 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:00.978672028 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:00.980613947 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.980979919 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.981322050 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.981331110 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.981564999 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.981827021 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.981928110 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:00.982665062 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:16:01.257108927 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:01.257538080 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:01.258142948 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:01.258312941 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:01.298628092 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:01.367521048 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:16:01.409432888 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:17:33.464570999 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:17:33.745942116 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:17:33.746258974 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
| Feb 25, 2021 15:17:33.746284008 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:17:33.746351004 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 |
| Feb 25, 2021 15:17:34.031064034 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 25, 2021 15:14:00.614456892 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:00.673077106 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:17.773355007 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:17.830391884 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:18.772814035 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:18.821708918 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:19.687643051 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:19.736459970 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:20.519609928 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:20.568279982 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:28.408837080 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:28.467767954 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:32.337611914 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:32.389306068 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:43.031414032 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:43.088355064 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:44.305552006 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:44.354703903 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:47.684875965 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:47.733829975 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:48.976933002 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:49.025506973 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:50.178472042 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:50.230242014 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:52.044712067 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:52.093455076 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:53.168992043 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:53.217766047 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:56.702155113 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:56.750999928 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:14:59.780395985 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:14:59.829229116 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:15:07.089879990 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:15:07.148258924 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:15:18.397152901 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:15:18.446222067 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:15:25.907023907 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:15:25.974898100 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:15:39.689004898 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:15:39.737688065 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:15:40.282181025 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:15:40.349874020 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:15:53.450650930 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:15:53.825484037 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:15:57.986135006 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:15:58.363188982 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:40.012384892 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:40.283049107 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:40.728240013 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:40.791915894 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:41.411791086 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:41.481204987 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:41.849817038 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:41.911187887 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:42.290951014 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:42.351074934 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:42.805290937 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:42.862632990 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:43.302687883 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:43.360616922 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:43.914323092 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:43.974423885 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:44.655744076 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:44.707451105 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5 |
| Feb 25, 2021 15:16:45.099301100 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8 |
| Feb 25, 2021 15:16:45.156717062 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Feb 25, 2021 15:15:53.450650930 CET | 192.168.2.5 | 8.8.8.8 | 0xdd23 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Feb 25, 2021 15:15:57.986135006 CET | 192.168.2.5 | 8.8.8.8 | 0xadbe | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Feb 25, 2021 15:15:53.825484037 CET | 8.8.8.8 | 192.168.2.5 | 0xdd23 | No error (0) | 210.245.86.30 | A (IP address) | IN (0x0001) | ||
| Feb 25, 2021 15:15:58.363188982 CET | 8.8.8.8 | 192.168.2.5 | 0xadbe | No error (0) | 210.245.86.30 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Feb 25, 2021 15:15:54.802969933 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 220 webhost56.fptdata.vn ESMTP Exim 4.92.3 Thu, 25 Feb 2021 21:15:54 +0700 |
| Feb 25, 2021 15:15:54.803484917 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 | EHLO 093954 |
| Feb 25, 2021 15:15:55.068698883 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 250-webhost56.fptdata.vn Hello 093954 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Feb 25, 2021 15:15:55.074105024 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 | AUTH login a2Vob2FjaEBjdXVsb25nY29ycC5jb20udm4= |
| Feb 25, 2021 15:15:55.338762045 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 334 UGFzc3dvcmQ6 |
| Feb 25, 2021 15:15:55.606652975 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 235 Authentication succeeded |
| Feb 25, 2021 15:15:55.607539892 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 | MAIL FROM:<kehoach@cuulongcorp.com.vn> |
| Feb 25, 2021 15:15:55.867578983 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 250 OK |
| Feb 25, 2021 15:15:55.867924929 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 | RCPT TO:<khanhkythuats@davitecco.com> |
| Feb 25, 2021 15:15:56.133550882 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 250 Accepted |
| Feb 25, 2021 15:15:56.134006977 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 | DATA |
| Feb 25, 2021 15:15:56.394401073 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself |
| Feb 25, 2021 15:15:56.398763895 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 | . |
| Feb 25, 2021 15:15:56.724713087 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 250 OK id=1lFHQq-0001WJ-9B |
| Feb 25, 2021 15:15:57.667551041 CET | 49736 | 587 | 192.168.2.5 | 210.245.86.30 | QUIT |
| Feb 25, 2021 15:15:57.930289984 CET | 587 | 49736 | 210.245.86.30 | 192.168.2.5 | 221 webhost56.fptdata.vn closing connection |
| Feb 25, 2021 15:15:59.338344097 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 220 webhost56.fptdata.vn ESMTP Exim 4.92.3 Thu, 25 Feb 2021 21:15:59 +0700 |
| Feb 25, 2021 15:15:59.341984987 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 | EHLO 093954 |
| Feb 25, 2021 15:15:59.608027935 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 250-webhost56.fptdata.vn Hello 093954 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Feb 25, 2021 15:15:59.608469009 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 | AUTH login a2Vob2FjaEBjdXVsb25nY29ycC5jb20udm4= |
| Feb 25, 2021 15:15:59.872970104 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 334 UGFzc3dvcmQ6 |
| Feb 25, 2021 15:16:00.161842108 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 235 Authentication succeeded |
| Feb 25, 2021 15:16:00.162549019 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 | MAIL FROM:<kehoach@cuulongcorp.com.vn> |
| Feb 25, 2021 15:16:00.425728083 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 250 OK |
| Feb 25, 2021 15:16:00.426069021 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 | RCPT TO:<khanhkythuats@davitecco.com> |
| Feb 25, 2021 15:16:00.698580980 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 250 Accepted |
| Feb 25, 2021 15:16:00.701538086 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 | DATA |
| Feb 25, 2021 15:16:00.978672028 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself |
| Feb 25, 2021 15:16:00.982665062 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 | . |
| Feb 25, 2021 15:16:01.367521048 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 250 OK id=1lFHQu-0001WP-S2 |
| Feb 25, 2021 15:17:33.464570999 CET | 49737 | 587 | 192.168.2.5 | 210.245.86.30 | QUIT |
| Feb 25, 2021 15:17:33.745942116 CET | 587 | 49737 | 210.245.86.30 | 192.168.2.5 | 221 webhost56.fptdata.vn closing connection |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 15:14:09 |
| Start date: | 25/02/2021 |
| Path: | C:\Users\user\Desktop\Purchase_Order-Documents.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7e0000 |
| File size: | 707584 bytes |
| MD5 hash: | 970BCE067AE6CDCF4CDF30A0A1F87186 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 15:14:13 |
| Start date: | 25/02/2021 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x12b0000 |
| File size: | 185856 bytes |
| MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 15:14:13 |
| Start date: | 25/02/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7ecfc0000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 15:14:14 |
| Start date: | 25/02/2021 |
| Path: | C:\Users\user\Desktop\Purchase_Order-Documents.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xcd0000 |
| File size: | 707584 bytes |
| MD5 hash: | 970BCE067AE6CDCF4CDF30A0A1F87186 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 01241191, Relevance: 4.7, Strings: 3, Instructions: 980COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01240478, Relevance: 3.2, Strings: 2, Instructions: 708COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01240F68, Relevance: 1.6, APIs: 1, Instructions: 107COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01240F70, Relevance: 1.6, APIs: 1, Instructions: 94COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E88CC73, Relevance: .3, Instructions: 336COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E88A60D, Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E88C470, Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0124E2A8, Relevance: 1.7, APIs: 1, Instructions: 224COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01249478, Relevance: 1.6, APIs: 1, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01249480, Relevance: 1.6, APIs: 1, Instructions: 108COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E887973, Relevance: 1.6, APIs: 1, Instructions: 107COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E887978, Relevance: 1.6, APIs: 1, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01241F99, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01241088, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01241090, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01241FA0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E88B2C8, Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E88B2D0, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01240170, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01242770, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01240118, Relevance: 1.6, APIs: 1, Instructions: 79COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0124E498, Relevance: 1.6, APIs: 1, Instructions: 76COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01242868, Relevance: 1.6, APIs: 1, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E8874E3, Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0124017C, Relevance: 1.6, APIs: 1, Instructions: 73COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E8874E8, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0115D4D8, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0116D01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0116D006, Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0115D4D3, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0115D799, Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0115D798, Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 007ED21B, Relevance: 1.6, Instructions: 1561COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E880007, Relevance: 1.4, Strings: 1, Instructions: 126COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E880040, Relevance: 1.3, Strings: 1, Instructions: 99COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0124EA90, Relevance: .5, Instructions: 524COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0124C0B0, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E883902, Relevance: .2, Instructions: 196COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0E88C480, Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |