Play interactive tour

Edit tour

Analysis Report TNT eInvoice.exe

Overview

General Information

Sample Name:	TNT eInvoice.exe
Analysis ID:	360251
MD5:	faff5ed3bcc8e818de35554887b79efe
SHA1:	93a0f3f8e7bde8694c337f577e96d24a4dec22d9
SHA256:	d714a39018e39b388029e0daa827b9aa90d018c94f0e1978f9c55bbcf43d928a
Tags:	DHLexeSnakeKeylogger
Infos:
Most interesting Screenshot:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM_3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

.NET source code contains very large strings

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected Beds Obfuscator

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Startup

System is w10x64

TNT eInvoice.exe (PID: 6332 cmdline: 'C:\Users\user\Desktop\TNT eInvoice.exe' MD5: FAFF5ED3BCC8E818DE35554887B79EFE)

TNT eInvoice.exe (PID: 6408 cmdline: C:\Users\user\Desktop\TNT eInvoice.exe MD5: FAFF5ED3BCC8E818DE35554887B79EFE)

TNT eInvoice.exe (PID: 6444 cmdline: C:\Users\user\Desktop\TNT eInvoice.exe MD5: FAFF5ED3BCC8E818DE35554887B79EFE)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "sent@pinaudalgasova.ca,%5YLk4Ajd(Rmail.pinaudalgasova.caorisa@pinaudalgasova.ca"}}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.495973738.0000000003069000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: TNT eInvoice.exe PID: 6444	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: TNT eInvoice.exe PID: 6444	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: TNT eInvoice.exe PID: 6444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TNT eInvoice.exe PID: 6332	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: TNT eInvoice.exe PID: 6332	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TNT eInvoice.exe PID: 6332	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.TNT eInvoice.exe.3940fd0.1.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.TNT eInvoice.exe.3940fd0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.TNT eInvoice.exe.400000.0.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
3.2.TNT eInvoice.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.TNT eInvoice.exe.378c720.2.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.TNT eInvoice.exe.378c720.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.TNT eInvoice.exe.3701500.3.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.TNT eInvoice.exe.3701500.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "sent@pinaudalgasova.ca,%5YLk4Ajd(Rmail.pinaudalgasova.caorisa@pinaudalgasova.ca"}}

Multi AV Scanner detection for submitted file

Show sources

Source: TNT eInvoice.exe	Virustotal: Detection: 25%			Perma Link
Source: TNT eInvoice.exe	ReversingLabs: Detection: 15%

Machine Learning detection for sample

Show sources

Source: TNT eInvoice.exe

Joe Sandbox ML: detected

Source: 3.2.TNT eInvoice.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: TNT eInvoice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown

HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49717 version: TLS 1.0

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: TNT eInvoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View	IP Address: 131.186.161.70 131.186.161.70
Source: Joe Sandbox View	IP Address: 104.21.19.200 104.21.19.200

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49717 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/HB
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Cloudfl
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: TNT eInvoice.exe, 00000003.00000002.495264713.000000000140C000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot20L
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.c
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: TNT eInvoice.exe, 00000003.00000002.495264713.000000000140C000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.78
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: TNT eInvoice.exe, 00000003.00000002.495973738.0000000003069000.00000004.00000001.sdmp, TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/C
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

System Summary:

.NET source code contains very large strings

Show sources

Source: TNT eInvoice.exe, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 0.2.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 0.0.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 1.2.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 1.0.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 3.0.TNT eInvoice.exe.c10000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 3.2.TNT eInvoice.exe.c10000.1.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: TNT eInvoice.exe

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230FB20	0_2_0230FB20
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230C2B0	0_2_0230C2B0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230F73D	0_2_0230F73D
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_02309990	0_2_02309990
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1F488	3_2_05B1F488
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1EC50	3_2_05B1EC50
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B11C00	3_2_05B11C00
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B14FA0	3_2_05B14FA0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B147A0	3_2_05B147A0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B13FA0	3_2_05B13FA0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B137F0	3_2_05B137F0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B137E1	3_2_05B137E1
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B10EA8	3_2_05B10EA8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1F1F8	3_2_05B1F1F8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B17932	3_2_05B17932
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B17940	3_2_05B17940
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B10006	3_2_05B10006
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B10040	3_2_05B10040
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06732778	3_2_06732778
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06734740	3_2_06734740
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067307D8	3_2_067307D8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06730040	3_2_06730040
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06734F28	3_2_06734F28
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06730FC0	3_2_06730FC0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06732F88	3_2_06732F88
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06733770	3_2_06733770
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067317A8	3_2_067317A8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06733F58	3_2_06733F58
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06731F90	3_2_06731F90
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06730007	3_2_06730007
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06734F17	3_2_06734F17
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06733760	3_2_06733760
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06731799	3_2_06731799
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06767E68	3_2_06767E68
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06768650	3_2_06768650
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06768E38	3_2_06768E38
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06769620	3_2_06769620
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06769E08	3_2_06769E08
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06766EE8	3_2_06766EE8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067676D0	3_2_067676D0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06764760	3_2_06764760
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06764F48	3_2_06764F48
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06765730	3_2_06765730
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06765F18	3_2_06765F18
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06766700	3_2_06766700
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06762FF8	3_2_06762FF8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06763FC8	3_2_06763FC8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06763790	3_2_06763790
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676A5F0	3_2_0676A5F0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676CDD0	3_2_0676CDD0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676ADD8	3_2_0676ADD8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676B5C0	3_2_0676B5C0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676D5B8	3_2_0676D5B8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676BDA8	3_2_0676BDA8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676C598	3_2_0676C598
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676F278	3_2_0676F278
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676EAC8	3_2_0676EAC8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06760040	3_2_06760040
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06766ED7	3_2_06766ED7
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067676C7	3_2_067676C7
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06762FE8	3_2_06762FE8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06763FBB	3_2_06763FBB
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06760007	3_2_06760007

Source: TNT eInvoice.exe	Binary or memory string: OriginalFilename vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename8MC0UDR6.exe4 vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000000.00000002.237044575.0000000005501000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000000.00000002.237907630.000000000DAB0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs TNT eInvoice.exe
Source: TNT eInvoice.exe	Binary or memory string: OriginalFilename vs TNT eInvoice.exe
Source: TNT eInvoice.exe	Binary or memory string: OriginalFilename vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000003.00000002.492445341.0000000000466000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename8MC0UDR6.exe4 vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000003.00000002.494362718.00000000011D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000003.00000002.493073866.00000000010F6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TNT eInvoice.exe
Source: TNT eInvoice.exe	Binary or memory string: OriginalFilenameStreamingContextStates.exe: vs TNT eInvoice.exe

Source: TNT eInvoice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/2

Source: C:\Users\user\Desktop\TNT eInvoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT eInvoice.exe.log

Jump to behavior

Source: TNT eInvoice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: TNT eInvoice.exe	Virustotal: Detection: 25%
Source: TNT eInvoice.exe	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\TNT eInvoice.exe 'C:\Users\user\Desktop\TNT eInvoice.exe'
Source: unknown	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe
Source: unknown	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe	Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TNT eInvoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TNT eInvoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: TNT eInvoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: TNT eInvoice.exe, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.TNT eInvoice.exe.c10000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.TNT eInvoice.exe.c10000.1.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xDE7CE35A [Tue Apr 13 20:30:18 2088 UTC]

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230D4FC push E8023FFEh; ret	0_2_0230D501
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1BC02 push 8B000003h; iretd	3_2_05B1BC0C
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067621CF push es; retf	3_2_067621D0

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe TID: 6336	Thread sleep time: -104144s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe TID: 6360	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Code function: 3_2_06762D50 LdrInitializeThunk,

3_2_06762D50

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe			Jump to behavior

Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Users\user\Desktop\TNT eInvoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Users\user\Desktop\TNT eInvoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\TNT eInvoice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\TNT eInvoice.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000003.00000002.495973738.0000000003069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping2	Security Software Discovery11	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TNT eInvoice.exe	25%	Virustotal		Browse
TNT eInvoice.exe	15%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
TNT eInvoice.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.TNT eInvoice.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen		Download File

Domains

Source	Detection	Scanner	Link
freegeoip.app	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.org/HB	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.78	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	104.21.19.200	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.com	131.186.161.70	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/HB	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://freegeoip.app/xml/	TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false		high
http://checkip.dyndns.org	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/LoadCountryNameClipboard	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/84.17.52.78	TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
131.186.161.70	unknown	United States		33517	DYNDNSUS	false
104.21.19.200	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	360251
Start date:	01.03.2021
Start time:	17:27:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TNT eInvoice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@3/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 31 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 51.103.5.186, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.132.208.181, 104.43.193.48, 104.43.139.144, 23.211.6.115, 168.61.161.212, 52.255.188.83, 23.218.208.56, 20.82.209.183, 52.155.217.156, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:28:08	API Interceptor	1x Sleep call for process: TNT eInvoice.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
131.186.161.70	YF19NagrPh.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PI.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SH1PMENT DOCUMMENTS.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ORDER0023490923.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	DHL delivery 9808765668,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	AWB 9899691012 Clearance Doc.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	DHL SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Transfer Forms.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	07766554433.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	INVOICE-0899877.jar	Get hash	malicious	Browse	checkip.dyndns.org/
	Proforma_Invoice.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Bankdaten #f6356.pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Neue Bestellung_WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order NX-LI-15-0001.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	mif000262021.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PAYMENT SWIFT USD96110_PDF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	RFQ_#2021-2-25-1.pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Purchase Order#20222502G.exe	Get hash	malicious	Browse	checkip.dyndns.org/
104.21.19.200	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse
	OemRkTcBOc.exe	Get hash	malicious	Browse
	YF19NagrPh.exe	Get hash	malicious	Browse
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse
	MWPGKxTCp3.exe	Get hash	malicious	Browse
	t_DMD5VX.doc	Get hash	malicious	Browse
	y9K4ZA3o3E.exe	Get hash	malicious	Browse
	PO0301020.exe	Get hash	malicious	Browse
	HA00-20505LF.exe	Get hash	malicious	Browse
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse
	order list for best pricing.exe	Get hash	malicious	Browse
	Purchase Order-147000015740.exe	Get hash	malicious	Browse
	Copy_Sample7864576.exe	Get hash	malicious	Browse
	Confirm new order 51119_0014288190BC9,pdf.exe	Get hash	malicious	Browse
	AkbankSubeMevduatEkstre.pdf.exe	Get hash	malicious	Browse
	SH1PMENT DOCUMMENTS.exe	Get hash	malicious	Browse
	ORDER0023490923.exe	Get hash	malicious	Browse
	ORDER009882377343.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
freegeoip.app	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	104.21.19.200
	OemRkTcBOc.exe	Get hash	malicious	Browse	104.21.19.200
	YF19NagrPh.exe	Get hash	malicious	Browse	104.21.19.200
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	172.67.188.154
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	MWPGKxTCp3.exe	Get hash	malicious	Browse	104.21.19.200
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	172.67.188.154
	t_DMD5VX.doc	Get hash	malicious	Browse	104.21.19.200
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	104.21.19.200
	PO0301020.exe	Get hash	malicious	Browse	104.21.19.200
	HA00-20505LF.exe	Get hash	malicious	Browse	104.21.19.200
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	172.67.188.154
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	172.67.188.154
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	104.21.19.200
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	172.67.188.154
	doc02933820210226090207.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	order list for best pricing.exe	Get hash	malicious	Browse	104.21.19.200
	PI.exe	Get hash	malicious	Browse	172.67.188.154
	2189110276, pdf.exe	Get hash	malicious	Browse	172.67.188.154
checkip.dyndns.com	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	216.146.43.71
	OemRkTcBOc.exe	Get hash	malicious	Browse	162.88.193.70
	YF19NagrPh.exe	Get hash	malicious	Browse	131.186.161.70
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	162.88.193.70
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	131.186.161.70
	t_DMD5VX.doc	Get hash	malicious	Browse	162.88.193.70
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	131.186.113.70
	PO0301020.exe	Get hash	malicious	Browse	216.146.43.71
	HA00-20505LF.exe	Get hash	malicious	Browse	131.186.113.70
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	216.146.43.71
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	162.88.193.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	131.186.113.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	216.146.43.70
	doc02933820210226090207.pdf.exe	Get hash	malicious	Browse	216.146.43.70
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	order list for best pricing.exe	Get hash	malicious	Browse	216.146.43.70
	PI.exe	Get hash	malicious	Browse	162.88.193.70
	2189110276, pdf.exe	Get hash	malicious	Browse	162.88.193.70
	1708 210225SEBDBDDHABAN9012598115.exe	Get hash	malicious	Browse	162.88.193.70

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	104.21.19.200
	index_2021-03-01-17_13.dll	Get hash	malicious	Browse	104.20.185.68
	Hs52qascx.dll	Get hash	malicious	Browse	104.20.184.68
	Remittance Advice.xlsx	Get hash	malicious	Browse	23.227.38.74
	OemRkTcBOc.exe	Get hash	malicious	Browse	172.67.188.154
	YF19NagrPh.exe	Get hash	malicious	Browse	104.21.19.200
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase Order 02-28-21.exe	Get hash	malicious	Browse	162.159.135.233
	DZoj4wicd0.dll	Get hash	malicious	Browse	104.20.184.68
	uwq8T3mqDx.dll	Get hash	malicious	Browse	104.20.185.68
	E2uiGA3X2v.dll	Get hash	malicious	Browse	104.20.184.68
	l3EhTHpbDB.exe	Get hash	malicious	Browse	104.23.98.190
	enquries.pdf.exe	Get hash	malicious	Browse	104.21.85.173
	RjIx2AoDBJ.dll	Get hash	malicious	Browse	104.20.185.68
	v2dw80uF0x.dll	Get hash	malicious	Browse	104.20.185.68
	c7xT0JtUU7.dll	Get hash	malicious	Browse	104.20.185.68
	vDhk0cXtAD.dll	Get hash	malicious	Browse	104.20.184.68
	my6vhJ87w0.dll	Get hash	malicious	Browse	104.20.185.68
	lcZA3NDMaU.dll	Get hash	malicious	Browse	104.20.185.68
	grtf.dll	Get hash	malicious	Browse	104.20.185.68
DYNDNSUS	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	216.146.43.71
	OemRkTcBOc.exe	Get hash	malicious	Browse	162.88.193.70
	YF19NagrPh.exe	Get hash	malicious	Browse	162.88.193.70
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	162.88.193.70
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	131.186.161.70
	t_DMD5VX.doc	Get hash	malicious	Browse	216.146.43.71
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	131.186.113.70
	PO0301020.exe	Get hash	malicious	Browse	216.146.43.71
	HA00-20505LF.exe	Get hash	malicious	Browse	131.186.113.70
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	216.146.43.71
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	162.88.193.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	131.186.113.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	216.146.43.70
	doc02933820210226090207.pdf.exe	Get hash	malicious	Browse	216.146.43.70
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	order list for best pricing.exe	Get hash	malicious	Browse	216.146.43.70
	PI.exe	Get hash	malicious	Browse	162.88.193.70
	2189110276, pdf.exe	Get hash	malicious	Browse	162.88.193.70
	1708 210225SEBDBDDHABAN9012598115.exe	Get hash	malicious	Browse	162.88.193.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	104.21.19.200
	prCVRHmsqJ.exe	Get hash	malicious	Browse	104.21.19.200
	oZ8ZPPDTDR.exe	Get hash	malicious	Browse	104.21.19.200
	OemRkTcBOc.exe	Get hash	malicious	Browse	104.21.19.200
	YF19NagrPh.exe	Get hash	malicious	Browse	104.21.19.200
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	104.21.19.200
	y6ZCm1WdfT.exe	Get hash	malicious	Browse	104.21.19.200
	enquries.pdf.exe	Get hash	malicious	Browse	104.21.19.200
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	MWPGKxTCp3.exe	Get hash	malicious	Browse	104.21.19.200
	AYiodsWKVw.exe	Get hash	malicious	Browse	104.21.19.200
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	104.21.19.200
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	104.21.19.200
	PO0301020.exe	Get hash	malicious	Browse	104.21.19.200
	HA00-20505LF.exe	Get hash	malicious	Browse	104.21.19.200
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	104.21.19.200
	HpEA19QthY.exe	Get hash	malicious	Browse	104.21.19.200
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	104.21.19.200
	ORDER01032021rfggfscan.exe	Get hash	malicious	Browse	104.21.19.200
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	104.21.19.200

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT eInvoice.exe.log Download File
Process:	C:\Users\user\Desktop\TNT eInvoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.655722383425868
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	TNT eInvoice.exe
File size:	885760
MD5:	faff5ed3bcc8e818de35554887b79efe
SHA1:	93a0f3f8e7bde8694c337f577e96d24a4dec22d9
SHA256:	d714a39018e39b388029e0daa827b9aa90d018c94f0e1978f9c55bbcf43d928a
SHA512:	2628ca122c9397d8923c95e4018bbd2d92c57f40af1e9c70e17897923d9f886e50a81e462f2c7d7c4b2b411182b500f92393b1397e96bfcd3da40a071555b7e3
SSDEEP:	12288:UGkYyx0W89B8OBI1jkVCMdcDOX4kovIdEteOoda3cAIrYv:bkGNKr1j6CMuDkoQE0OoMs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.\|...............P..x............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4d978e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xDE7CE35A [Tue Apr 13 20:30:18 2088 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [ecx], eax
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd973c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x604	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd9720	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd779c	0xd7800	False	0.582917180249	data	6.66197436233	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x604	0x800	False	0.328125	data	3.42566987801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xda090	0x374	data
RT_MANIFEST	0xda414	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020 - 2021
Assembly Version	8.6.2.0
InternalName	StreamingContextStates.exe
FileVersion	8.6.2.0
CompanyName
LegalTrademarks
Comments
ProductName	Health Point
ProductVersion	8.6.2.0
FileDescription	Health Point
OriginalFilename	StreamingContextStates.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2021 17:28:14.409548998 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.563157082 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.563256025 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.563922882 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.719585896 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.719619989 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.719636917 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.719707966 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.720700026 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.875437975 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.275897026 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.430639982 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.430742025 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.431349039 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.587390900 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.587601900 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.587619066 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.588038921 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.588068962 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.743056059 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:17.925833941 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:17.966944933 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:17.967032909 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.147953033 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.190428019 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.191282034 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.191315889 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.191401958 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.266450882 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.307481050 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.307548046 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.381371975 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.817151070 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.858263969 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.873795986 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.873826981 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.873941898 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:29:59.049171925 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:29:59.090426922 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:29:59.090620995 CET	49717	443	192.168.2.5	104.21.19.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2021 17:27:58.841237068 CET	52704	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:58.890032053 CET	53	52704	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.142966032 CET	52212	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.200284958 CET	53	52212	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.542840004 CET	54302	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.591739893 CET	53	54302	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.666749001 CET	53784	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.699393988 CET	65307	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.716206074 CET	53	53784	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.750547886 CET	53	65307	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.812355042 CET	64344	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.860981941 CET	53	64344	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.892585993 CET	62060	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.942372084 CET	53	62060	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:00.600442886 CET	61805	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:00.649934053 CET	53	61805	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:01.571353912 CET	54795	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:01.619919062 CET	53	54795	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:02.439647913 CET	49557	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:02.500581980 CET	53	49557	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:02.601883888 CET	61733	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:02.652117968 CET	53	61733	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:03.715758085 CET	65447	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:03.765347958 CET	53	65447	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:05.168164968 CET	52441	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:05.219537020 CET	53	52441	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:06.353423119 CET	62176	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:06.402298927 CET	53	62176	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:07.472008944 CET	59596	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:07.529249907 CET	53	59596	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:09.239150047 CET	65296	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:09.290751934 CET	53	65296	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:10.428298950 CET	63183	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:10.476856947 CET	53	63183	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:11.349174023 CET	60151	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:11.399202108 CET	53	60151	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:14.172745943 CET	56969	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:14.223536015 CET	53	56969	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:14.245565891 CET	55161	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:14.294373035 CET	53	55161	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:17.854497910 CET	54757	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:17.912378073 CET	53	54757	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:27.943186045 CET	49992	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:28.002338886 CET	53	49992	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:43.932760000 CET	60075	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:43.983275890 CET	53	60075	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:54.538389921 CET	55016	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:54.595875978 CET	53	55016	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:02.840285063 CET	64345	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:02.947035074 CET	53	64345	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:03.514343977 CET	57128	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:03.586496115 CET	53	57128	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:03.916486979 CET	54791	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:03.977420092 CET	53	54791	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:04.150787115 CET	50463	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:04.210445881 CET	53	50463	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:04.712178946 CET	50394	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:04.794328928 CET	53	50394	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:05.306123018 CET	58530	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:05.355093956 CET	53	58530	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:05.837084055 CET	53813	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:05.894148111 CET	53	53813	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:05.947725058 CET	63732	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:06.007632017 CET	53	63732	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:06.822909117 CET	57344	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:06.888166904 CET	53	57344	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:07.760236025 CET	54450	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:07.839015961 CET	53	54450	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:09.074717045 CET	59261	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:09.136262894 CET	53	59261	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:09.667176962 CET	57151	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:09.716362953 CET	53	57151	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 1, 2021 17:28:14.172745943 CET	192.168.2.5	8.8.8.8	0xcefb	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.245565891 CET	192.168.2.5	8.8.8.8	0x19d5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:17.854497910 CET	192.168.2.5	8.8.8.8	0xbd05	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:17.912378073 CET	8.8.8.8	192.168.2.5	0xbd05	No error (0)	freegeoip.app		104.21.19.200	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:17.912378073 CET	8.8.8.8	192.168.2.5	0xbd05	No error (0)	freegeoip.app		172.67.188.154	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49715	131.186.161.70	80	C:\Users\user\Desktop\TNT eInvoice.exe

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2021 17:28:14.563922882 CET	1489	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 1, 2021 17:28:14.719619989 CET	1490	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49716	131.186.161.70	80	C:\Users\user\Desktop\TNT eInvoice.exe

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2021 17:28:15.431349039 CET	1490	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 1, 2021 17:28:15.587601900 CET	1491	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 1, 2021 17:28:18.191315889 CET	104.21.19.200	443	192.168.2.5	49717	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 10 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Tue Aug 10 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Mar 1, 2021 17:28:18.191315889 CET	104.21.19.200	443	192.168.2.5	49717	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: TNT eInvoice.exe PID: 6332 Parent PID: 5724

General

Start time:	17:28:06
Start date:	01/03/2021
Path:	C:\Users\user\Desktop\TNT eInvoice.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TNT eInvoice.exe'
Imagebase:	0xf0000
File size:	885760 bytes
MD5 hash:	FAFF5ED3BCC8E818DE35554887B79EFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: TNT eInvoice.exe PID: 6408 Parent PID: 6332

General

Start time:	17:28:09
Start date:	01/03/2021
Path:	C:\Users\user\Desktop\TNT eInvoice.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\TNT eInvoice.exe
Imagebase:	0x2a0000
File size:	885760 bytes
MD5 hash:	FAFF5ED3BCC8E818DE35554887B79EFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: TNT eInvoice.exe PID: 6444 Parent PID: 6332

General

Start time:	17:28:10
Start date:	01/03/2021
Path:	C:\Users\user\Desktop\TNT eInvoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\TNT eInvoice.exe
Imagebase:	0xc10000
File size:	885760 bytes
MD5 hash:	FAFF5ED3BCC8E818DE35554887B79EFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.495973738.0000000003069000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: TNT eInvoice.exe PID: 6332 Parent PID: 5724 TNT eInvoice.exeCOMMON

Executed Functions

Function 0230F73D, Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe553757edc0a8db9e89e735b025b09797a0d2f8ef504a00a79d7f9286454c92
Instruction ID: 05d8f918dc8ab1928c2de74ed9ee6dca9fa1cbb28a17bb2b0e36f05b773e9ae2
Opcode Fuzzy Hash: fe553757edc0a8db9e89e735b025b09797a0d2f8ef504a00a79d7f9286454c92
Instruction Fuzzy Hash: 9D711974D04208CFDB14CFAAC5A56EDBBF6AF88304F14C52AD418AB789EB748945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0230FB20, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e574745c2c91ae4e4a76fd7094ffc2796b00615d57a4c15320c8cb4e3104471c
Instruction ID: edfe092caa454467fd7adce5e7fd660524a471d91bf0578058de6a3c7f7880ef
Opcode Fuzzy Hash: e574745c2c91ae4e4a76fd7094ffc2796b00615d57a4c15320c8cb4e3104471c
Instruction Fuzzy Hash: AB910874D042088FCB14DFA9C59569EFBF6BF88304F24C52AD418AB789EB309945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02306B80, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02306BF0
GetCurrentThread.KERNEL32 ref: 02306C2D
GetCurrentProcess.KERNEL32 ref: 02306C6A
GetCurrentThreadId.KERNEL32 ref: 02306CC3

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d253cecd4e8ffd53bb6d8d89207063a6986c44b3768e3a38878e1d0d9d85f839
Instruction ID: 88523111fc6768f76ac0e53104a33b13d3fe83ec4d384daf0b9b0b4dfa88d935
Opcode Fuzzy Hash: d253cecd4e8ffd53bb6d8d89207063a6986c44b3768e3a38878e1d0d9d85f839
Instruction Fuzzy Hash: 5E5156B4D002488FDB54CFA9E689BDEBBF4EF88304F248499E519A7390D7749844CF25

Uniqueness

Uniqueness Score: -1.00%

Function 02306B90, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02306BF0
GetCurrentThread.KERNEL32 ref: 02306C2D
GetCurrentProcess.KERNEL32 ref: 02306C6A
GetCurrentThreadId.KERNEL32 ref: 02306CC3

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: de9eb4a0b2e2608bcf8428bdf315642bf96ea871a8ec2c9c597488756b518539
Instruction ID: 3e6b7eb467bdc58b24af359aa735b25911fe0af3779a41ba89f5e5af752ea0e1
Opcode Fuzzy Hash: de9eb4a0b2e2608bcf8428bdf315642bf96ea871a8ec2c9c597488756b518539
Instruction Fuzzy Hash: E95176B4D002488FDB54CFA9E688B9EBBF4EF88304F248459E609A3390D774A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0230BBB8, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0230BE0E

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: acb09a189a0f976e45cfe2908b7cb6892870be83309aaf16b0761ed0e6fcbdfc
Instruction ID: 55dbe18bfcf633d91798eb2affd35e695a9eea69f04ee1bc0c629d2bc89c1f35
Opcode Fuzzy Hash: acb09a189a0f976e45cfe2908b7cb6892870be83309aaf16b0761ed0e6fcbdfc
Instruction Fuzzy Hash: 36712570A00B058FD764DF29D19575AB7F6FF88208F008929D586D7A80DB35E846CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0230DC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0230DD8A

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f5ad7610c2efd8735eba12e49b0faee02a29312717f8d1b82ba31af58313e662
Instruction ID: 50ff3a3ae5c74915b147447a5b6da7eb966f2ab3fcc0b3a946e729a84d623736
Opcode Fuzzy Hash: f5ad7610c2efd8735eba12e49b0faee02a29312717f8d1b82ba31af58313e662
Instruction Fuzzy Hash: F751CFB1D00259DFDF14CFA9C884ADEBBB1FF48314F24812AE819AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0230DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0230DD8A

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3f7bf56014b36e23af8894b6a07831099ee35db53f01972530b83eb3660e53ed
Instruction ID: 4482ba822ebd3948e9dcede9d746d35b97038ab8c411f4b7f1ac336308466255
Opcode Fuzzy Hash: 3f7bf56014b36e23af8894b6a07831099ee35db53f01972530b83eb3660e53ed
Instruction Fuzzy Hash: 4941BDB1D102599FDF14CFE9C884ADEBBB6FF88314F24852AE819AB250D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02306D41, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02306E3F

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2dc8430338e4e0cfcfc0d252ae85e1b510c800115c0aabaa9e762e7033235812
Instruction ID: a3762d5b14b7b2906d47a44a88f50c0d1d5d09a5ed8b780855687c8134a0a25b
Opcode Fuzzy Hash: 2dc8430338e4e0cfcfc0d252ae85e1b510c800115c0aabaa9e762e7033235812
Instruction Fuzzy Hash: DC416B76900248AFCF11CFA9D985AEEBFF9EF48310F14805AEA54A7350C3359925CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02306DB0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02306E3F

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 75126fbc739c97f95d3dcc31e3b6d359488c08819fd3392ff7fbfe733de6a4c6
Instruction ID: 1f840c9a0b48ac8162331aedb65b6370c1acfa2ade7468615ff3f327ed6f6e7a
Opcode Fuzzy Hash: 75126fbc739c97f95d3dcc31e3b6d359488c08819fd3392ff7fbfe733de6a4c6
Instruction Fuzzy Hash: B72100B5D002489FCB10CFA9D989BEEBBF9EF48324F14841AE914A7350C374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02306DB8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02306E3F

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 34622d343d63694c540079ca65de022b8620a58bd5fb1a4847c9f00c3c0cf6a2
Instruction ID: b50da937beae0aef91c03baac5ea885ab571dcfd436c9966159fb93508c062c7
Opcode Fuzzy Hash: 34622d343d63694c540079ca65de022b8620a58bd5fb1a4847c9f00c3c0cf6a2
Instruction Fuzzy Hash: B321C2B5D002589FDB10CFA9D984BDEBBF9EB48324F14841AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0230B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0230BE89,00000800,00000000,00000000), ref: 0230C09A

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: efdb50a3298cf65599333870aab187f8d5f8405426b2ee791e46edeb42387126
Instruction ID: 0f975cec73bb14774b9d4a997be32220cde369741d5d3484808be16f28ac8836
Opcode Fuzzy Hash: efdb50a3298cf65599333870aab187f8d5f8405426b2ee791e46edeb42387126
Instruction Fuzzy Hash: B91103B6D002088FCB10CFAAD488B9EFBF8EB98354F04892AD915A7640C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0230C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0230BE89,00000800,00000000,00000000), ref: 0230C09A

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a08f2fb423957d60c9b142c5f6284e1d1af2897567d529591885a395f2a60f00
Instruction ID: a68521ec8f74d7764399312c7ef711993982f95938b44003e836b953832c7c7d
Opcode Fuzzy Hash: a08f2fb423957d60c9b142c5f6284e1d1af2897567d529591885a395f2a60f00
Instruction Fuzzy Hash: EA1117B6D002498FCB10CFA9D488BDEFBF5EB98314F15851ED415A7240C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0230BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0230BE0E

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c531cddfd0f8a2800d0949ae5a421b26d1a0cfea1cd6bd78dde9be2f562662b7
Instruction ID: 8dd617b5dd62dc93e628eb15cebdc40e57b4b6a8813a2c0b5deee68bc7492c34
Opcode Fuzzy Hash: c531cddfd0f8a2800d0949ae5a421b26d1a0cfea1cd6bd78dde9be2f562662b7
Instruction Fuzzy Hash: 8E1110B5C002498FCB10CF9AD484BDFFBF5EB88228F14841AD819A7640C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0230DEB9, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0230DF1D

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1e5f11095cb3d99d71105de2f0f449a7716c3df770c2431ca4a7b0dda163cefc
Instruction ID: 140abaf0f686843c12fe81259855ed8eaae12d32196a20b601bfe20aa2684ece
Opcode Fuzzy Hash: 1e5f11095cb3d99d71105de2f0f449a7716c3df770c2431ca4a7b0dda163cefc
Instruction Fuzzy Hash: 171112B5900249CFDB10CF99D588BDFBBF8EB98324F14845AE919A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0230DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0230DF1D

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 806f6a46271bb0822de5e8efac0aa2a89828d2c7d7dd72f817f64f8f2782e721
Instruction ID: 60049ce162ccd0509d787984ccd17a9fd3ecbdaded49f8ca825a8689e5933e49
Opcode Fuzzy Hash: 806f6a46271bb0822de5e8efac0aa2a89828d2c7d7dd72f817f64f8f2782e721
Instruction Fuzzy Hash: A0111EB58003488FDB10CF9AD488BDFBBF8EB98324F14841AE919A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232500529.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29316cbe0ef1969cc59c9a0cc27b0aa64d1b306f1e87c5aff225e5a53b1293b5
Instruction ID: ec545befe3844f50eb4f9d4c0c2d9477c25055d701268063be6d01e941e7b483
Opcode Fuzzy Hash: 29316cbe0ef1969cc59c9a0cc27b0aa64d1b306f1e87c5aff225e5a53b1293b5
Instruction Fuzzy Hash: 9F2149B1504240EFCB09EF14D9C4F27BF75FB98328F24856AE9054B286C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232519987.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc461749eccbddc528d4145eb19c9f0c170f570c9112accdfed57fe5a4a598b
Instruction ID: 426de88b7421696c73d59a738ba8f9e29eadac81d75cd5d6c27a615945bebeff
Opcode Fuzzy Hash: 0dc461749eccbddc528d4145eb19c9f0c170f570c9112accdfed57fe5a4a598b
Instruction Fuzzy Hash: C9210471608240EFDF14CF24D9C4B26BBA5FB84318F24C969D94B4B246C33AD887CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232519987.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d662004104baf82045ffe028ee606f2a36d8fbd954cc2dab10a68406eb178ecf
Instruction ID: 322508c7cfc6e3cf6098a8820219ba43278f6375cb14c96dba13e5897d75ddf8
Opcode Fuzzy Hash: d662004104baf82045ffe028ee606f2a36d8fbd954cc2dab10a68406eb178ecf
Instruction Fuzzy Hash: 0F21C3755093808FDB02CF20D994B15BFB1FB46314F28C5EAD8498B697C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232500529.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdcb83618f214e70205b7714ad004fa8237fb1459ab3c7e60193ad4a9fb76a7
Instruction ID: 818e482c6bba191628628001821d4b189b77c87ff3ca8a43847dfc50c400d55b
Opcode Fuzzy Hash: ecdcb83618f214e70205b7714ad004fa8237fb1459ab3c7e60193ad4a9fb76a7
Instruction Fuzzy Hash: F311D376504280DFCB15DF10D5C4B16BF71FB94324F2886AAD8050B656C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D799, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232500529.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef3548785dbfcda3fe5197d9925b354a2abaca3282351f69750e16f04ba0164
Instruction ID: f0b39375a759792faf20cc3f7ebfa8d8140d7c1137e821bba6eded2f8bc19ac4
Opcode Fuzzy Hash: 1ef3548785dbfcda3fe5197d9925b354a2abaca3282351f69750e16f04ba0164
Instruction Fuzzy Hash: CA01A7718083809AE7216B16CC84B66FBA8EF51764F18855AEE045A2C6C7799844CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D798, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232500529.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1df6b153ed3a7ad421e8bc1a70c0ac63efee064eed2afd6f5ed0358cf182db
Instruction ID: 1a6c4dcaf889b03f084a5c3ee150ccb5875f5e39d802575133a1d4aa0511008a
Opcode Fuzzy Hash: bf1df6b153ed3a7ad421e8bc1a70c0ac63efee064eed2afd6f5ed0358cf182db
Instruction Fuzzy Hash: 0AF062718043849AEB209B16DC84B62FFA8EB51774F18C55AED085B286C3799C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0230C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ce20f3242dffe13ae808bbafd4f38f996dae398a3cad2c85f66b21aeac65a4
Instruction ID: 36b59d20aadff4cd71dd6c6db065bd5ce024034e80a5dd0c0834f5908ce9a6ac
Opcode Fuzzy Hash: 66ce20f3242dffe13ae808bbafd4f38f996dae398a3cad2c85f66b21aeac65a4
Instruction Fuzzy Hash: 495268F19827268BD712CF18F4C86997BB9FB40318FD14A09D161DBAD0D3B4656ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 02309990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232666560.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baafd004515be51bac9edb4624164ed9baea2e8713807a2f1171357001d21a8f
Instruction ID: 473d1b9dd5c5a3fac0d7162d42fbb69b3aa7a0fd39e8c10e65bb0c54a1dc1ae6
Opcode Fuzzy Hash: baafd004515be51bac9edb4624164ed9baea2e8713807a2f1171357001d21a8f
Instruction Fuzzy Hash: 83A19A32E0060A8FCF15DFA5C89459EFBB3FF85304B15856AE905BB261EB30A916CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: TNT eInvoice.exe PID: 6444 Parent PID: 6332 TNT eInvoice.exeCOMMON

Executed Functions

Function 06760040, Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1879libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06760927

Strings

Y, xrefs: 06761FD4

Memory Dump Source

Source File: 00000003.00000002.500640582.0000000006760000.00000040.00000001.sdmp, Offset: 06760000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 4bee6a0665940d404b0a3f844e476261e188a2be2700564588530e5271fcbb14
Instruction ID: 88e64efa99b866fe3a113fc345be58a0f3cf6c701603ba83b90c2fa70ea6987d
Opcode Fuzzy Hash: 4bee6a0665940d404b0a3f844e476261e188a2be2700564588530e5271fcbb14
Instruction Fuzzy Hash: 2E131A70D10619CECB65EF69C894AEDF7B1BF89304F51C699E458AB211EB70AAC4CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06760007, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 795libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06760927

Strings

Y, xrefs: 06761FD4

Memory Dump Source

Source File: 00000003.00000002.500640582.0000000006760000.00000040.00000001.sdmp, Offset: 06760000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: b40fe37cc08fdcc0528f3e7d951e3564857f6753fca65a3ca4ab991b52bc9fda
Instruction ID: d63d98fc13f687c468a936e2e3da0ab9942f98a9b377d56053ee5518570934c0
Opcode Fuzzy Hash: b40fe37cc08fdcc0528f3e7d951e3564857f6753fca65a3ca4ab991b52bc9fda
Instruction Fuzzy Hash: 4B821A70D106198FCB64DFA9C884A9DF7F1BF89304F54C69AD558AB211EB70AAC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05B1F488, Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.500373132.0000000005B10000.00000040.00000001.sdmp, Offset: 05B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b5d245d0bf6fd2fb7cae84b258016758d9dd5a14eb63f3ee872f8adbcb333b
Instruction ID: 7ff6474813b910cf059e5a60c1b815ea8e188979b38fdae283b73ea6c53a6752
Opcode Fuzzy Hash: 10b5d245d0bf6fd2fb7cae84b258016758d9dd5a14eb63f3ee872f8adbcb333b
Instruction Fuzzy Hash: 4A22A370B042189FDB64EB79C8587AEB6E3AFC9340F54C469D90AEB780DE74AC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05B1EC50, Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.500373132.0000000005B10000.00000040.00000001.sdmp, Offset: 05B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639cd355ce5f8e5f0502eb25e98c097864e2e4109c44bb15434405850b741d62
Instruction ID: 789985c5b28500af6c7c04d6a85d41750b9ca2e730e83b24e74f6621d06bba94
Opcode Fuzzy Hash: 639cd355ce5f8e5f0502eb25e98c097864e2e4109c44bb15434405850b741d62
Instruction Fuzzy Hash: 00E1E130B042049FDB64EB78881976EBAE7AFCA304F548879E91ADB381DE34EC45C755

Uniqueness

Uniqueness Score: -1.00%

Function 06762D50, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.500640582.0000000006760000.00000040.00000001.sdmp, Offset: 06760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c0e03dee51276ad495f8b8781563c7380e6faf81cbc5e202f9b9864b0dc53c
Instruction ID: 2ecac3d04515546cd57b67f0fa2f8466d67d8cf0df902cceaea0c8ca701771e3
Opcode Fuzzy Hash: 19c0e03dee51276ad495f8b8781563c7380e6faf81cbc5e202f9b9864b0dc53c
Instruction Fuzzy Hash: 29314B74A001099FDB44CFA5D5C4A9DFBB2BF84314F25C669E8046B286C735AE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06762A08, Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06762C2C

Memory Dump Source

Source File: 00000003.00000002.500640582.0000000006760000.00000040.00000001.sdmp, Offset: 06760000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4e8d9564c5e82747024b09b261464ec4d3f9820fba38dff853d8627022b11770
Instruction ID: 192f1a25afbf8d4ef5951b57f05607c4bfbe39e4d4b3edccccae823bc099521f
Opcode Fuzzy Hash: 4e8d9564c5e82747024b09b261464ec4d3f9820fba38dff853d8627022b11770
Instruction Fuzzy Hash: DC712230A04208DFCB55DF69C8847EDBBF1FF85314F15816AE914AB392CB789885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0673C514, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0673CA96,?,?,?,?,?), ref: 0673CB57

Memory Dump Source

Source File: 00000003.00000002.500594581.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8bc64de6d2648a48bef6f278ed645e13ed6d10809732b91c217d48476abeee00
Instruction ID: 9df00d7266ce4cd3b1c8c701b3df53b19a4c81ab709466605f745953a17e6ac4
Opcode Fuzzy Hash: 8bc64de6d2648a48bef6f278ed645e13ed6d10809732b91c217d48476abeee00
Instruction Fuzzy Hash: 5521E3B5D00218DFDB10CFA9D884AEEBBF8EB48324F14842AE914B7311D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0673CAC9, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0673CA96,?,?,?,?,?), ref: 0673CB57

Memory Dump Source

Source File: 00000003.00000002.500594581.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 06ed5d98d2a1f289aa461e10f0cbf615e9b575333dead0a485ddb3d12d4bcc85
Instruction ID: 9b907de71229ae5211d088266f80b39dedc3c5c30a57461b19b288141c037830
Opcode Fuzzy Hash: 06ed5d98d2a1f289aa461e10f0cbf615e9b575333dead0a485ddb3d12d4bcc85
Instruction Fuzzy Hash: F821D2B5D002589FDB00CFA9D984BDEBBF4EB48224F14841AE918B7311D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B1E94F, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.500373132.0000000005B10000.00000040.00000001.sdmp, Offset: 05B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3d9472a58bf847632f0c96f7ffaa1c5d70db2ae8d80d732438584647f1fef5
Instruction ID: be3ca7a7be4d5ba8f034e8c85e57df4c279565b5d103d284816c17b0384c2424
Opcode Fuzzy Hash: eb3d9472a58bf847632f0c96f7ffaa1c5d70db2ae8d80d732438584647f1fef5
Instruction Fuzzy Hash: 0D91AB317402269FCF44EB68C855B7F7BABFB88354F948468EA069B280CB70EC45C795

Uniqueness

Uniqueness Score: -1.00%

Function 05B1E868, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.500373132.0000000005B10000.00000040.00000001.sdmp, Offset: 05B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde2c49fa4af0684b866aa2d0b4c4bd1215c60ee62dc71a2c1d0c991279dd88f
Instruction ID: b38c961124fa1d6c8c25a6af33be2b5556acff3c5036fee026982fa5c00e3093
Opcode Fuzzy Hash: bde2c49fa4af0684b866aa2d0b4c4bd1215c60ee62dc71a2c1d0c991279dd88f
Instruction Fuzzy Hash: 7121573160020ADFCF55AF15D8449BE7BAAFB88360F848468FD069B250CB36EC61DB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report TNT eInvoice.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Snake Keylogger

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations