Play interactive tour
Edit tourAnalysis Report RQF 100021790.exe
Overview
General Information
| Sample Name: | RQF 100021790.exe |
| Analysis ID: | 385385 |
| MD5: | 31f58bbbd330f886e422d44e9c21dbf4 |
| SHA1: | 1795b60a6f387dec4ac7a6c38119efa0138bdff7 |
| SHA256: | c289703ef1a3645d2c1653c0f571a9abdeec2b404df429196c2523b0b17d9c4c |
| Tags: | AgentTesla |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "SMTP Info": "ekwe@yillyenterprise.com^1.kk2[?w-Yzmail.yillyenterprise.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| Click to see the 2 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Code function: | 0_2_00BC929D | |
| Source: | Code function: | 0_2_014DC164 | |
| Source: | Code function: | 0_2_014DE5A0 | |
| Source: | Code function: | 0_2_014DE5B0 | |
| Source: | Code function: | 0_2_00BC9BE6 | |
| Source: | Code function: | 2_2_0001929D | |
| Source: | Code function: | 2_2_00019BE6 | |
| Source: | Code function: | 3_2_0053929D | |
| Source: | Code function: | 3_2_027F46A0 | |
| Source: | Code function: | 3_2_027F45B0 | |
| Source: | Code function: | 3_2_027FDA00 | |
| Source: | Code function: | 3_2_05C77540 | |
| Source: | Code function: | 3_2_05C794F8 | |
| Source: | Code function: | 3_2_05C76C70 | |
| Source: | Code function: | 3_2_05C76928 | |
| Source: | Code function: | 3_2_05F326B8 | |
| Source: | Code function: | 3_2_05F3A1A0 | |
| Source: | Code function: | 3_2_05F3AC49 | |
| Source: | Code function: | 3_2_05F3F4B0 | |
| Source: | Code function: | 3_2_05F38C50 | |
| Source: | Code function: | 3_2_05F5A7D0 | |
| Source: | Code function: | 3_2_05F57E20 | |
| Source: | Code function: | 3_2_05F5007A | |
| Source: | Code function: | 3_2_05F5AF30 | |
| Source: | Code function: | 3_2_05F5E818 | |
| Source: | Code function: | 3_2_05F552D0 | |
| Source: | Code function: | 3_2_00539BE6 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00BCB032 | |
| Source: | Code function: | 0_2_00BCAEE2 | |
| Source: | Code function: | 0_2_00BCB024 | |
| Source: | Code function: | 2_2_0001AEE2 | |
| Source: | Code function: | 2_2_0001B024 | |
| Source: | Code function: | 2_2_0001B032 | |
| Source: | Code function: | 3_2_0053B024 | |
| Source: | Code function: | 3_2_0053AEE2 | |
| Source: | Code function: | 3_2_0053B032 | |
| Source: | Code function: | 3_2_027F8C02 | |
| Source: | Code function: | 3_2_027F8C32 | |
| Source: | Code function: | 3_2_05C725D2 | |
| Source: | Code function: | 3_2_05C725E2 | |
| Source: | Code function: | 3_2_05C725B2 | |
| Source: | Code function: | 3_2_05C725F2 | |
| Source: | Code function: | 3_2_05C72602 | |
| Source: | Code function: | 3_2_05C725A2 | |
| Source: | Code function: | 3_2_05C725B2 | |
| Source: | Code function: | 3_2_05C725C2 | |
| Source: | Code function: | 3_2_05C72582 | |
| Source: | Code function: | 3_2_05C7572A | |
| Source: | Code function: | 3_2_05C7573A | |
| Source: | Code function: | 3_2_05C72622 | |
| Source: | Code function: | 3_2_05C72612 | |
| Source: | Code function: | 3_2_05C72622 | |
| Source: | Code function: | 3_2_05F534ED | |
| Source: | Static PE information: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM3 | Show sources | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_05C7C5A8 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 3_2_05C75A94 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing3 | NTDS | Security Software Discovery211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp1 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion131 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection12 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 31% | Virustotal | Browse | ||
| 15% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| yillyenterprise.com | 103.6.198.237 | true | true |
| unknown |
| mail.yillyenterprise.com | unknown | unknown | true |
| unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 103.6.198.237 | yillyenterprise.com | Malaysia | 46015 | EXABYTES-AS-APExaBytesNetworkSdnBhdMY | true |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Emerald |
| Analysis ID: | 385385 |
| Start date: | 12.04.2021 |
| Start time: | 12:13:12 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 11s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | RQF 100021790.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 30 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@5/2@4/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 12:14:00 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 103.6.198.237 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| EXABYTES-AS-APExaBytesNetworkSdnBhdMY | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\RQF 100021790.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1216 |
| Entropy (8bit): | 5.355304211458859 |
| Encrypted: | false |
| SSDEEP: | 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr |
| MD5: | FED34146BF2F2FA59DCF8702FCC8232E |
| SHA1: | B03BFEA175989D989850CF06FE5E7BBF56EAA00A |
| SHA-256: | 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C |
| SHA-512: | 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6 |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\RQF 100021790.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.6970840431455908 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 |
| MD5: | 00681D89EDDB6AD25E6F4BD2E66C61C6 |
| SHA1: | 14B2FBFB460816155190377BBC66AB5D2A15F7AB |
| SHA-256: | 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 |
| SHA-512: | 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.891722616606059 |
| TrID: |
|
| File name: | RQF 100021790.exe |
| File size: | 719360 |
| MD5: | 31f58bbbd330f886e422d44e9c21dbf4 |
| SHA1: | 1795b60a6f387dec4ac7a6c38119efa0138bdff7 |
| SHA256: | c289703ef1a3645d2c1653c0f571a9abdeec2b404df429196c2523b0b17d9c4c |
| SHA512: | 13c8c5151da7a0ac3409e7c7f2d50ec761377035694275b96f82c77e13979504bd05c68ae5d3a3bcb2fa6d5735f2433e4c98be0ad97e5aa6625f2f820bc542ec |
| SSDEEP: | 12288:N67nnN27JO4zaE+ThxgcHzQC3n0eKR7gZxzhpsFifL:5I4zbYgor3nhX |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....j...............0......L........... ........@.. .......................`............@................................ |
File Icon |
|---|
 | |
| Icon Hash: | b04c9e9ab2c66a92 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4acb9a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0xCB6A8586 [Tue Feb 22 11:44:06 2078 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xacb48 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x495c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xacb2c | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xaaba0 | 0xaac00 | False | 0.904438426519 | data | 7.89427057508 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xae000 | 0x495c | 0x4a00 | False | 0.932010135135 | data | 7.8688533795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xb4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xae130 | 0x42c1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
| RT_GROUP_ICON | 0xb23f4 | 0x14 | data | ||
| RT_VERSION | 0xb2408 | 0x366 | data | ||
| RT_MANIFEST | 0xb2770 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright Integra Wealth |
| Assembly Version | 1.8.9.10 |
| InternalName | wu.exe |
| FileVersion | 1.9.1.0 |
| CompanyName | Integra Wealth |
| LegalTrademarks | |
| Comments | |
| ProductName | ReplacementFallback |
| ProductVersion | 1.9.1.0 |
| FileDescription | ReplacementFallback |
| OriginalFilename | wu.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/12/21-12:15:45.696184 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| 04/12/21-12:15:50.878674 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 12, 2021 12:15:42.762054920 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:43.071121931 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:43.071336985 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:43.782385111 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:43.783063889 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:44.092108965 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:44.094373941 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:44.402190924 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:44.402662039 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:44.751108885 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:44.752495050 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:44.761033058 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:45.069158077 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:45.072818041 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:45.383188963 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:45.383842945 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:45.690876007 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:45.690944910 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:45.696183920 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:45.696470976 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:45.696624041 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:45.696784019 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:46.004097939 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:46.004144907 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:46.441358089 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:46.490317106 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:47.621572971 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:47.930361032 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:47.930761099 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:47.932034016 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:48.096860886 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:48.239238977 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:48.391484976 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:48.391783953 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:49.080897093 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:49.081491947 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:49.373914003 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:49.374644995 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:49.668432951 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:49.669471025 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:49.994201899 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:49.994524956 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.288446903 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:50.288921118 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.585438967 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:50.585814953 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.876641035 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:50.876692057 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:50.878473997 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.878674030 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.878762007 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.878869057 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.879036903 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.879120111 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.879215956 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:50.879287958 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
| Apr 12, 2021 12:15:51.170461893 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:51.170726061 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:51.170878887 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:51.625159025 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 |
| Apr 12, 2021 12:15:51.678492069 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 12, 2021 12:13:51.586704969 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:13:52.469470024 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:13:52.520422935 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:13:53.392422915 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:13:53.441185951 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:13:54.293262959 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:13:54.342257977 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:13:55.530160904 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:13:55.581937075 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:13:57.751872063 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:13:57.811475039 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:13:58.640142918 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:13:58.688821077 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:13:59.625888109 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:13:59.675868034 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:05.710988998 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:05.759812117 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:07.595828056 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:07.647330046 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:08.479594946 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:08.528533936 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:19.542860031 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:19.596565962 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:20.452672005 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:20.501466036 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:23.887476921 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:23.939207077 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:25.828679085 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:25.882148981 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:26.902961016 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:26.951574087 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:27.705231905 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:27.753947973 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:28.474406004 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:28.533435106 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:29.341681004 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:29.400687933 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:29.711903095 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:29.772387981 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:38.205297947 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:38.264327049 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:46.517821074 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:46.570503950 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:50.567768097 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:50.673624992 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:51.201191902 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:51.345591068 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:51.524884939 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:51.599174976 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:51.936480045 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:51.999366999 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:52.471220016 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:52.528228045 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:53.073225021 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:53.156069994 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:53.753889084 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:53.810863972 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:54.299735069 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:54.359675884 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:55.132415056 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:55.226861000 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:56.321180105 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:56.372930050 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:14:57.363403082 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:14:57.420798063 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:02.112020016 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:02.160840988 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:06.356405020 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:06.424463987 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:07.379235029 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:07.437526941 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:37.663800001 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:37.712726116 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:39.711788893 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:39.782140970 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:42.064769983 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:42.254080057 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:42.276153088 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:42.655107975 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:47.973196983 CEST | 62938 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:48.032934904 CEST | 53 | 62938 | 8.8.8.8 | 192.168.2.3 |
| Apr 12, 2021 12:15:48.046407938 CEST | 55708 | 53 | 192.168.2.3 | 8.8.8.8 |
| Apr 12, 2021 12:15:48.095315933 CEST | 53 | 55708 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Apr 12, 2021 12:15:42.064769983 CEST | 192.168.2.3 | 8.8.8.8 | 0x6128 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 12, 2021 12:15:42.276153088 CEST | 192.168.2.3 | 8.8.8.8 | 0xaab | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 12, 2021 12:15:47.973196983 CEST | 192.168.2.3 | 8.8.8.8 | 0xa834 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 12, 2021 12:15:48.046407938 CEST | 192.168.2.3 | 8.8.8.8 | 0xe4ea | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Apr 12, 2021 12:15:42.254080057 CEST | 8.8.8.8 | 192.168.2.3 | 0x6128 | No error (0) | yillyenterprise.com | CNAME (Canonical name) | IN (0x0001) | ||
| Apr 12, 2021 12:15:42.254080057 CEST | 8.8.8.8 | 192.168.2.3 | 0x6128 | No error (0) | 103.6.198.237 | A (IP address) | IN (0x0001) | ||
| Apr 12, 2021 12:15:42.655107975 CEST | 8.8.8.8 | 192.168.2.3 | 0xaab | No error (0) | yillyenterprise.com | CNAME (Canonical name) | IN (0x0001) | ||
| Apr 12, 2021 12:15:42.655107975 CEST | 8.8.8.8 | 192.168.2.3 | 0xaab | No error (0) | 103.6.198.237 | A (IP address) | IN (0x0001) | ||
| Apr 12, 2021 12:15:48.032934904 CEST | 8.8.8.8 | 192.168.2.3 | 0xa834 | No error (0) | yillyenterprise.com | CNAME (Canonical name) | IN (0x0001) | ||
| Apr 12, 2021 12:15:48.032934904 CEST | 8.8.8.8 | 192.168.2.3 | 0xa834 | No error (0) | 103.6.198.237 | A (IP address) | IN (0x0001) | ||
| Apr 12, 2021 12:15:48.095315933 CEST | 8.8.8.8 | 192.168.2.3 | 0xe4ea | No error (0) | yillyenterprise.com | CNAME (Canonical name) | IN (0x0001) | ||
| Apr 12, 2021 12:15:48.095315933 CEST | 8.8.8.8 | 192.168.2.3 | 0xe4ea | No error (0) | 103.6.198.237 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Apr 12, 2021 12:15:43.782385111 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 220-naan.mschosting.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 18:15:42 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Apr 12, 2021 12:15:43.783063889 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 | EHLO 305090 |
| Apr 12, 2021 12:15:44.092108965 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 250-naan.mschosting.com Hello 305090 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Apr 12, 2021 12:15:44.094373941 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 | AUTH login ZWt3ZUB5aWxseWVudGVycHJpc2UuY29t |
| Apr 12, 2021 12:15:44.402190924 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Apr 12, 2021 12:15:44.752495050 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 235 Authentication succeeded |
| Apr 12, 2021 12:15:44.761033058 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 | MAIL FROM:<ekwe@yillyenterprise.com> |
| Apr 12, 2021 12:15:45.069158077 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 250 OK |
| Apr 12, 2021 12:15:45.072818041 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 | RCPT TO:<ekwe@yillyenterprise.com> |
| Apr 12, 2021 12:15:45.383188963 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 250 Accepted |
| Apr 12, 2021 12:15:45.383842945 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 | DATA |
| Apr 12, 2021 12:15:45.690944910 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Apr 12, 2021 12:15:45.696784019 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 | . |
| Apr 12, 2021 12:15:46.441358089 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 250 OK id=1lVtbc-0001fd-2u |
| Apr 12, 2021 12:15:47.621572971 CEST | 49753 | 587 | 192.168.2.3 | 103.6.198.237 | QUIT |
| Apr 12, 2021 12:15:47.930361032 CEST | 587 | 49753 | 103.6.198.237 | 192.168.2.3 | 221 naan.mschosting.com closing connection |
| Apr 12, 2021 12:15:49.080897093 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 220-naan.mschosting.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 18:15:47 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Apr 12, 2021 12:15:49.081491947 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 | EHLO 305090 |
| Apr 12, 2021 12:15:49.373914003 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 250-naan.mschosting.com Hello 305090 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Apr 12, 2021 12:15:49.374644995 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 | AUTH login ZWt3ZUB5aWxseWVudGVycHJpc2UuY29t |
| Apr 12, 2021 12:15:49.668432951 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Apr 12, 2021 12:15:49.994201899 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 235 Authentication succeeded |
| Apr 12, 2021 12:15:49.994524956 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 | MAIL FROM:<ekwe@yillyenterprise.com> |
| Apr 12, 2021 12:15:50.288446903 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 250 OK |
| Apr 12, 2021 12:15:50.288921118 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 | RCPT TO:<ekwe@yillyenterprise.com> |
| Apr 12, 2021 12:15:50.585438967 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 250 Accepted |
| Apr 12, 2021 12:15:50.585814953 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 | DATA |
| Apr 12, 2021 12:15:50.876692057 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
| Apr 12, 2021 12:15:50.879287958 CEST | 49754 | 587 | 192.168.2.3 | 103.6.198.237 | . |
| Apr 12, 2021 12:15:51.625159025 CEST | 587 | 49754 | 103.6.198.237 | 192.168.2.3 | 250 OK id=1lVtbh-0001iB-8z |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 12:13:59 |
| Start date: | 12/04/2021 |
| Path: | C:\Users\user\Desktop\RQF 100021790.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbc0000 |
| File size: | 719360 bytes |
| MD5 hash: | 31F58BBBD330F886E422D44E9C21DBF4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 12:14:02 |
| Start date: | 12/04/2021 |
| Path: | C:\Users\user\Desktop\RQF 100021790.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x10000 |
| File size: | 719360 bytes |
| MD5 hash: | 31F58BBBD330F886E422D44E9C21DBF4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
General |
|---|
| Start time: | 12:14:02 |
| Start date: | 12/04/2021 |
| Path: | C:\Users\user\Desktop\RQF 100021790.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 719360 bytes |
| MD5 hash: | 31F58BBBD330F886E422D44E9C21DBF4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 014DE5A0, Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014DFCC0, Relevance: 1.7, APIs: 1, Instructions: 152COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014DDDF0, Relevance: 1.6, APIs: 1, Instructions: 139COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014DDE0C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014D5365, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014D3DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014D9800, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014DB8F0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014D9869, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014D9870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00BC929D, Relevance: 1.3, Instructions: 1264COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014DE5B0, Relevance: .3, Instructions: 315COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 014DC164, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05C75A94, Relevance: 1.6, APIs: 1, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05C75873, Relevance: 1.8, APIs: 1, Instructions: 295COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05C75AA8, Relevance: 1.7, APIs: 1, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F500F, Relevance: 1.7, APIs: 1, Instructions: 165COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05C7B4ED, Relevance: 1.6, APIs: 1, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05C7921C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05F5E438, Relevance: 1.6, APIs: 1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F5084, Relevance: 1.6, APIs: 1, Instructions: 114COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F5090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F6B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F6B61, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05F5E508, Relevance: 1.6, APIs: 1, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05F5CF8C, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027FC198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027FC191, Relevance: 1.6, APIs: 1, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F3300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05F3E230, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 027F40AB, Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05C7B60D, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|