
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 41099
Start time: 19:16:25
Joe Sandbox Product: CloudBasic
Start date: 27.12.2017
Overall analysis duration: 0h 15m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dnscart.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal72.evad.troj.winEXE@8/0@0/16
HCA Information:
  • Successful, ratio: 96%
  • Number of executed functions: 52
  • Number of non-executed functions: 97
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 24.6% (good quality ratio 18.3%)
  • Quality average: 55.4%
  • Quality standard deviation: 40%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 72 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

The sample's HTTP requests all target non-existing resources; the sample is likely no longer working.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: dnscart.exe | virustotal: Detection: 17%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_001124C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_001124C8
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00112505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00112505
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_0011259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_0011259B
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00112447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00112447
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_002190BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_002190BE
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_0021914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_0021914E
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_0021259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_0021259B
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_002191F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_002191F0
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_00212505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00212505
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_00212447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00212447
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_002124C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_002124C8

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D413A0 Sleep,Sleep,GetWindowLongA,CreateBitmap,CreatePatternBrush,GetVersion,GetOpenClipboardWindow,timeGetSystemTime,DeleteObject,DeleteObject,DeleteObject,Sleep,Sleep,timeGetSystemTime,GetWindowLongA,AnyPopup,IsWindow,GetThreadPriority,GetClientRect,AdjustWindowRect,SetWindowPos,SetWindowTextA,SetTimer,MessageBoxA,ReadFile,1_2_00D413A0

Networking:

Found strings which match known social media URLs
Source: providerrpc.exe | String found in binary or memory: Twitter.url1.x0 equals www.twitter.com (Twitter)
Source: providerrpc.exe | String found in binary or memory: Youtube.url equals www.youtube.com (Youtube)
Posts data to webserver
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 85.214.219.12:443 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 27 Dec 2017 18:17:18 GMT | Content-Type: text/html | Content-Length: 564 | Connection: keep-alive
URLs found in memory or binary data
Source: providerrpc.exe, dnscart.exe | String found in binary or memory: http://filext.com
Source: dnscart.exe | String found in binary or memory: http://philip.helger.com/gt/Z
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 85.214.219.12:443 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 7080
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.2:49169 -> 194.88.246.242:443

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00119960 StartServiceW,CloseServiceHandle,CloseServiceHandle,2_2_00119960

Stealing of Sensitive Information:

Searches for user-specific document files
Source: C:\Users\user\Desktop\dnscart.exe | Key value created or modified: C:\Users\Public\Documents
Source: C:\Users\user\Desktop\dnscart.exe | Key value created or modified: C:\Users\Default\Documents
Source: C:\Users\user\Desktop\dnscart.exe | Key value created or modified: C:\Users\user\Documents
Source: C:\Windows\System32\providerrpc.exe | Key value created or modified: C:\Users\Default\Documents
Source: C:\Windows\System32\providerrpc.exe | Key value created or modified: C:\Users\user\Documents
Source: C:\Windows\System32\providerrpc.exe | Key value created or modified: C:\Users\Public\Documents

Persistence and Installation Behavior:

Drops PE files to the Windows directory (C:\Windows)
Source: C:\Users\user\Desktop\dnscart.exe | PE file moved: C:\Windows\System32\providerrpc.exe
Drops executables to the Windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\providerrpc.exe | Executable created and started: C:\Windows\System32\providerrpc.exe

Data Obfuscation:

PE file contains sections with non-standard names
Source: dnscart.exe | Static PE information: section name: P
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D4CC2D push esi; ret 1_2_00D4CC2E
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D4A7BC push esi; retf 1_2_00D4A7C8
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D42A0F push esi; ret 1_2_00D42A11
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D4A032 push ss; iretd 1_2_00D4A033

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001B1C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,1_2_001B1C31
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00101C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,2_2_00101C31
Source: C:\Windows\System32\providerrpc.exe | Code function: 3_2_00161C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,3_2_00161C31
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_00201C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,4_2_00201C31

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: dnscart.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: dnscart.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: @ntdll.dllkernel32.dllLdrGetProcedureAddress*...WindowsProgram Files\samplemlwr_smplartifact.exec:\TEQUILABOOMBOOMWilbertSCCWX:\Symbols\aagmmc.pdbadminSystemITKLONE_X64-PCJohn DoeBEA-CHIJohnC:\take_screenshot.ps1C:\loaddll.exeC:\email.docC:\email.htmC:\123\email.docC:\123\email.docxC:\a\foobar.bmpC:\a\foobar.docC:\a\foobar.gif source: providerrpc.exe
Source: Binary string: agmmc.pdb source: providerrpc.exe
Source: Binary string: FH2puGwCc1.pdb source: providerrpc.exe, dnscart.exe
Classification labelShow sources
Source: classification engineClassification label: mal72.evad.troj.winEXE@8/0@0/16
Contains functionality to create servicesShow sources
Source: C:\Users\user\Desktop\dnscart.exeCode function: CreateServiceW,2_2_001197B3
Source: C:\Windows\System32\providerrpc.exeCode function: CreateServiceW,4_2_002197B3
Contains functionality to modify services (start/stop/modify)Show sources
Source: C:\Users\user\Desktop\dnscart.exeCode function: 2_2_0011992A GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetProcessHeap,HeapFree,2_2_0011992A
PE file has an executable .text section and no other executable sectionShow sources
Source: dnscart.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini filesShow sources
Source: C:\Users\user\Desktop\dnscart.exeFile read: C:\Users\desktop.ini
Reads software policiesShow sources
Source: C:\Users\user\Desktop\dnscart.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)Show sources
Source: dnscart.exeVirustotal: hash found
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\dnscart.exe 'C:\Users\user\Desktop\dnscart.exe'
Source: unknownProcess created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: unknownProcess created: C:\Windows\System32\providerrpc.exe C:\Windows\system32\providerrpc.exe
Source: unknownProcess created: C:\Windows\System32\providerrpc.exe C:\Windows\system32\providerrpc.exe
Source: unknownProcess created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: unknownProcess created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Users\user\Desktop\dnscart.exeProcess created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: C:\Windows\System32\providerrpc.exeProcess created: C:\Windows\System32\providerrpc.exe C:\Windows\system32\providerrpc.exe
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\dnscart.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains functionality to launch a process as a different userShow sources
Source: C:\Users\user\Desktop\dnscart.exeCode function: 2_2_00112220 CreateProcessAsUserW,2_2_00112220
Creates mutexesShow sources
Source: C:\Users\user\Desktop\dnscart.exeMutant created: \Sessions\1\BaseNamedObjects\MDB98E05
Source: C:\Users\user\Desktop\dnscart.exeMutant created: \Sessions\1\BaseNamedObjects\Global\I45BD1CA5
Source: C:\Windows\System32\providerrpc.exeMutant created: \BaseNamedObjects\MC92454C8
Source: C:\Windows\System32\providerrpc.exeMutant created: \BaseNamedObjects\Global\I45BD1CA5
Source: C:\Users\user\Desktop\dnscart.exeMutant created: \Sessions\1\BaseNamedObjects\Global\M45BD1CA5
Deletes Windows filesShow sources
Source: C:\Users\user\Desktop\dnscart.exeFile deleted: C:\Windows\System32\providerrpc.exe:Zone.Identifier
Reads the hosts fileShow sources
Source: C:\Windows\System32\providerrpc.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\providerrpc.exeFile read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version infoShow sources
Source: dnscart.exeBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exeBinary or memory string: OriginalFilenamegtbasic.dll( vs dnscart.exe
Source: dnscart.exeBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs dnscart.exe
Source: dnscart.exeBinary or memory string: OriginalFilenamegtbasic.dll( vs dnscart.exe
Source: dnscart.exeBinary or memory string: System.OriginalFileName vs dnscart.exe
Source: dnscart.exeBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exeBinary or memory string: OriginalFilenamegtbasic.dll( vs dnscart.exe

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\dnscart.exe | System information queried: KernelDebuggerInformation
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_002E1BE0 mov eax, dword ptr fs:[00000030h] 1_2_002E1BE0
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00111BE0 mov eax, dword ptr fs:[00000030h] 2_2_00111BE0
Source: C:\Windows\System32\providerrpc.exe | Code function: 3_2_001A1BE0 mov eax, dword ptr fs:[00000030h] 3_2_001A1BE0
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_00211BE0 mov eax, dword ptr fs:[00000030h] 4_2_00211BE0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001B2E9A GetLastError,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,SetLastError,GetCurrentProcess,GetLastError,wsprintfA,SetLastError,GetCurrentProcessId,1_2_001B2E9A
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001B1C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,1_2_001B1C31
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00101C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,2_2_00101C31
Source: C:\Windows\System32\providerrpc.exe | Code function: 3_2_00161C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,3_2_00161C31
Source: C:\Windows\System32\providerrpc.exe | Code function: 4_2_00201C31 lstrlenW,lstrlenW,lstrcatW,FindFirstFileW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,malloc,lstrcpyW,FindNextFileW,FindNextFileW,FindClose,4_2_00201C31
Program exit points
Source: C:\Windows\System32\providerrpc.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\System32\providerrpc.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\System32\providerrpc.exe | Process information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\Users\user\Desktop\dnscart.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,OpenServiceW,2_2_0011985F
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,GetLastError,2_2_001197F3
Source: C:\Windows\System32\providerrpc.exe | Code function: EnumServicesStatusExW,OpenServiceW,4_2_0021985F
Source: C:\Windows\System32\providerrpc.exe | Code function: EnumServicesStatusExW,GetLastError,4_2_002197F3
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\dnscart.exe | API coverage: 9.0 %
Source: C:\Windows\System32\providerrpc.exe | API coverage: 7.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dnscart.exe TID: 3340 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\providerrpc.exe TID: 3400 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 3696 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 3760 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 2428 | Thread sleep time: -60000s >= -60000s
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
This sample likely uses some variation of time evasions

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 7080

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D413A0 Sleep,Sleep,GetWindowLongA,CreateBitmap,CreatePatternBrush,GetVersion,GetOpenClipboardWindow,timeGetSystemTime,DeleteObject,DeleteObject,DeleteObject,Sleep,Sleep,timeGetSystemTime,GetWindowLongA,AnyPopup,IsWindow,GetThreadPriority,GetClientRect,AdjustWindowRect,SetWindowPos,SetWindowTextA,SetTimer,MessageBoxA,ReadFile,1_2_00D413A0
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001B23FA GetUserNameA,GetUserNameA,GetComputerNameA,GetComputerNameA,GetComputerNameExA,GetComputerNameExA,lstrlen,1_2_001B23FA
Contains functionality to query windows version
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D413A0 Sleep,Sleep,GetWindowLongA,CreateBitmap,CreatePatternBrush,GetVersion,GetOpenClipboardWindow,timeGetSystemTime,DeleteObject,DeleteObject,DeleteObject,Sleep,Sleep,timeGetSystemTime,GetWindowLongA,AnyPopup,IsWindow,GetThreadPriority,GetClientRect,AdjustWindowRect,SetWindowPos,SetWindowTextA,SetTimer,MessageBoxA,ReadFile,1_2_00D413A0
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\dnscart.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dnscart.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\providerrpc.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 41099 | Sample: dnscart.exe | Start date: 27/12/2017 | Architecture: WINDOWS | Score: 72
(Graph data; the rendered graph is not available. One process node is hidden: processes exceeded maximum capacity for this level.)

Processes:
  • 1 dnscart.exe (started by main)
  • 2 dnscart.exe (started by 1; node count: 1)
  • 3 providerrpc.exe (started by main); signature: Drops executables to the windows directory (C:\Windows) and starts them
  • 4 providerrpc.exe (started by 3; node counts: 2, 9); signature: Drops executables to the windows directory (C:\Windows) and starts them; connects to the IPs listed below (3 further connected IPs hidden: connected IPs exceeded maximum capacity for this level)
  • 5 WmiApSrv.exe (started by main)

Connected IPs (each flagged with the signature: Detected TCP or UDP traffic on non-standard ports):
  • 37.128.129.88, 8080 MEMSETGB United Kingdom
  • 65.44.220.49, 7080 XO-AS15-XOCommunicationsUS United States
  • 198.20.243.145, 8080 UNIFIEDLAYER-AS-1-UnifiedLayerUS United States
  • 176.126.244.207, 8080 BHOSTGB United Kingdom
  • 195.154.58.200, 8080 AS12876FR France
  • 82.131.166.44, 8080 INVITECHHU Hungary
  • 92.51.161.43, 8080 HOSTEUROPE-ASDE Germany
  • 82.131.166.42, 8080 INVITECHHU Hungary
  • 87.106.247.42, 8080 ONEANDONE-ASBrauerstrasse48DE Germany
  • 142.4.9.146, 8080 UNIFIEDLAYER-AS-1-UnifiedLayerUS United States
  • 149.202.153.252, 8080 OVHFR France
  • 106.185.40.166, 8080 KDDIKDDICORPORATIONJP Japan
  • 185.24.173.30, 8080 LEASEWEB-NLNetherlandsNL Netherlands

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Cloud
dnscart.exe | 18% | virustotal

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Columns: Associated Sample Name / URL | SHA 256 | Detection (the bullet under each row is the Context)

Match: 87.106.247.42
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 87.106.247.42:8080/
Emotet.doc | caa404591cb437f0d037e10f6ad7ddfec9ee310fbf0cfc48a2b4ccd6e7ee2722 | malicious
  • 87.106.247.42:8080/
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 87.106.247.42:8080/
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 87.106.247.42:8080/
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 87.106.247.42:8080/
http://chaoticzoo.com/Outstanding-Invoices/ | (URL, no hash) | malicious
  • 87.106.247.42:8080/
http://siquierofotografia.com/Purchases-2017/ | (URL, no hash) | malicious
  • 87.106.247.42:8080/
Emotet.doc | caa404591cb437f0d037e10f6ad7ddfec9ee310fbf0cfc48a2b4ccd6e7ee2722 | malicious
  • 87.106.247.42:8080/
9025.exe | f4f126fd810329548277650feecd3e932f8fd1f945445b98aa5b56a727774e4c | malicious
  • 87.106.247.42:8080/

Match: 194.88.246.242
http://cinetiux.com/LLC/?newinvoice01.doc | (URL, no hash) | malicious
  • 194.88.246.242:443/
New invoice 27310021.doc | 46093d6ede042d6383382585cae9b1fdb678263f27d329114c0fa5c2e9d52d8f | malicious
  • 194.88.246.242:443/
24175368.exe | ce05e5c5368e41bea72958e05ba6ea43263e24351684998cd5f0d583ac9beb82 | malicious
  • 194.88.246.242:443/
New invoice # 613952179.doc | bbce7972501609e4d640ab6034b06e9ca903f89841e56e21362f9ec690741337 | malicious
  • 194.88.246.242:443/
http://www.detoxyourbodytoday.com/Invoices-attached/ | (URL, no hash) | malicious
  • 194.88.246.242:443/
file.doc | 3fd2dd5c3355823eb430075b7ecf648943c9c201014b5dbd4520cbf59fb181fb | malicious
  • 194.88.246.242:443/
UPS_ 24068_DH#BGV (04 Nov 17).doc | d7072a33d5ecd44cc89f356bc608009afce038b6be9fa0d5f362c6e201db1adf | malicious
  • 194.88.246.242:443/
UPS_ 24068_DH#BGV (04 Nov 17).doc | d7072a33d5ecd44cc89f356bc608009afce038b6be9fa0d5f362c6e201db1adf | malicious
  • 194.88.246.242:443/
1.doc | 1a6afc1493e33971fca254cbac8d34b6b131f66d87512d0c4f63c2a0ea288613 | malicious
  • 194.88.246.242:443/
xyv.exe | 6344bd2a7d40a666ed16efada1a2271edffd139f00d0f02817dd22877201029a | malicious
  • 194.88.246.242:443/
Emotet.doc | 9ff757e0459190c45649b539e739c0749573f14a4f3d122f2074ed72fd1503bb | malicious
  • 194.88.246.242:443/
30337496.exe | 86709093443b871ae5f098236ba1270c73f27177d33782c918dadba8dc14458a | malicious
  • 194.88.246.242:443/
file.doc | 3fd2dd5c3355823eb430075b7ecf648943c9c201014b5dbd4520cbf59fb181fb | malicious
  • 194.88.246.242:443/
http://www.bourgetbros.com/Invoice-Number-60195/ | (URL, no hash) | malicious
  • 194.88.246.242:443/
9025.exe | f4f126fd810329548277650feecd3e932f8fd1f945445b98aa5b56a727774e4c | malicious
  • 194.88.246.242:443/

Match: 198.20.243.145
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 198.20.243.145:8080/
Emotet.doc | caa404591cb437f0d037e10f6ad7ddfec9ee310fbf0cfc48a2b4ccd6e7ee2722 | malicious
  • 198.20.243.145:8080/
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 198.20.243.145:8080/
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 198.20.243.145:8080/
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 198.20.243.145:8080/
http://chaoticzoo.com/Outstanding-Invoices/ | (URL, no hash) | malicious
  • 198.20.243.145:8080/
http://siquierofotografia.com/Purchases-2017/ | (URL, no hash) | malicious
  • 198.20.243.145:8080/
Emotet.doc | caa404591cb437f0d037e10f6ad7ddfec9ee310fbf0cfc48a2b4ccd6e7ee2722 | malicious
  • 198.20.243.145:8080/

Match: 176.126.244.207
9025.exe | f4f126fd810329548277650feecd3e932f8fd1f945445b98aa5b56a727774e4c | malicious
  • 176.126.244.207:8080/

Match: 82.131.166.44
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 82.131.166.44:8080/
Emotet.doc | caa404591cb437f0d037e10f6ad7ddfec9ee310fbf0cfc48a2b4ccd6e7ee2722 | malicious
  • 82.131.166.44:8080/
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 82.131.166.44:8080/
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 82.131.166.44:8080/
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 82.131.166.44:8080/
http://chaoticzoo.com/Outstanding-Invoices/ | (URL, no hash) | malicious
  • 82.131.166.44:8080/
http://siquierofotografia.com/Purchases-2017/ | (URL, no hash) | malicious
  • 82.131.166.44:8080/
Emotet.doc | caa404591cb437f0d037e10f6ad7ddfec9ee310fbf0cfc48a2b4ccd6e7ee2722 | malicious
  • 82.131.166.44:8080/

Domains

No context

ASN

Columns: Associated Sample Name / URL | SHA 256 | Detection (the bullet under each row is the Context)

Match: STRATOSTRATOAGDE
Emotet.doc | ed80b3e9fbb903696b483c208700b977cc732178084c821604fd3296fde3ef02 | malicious
  • 81.169.145.161
http://flame-guild.de/FKKZ28427 | (URL, no hash) | malicious
  • 81.169.145.154
filename.exe | 7f0edd658862842c1102de650585e8023b836bf03fdc7b63ca429fc6d1a5fb04 | malicious
  • 81.169.145.151
65Payment Cop.exe | 4cfe66e094750f7bee976aa3255893ce25b55e9923e86d3d718e2bb3569245bf | malicious
  • 81.169.145.72
Emotet2.doc | 27690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3 | malicious
  • 81.169.145.76
edvberger.doc | db4633d43e42ed3662323acec76c23dedb66dc2dafef35d0f70a49106b01c59c | malicious
  • 81.169.145.159
Bill address.doc | 62e10bc262f1f2b0b17dd81b4654e22fe2a67a421bff2496590d4c19ce596d14 | malicious
  • 81.169.145.88
Emotet.doc | e6d39de69395d9ea63a5965a104c89f238e12fea01c8feb23145b6dae19df7cc | malicious
  • 81.169.145.72
Bill address.doc | 62e10bc262f1f2b0b17dd81b4654e22fe2a67a421bff2496590d4c19ce596d14 | malicious
  • 81.169.145.88
Emotet.doc | e6d39de69395d9ea63a5965a104c89f238e12fea01c8feb23145b6dae19df7cc | malicious
  • 81.169.145.72
Emotet.doc | f8ba36c6114b3a5f4a00187cdd61fe909d3f53c949a3630251c3fcc30e679b04 | malicious
  • 81.169.145.149
SKM_C554e16055812971.vbs | 76c027656d2f3d6b8f1aae8feb05f689dc1e4d86a239cf213442bcb34fff08a4 | malicious
  • 81.169.145.159
7NY4ggQ43.exe | 349c55374ca2c48990d171f52556e6bf695d42600b62edf41aec3e8a6fe4ec00 | malicious
  • 85.214.224.206
emotet.doc | cbdbe2bf74d0aeb7e47be9244266cef33446e3954a941df8ff47e8f06a39b47a | malicious
  • 81.169.145.93
Emotet.doc | 3f75ee07639bbcebf9b904debae1b40ae1e2f2cbfcef44caeda21a9dae71c982 | malicious
  • 81.169.145.88
Emotet1.doc | 1dccd84b95c3f482f2f2ece54e0e64d3671d5817cdd52d0e486023a22b481615 | malicious
  • 81.169.145.80
Emotet1.doc | 1dccd84b95c3f482f2f2ece54e0e64d3671d5817cdd52d0e486023a22b481615 | malicious
  • 81.169.145.80
Emotet2.doc | 99391bcec56d263090c5efffeef1ce38a7463469918acf74a3beeded03a7458d | malicious
  • 81.169.145.86
Emotet.doc | 8eea064f002e132572a85d5a276814cc56000b46add7b895d386e18f80f78cfa | malicious
  • 81.169.145.76
dings.doc | dcdc27797ad905dc65c627006dd7f08e51bb25bf1390d2e37d8b31c37ae05814 | malicious
  • 81.169.145.160

Match: AS12876FR
r.exe | 3cc984eac1c88f7d5eb6ea85e79a2be3430bf7dcbfc03bfa12acde8f60657198 | malicious
  • 62.210.141.69
invoce.doc.exe | be468f7a7eb00e890482de26fdb560188c2b2f04c8ea1df624026ac58295f78a | malicious
  • 212.83.146.230
jun.exe | 07fbbb5eb8d6c7fa8c6471088c5b01548474e42aacebbf7be685a92659155f5e | malicious
  • 212.83.146.230
6wraWQWLS.exe | c9c47d0a210f600da3ab52ef474a9f56cea0a8d09cfec9544944fb4a63e7f841 | malicious
  • 163.172.149.155
20170927_655387.doc | 5623b81db50cf778713612e599b7efe8173dd50246182ec63f02de0fbabdbd3d | malicious
  • 163.172.153.154
20170927_230269.doc | 5d97db906fd9d67258665d16fe8d2ca91551d1067383b34bf9fd203b07bda824 | malicious
  • 163.172.153.154
40Purchase Orders.exe | 37c1c3e98319c165d611b206c038ae492904c9127f74b13492ff6cadbddc05c8 | malicious
  • 195.154.21.65
11qqAtwZjQcJ.exe | 1b8e1c6957039a820070b56c0755188a310aa7abd26203ed866d63ad66239889 | malicious
  • 195.154.151.36
rt.exe | e1143efc15b55bd6a622b24b6712e40fb63a31e7cff920ab0859aa6b57be9ad3 | malicious
  • 51.15.13.245
12#0.exe | 4b0aba923ba39e443e3a9ba5bec5b858db2b9ecca413606d57bf66530bb33d07 | malicious
  • 212.83.146.230
php.exe | 57b374e2d2f002c11c69b454fcf1aa57bd971cd0638eca12c6691cdb6a2f011c | malicious
  • 195.154.164.243
New payment notice #537.doc | 2c34d5de4bfbca74b4a782a221c44311fba086f876af6020f16c36b8759dcd24 | malicious
  • 212.83.146.230
jun.exe | 07fbbb5eb8d6c7fa8c6471088c5b01548474e42aacebbf7be685a92659155f5e | malicious
  • 212.83.146.230
trezarcoin-qt.exe | f497ecaec8724b98e7d62b605b3141e8863a604f3e81043381edbfb3c2d80a39 | malicious
  • 62.210.131.147
Wollin_Info.doc | 229c479ee2ad6ee880ce9fa196c453c0d0b7d8deb9bcfd8b9c5b695d3e786c13 | malicious
  • 163.172.175.174
HealthStream Doc.pdf | d032acc5a81f58cd4ef60f2a50b48ace13f6bf2d175ca98a01ccacf6219f910f | malicious
  • 62.210.146.162
emotet.doc | 9cdfee7af473d4df32f6ae5d4da0d87559fef76bfabb4be5082a221f7bd702b6 | malicious
  • 62.210.187.97
Emotet.doc | db1ba6f50f367209db4733b94e8d22c8703665bf5b90716bfc754b3639d4c76a | malicious
  • 212.83.146.230
Scan_26314.doc | b2742002bcce4688faa48e69644deef9d369980f33e234910bde3aa1f9ebfece | malicious
  • 163.172.153.154
file.docm | ec9d519ea6c683f8813af50db2135a51bab17afd610095464ad7fda1cf836ae7 | malicious
  • 62.210.90.164

Match: BHOSTGB
9025.exe | f4f126fd810329548277650feecd3e932f8fd1f945445b98aa5b56a727774e4c | malicious
  • 176.126.244.207

Match: UNIFIEDLAYER-AS-1-UnifiedLayerUS
3transcrip.exe | a995bae77a7621466172bbacb719ccc287c4c7745106efa68b6469f7cb254dd1 | malicious
  • 192.254.190.168
81fil.exe | 67a5c532f2680b80df3692faf75b240469264a7dd12acbcca706f306f95cdeb5 | malicious
  • 192.254.190.168
.exe | 15c56eb1dd33ee600a86eecb2de6c73c61b0b9c3ba3ed7a5ca7334986e210b6f | malicious
  • 192.254.190.168
21gjj.exe | 1f6a51b1f854974b68c3b1f913f7e1d6d1dc52ae4555e4d53144dcaba36ff8e2 | malicious
  • 192.254.190.168
65readm.exe | 4879e150697d7fd7aa7b073ba7e1a5521524c75b28e4d168255f3024dbc5d017 | malicious
  • 192.254.190.168
49youtube.exe | 9fc52b06f79046f3b0d2f22dbbb0df3a603f83ae6260b791e63cc5ee044d15f0 | malicious
  • 192.254.190.168
53lette.exe | 927450af7ad7f12dac92643f15a1751cf65304e8ed3e281fca5cce3523d111a6 | malicious
  • 192.254.190.168
11.html .exe | 3113b878f3c6c44c39ca8a8117f6f2922ad6130337a9c52fc7340f569a705cee | malicious
  • 192.254.190.168
65Fil.exe | 1d16d13887917df11398e81e88a2ef619a70e05b4beb2d31c061ebc673943363 | malicious
  • 192.254.190.168
52Fil.exe | 78c7e52b486ca13ae3a373640168fe79122ce54da32c5de3b7fd6fa469e2e23c | malicious
  • 192.254.190.168
.exe | 086e132b327fcbf28b5e8a86e8f235333ad606a18037c1d00d58e5e6a0658cca | malicious
  • 192.254.190.168
1pjmdd.exe | 5b7f86425827330fccfda2ea66c34ca565e00f0739e8d85494f88a60b7e9f2d1 | malicious
  • 192.254.190.168
Emotet.doc | 9b0b9dd4e1e9e1baebd83b323c18aa032a9e8914e3435c94e61e47d80d5cd938 | malicious
  • 69.89.21.79
54tex.exe | 1d2986f6d1c750a6802be224e8d66520c156cd31518271b3335af65f6bc7faf8 | malicious
  • 192.254.190.168
57text.txt .exe | 3c809a60ee8f6cd40be48be772db6c1ceb99d2d77e3ee802b37cc7b3f8ea640b | malicious
  • 192.254.190.168
.exe | 03ef4b79e3f417274b49a6284efaf29ea821e2b04f92ecacdc05471e63386202 | malicious
  • 192.254.190.168
49QOQAsYEJoB.exe | 2f9919f720e08b4afbc3385f03052c8a5b8a18d4a79a88a3c3cef9abca77c3d4 | malicious
  • 192.254.190.168
90eqohxP24pE.exe | 526372b3d733173746015478e1d4b790ff783465f3b69e007de114d8dc7835b0 | malicious
  • 192.254.190.168
88messag.exe | ed75edcb20cbef891ebf1036dc383b7a880a18bd366e0def69d83ef6ce7b138d | malicious
  • 192.254.190.168
15youtube.exe | af71c8ceaa470396e96a3160d96b2f074c7eb6c0170af2e7ea98a002f6cd0740 | malicious
  • 192.254.190.168

Match: XO-AS15-XOCommunicationsUS
kovter.exe | 0d0a07d32295b94fd665ac39d4755014a00381c6b06c2b4a6aeffa0344ac956a | malicious
  • 67.93.97.183
17MESSAGE.EXE | 7ac84a829d1091db57619fb241c62bde21b07db7cecda17c67e4897fdd789e7d | malicious
  • 64.0.103.180
Purchase Order 8736772514.js | db852ae645290013405806699a821ebfacfe463d68a0bde741679dcb3dad425e | malicious
  • 65.44.220.51
Purchase Order 8736772514.js | db852ae645290013405806699a821ebfacfe463d68a0bde741679dcb3dad425e | malicious
  • 65.44.220.51
57lette.exe | 36446262191092247a6b66424a75dc1d31a4588bb85efbd6b19d88d57849d0cc | malicious
  • 65.45.49.94
Purchase Order 4948777206.js | b1c5f04d52f9afe919ef8816c12a7c6abf88458a17a89d64fb9c13ec2d74b6b9 | malicious
  • 65.44.220.51
7documen.exe | 384b4a7601bb8f9f8d734c5a79414362aa503985a3c19972855c90e7babea826 | malicious
  • 67.92.182.62
11mai.exe | 998c9fe333d8d299c09a8e23fe197077653404be27b056fe4bb121df81fe9b19 | malicious
  • 64.221.133.226
Purchase Order 4948777206.js | b1c5f04d52f9afe919ef8816c12a7c6abf88458a17a89d64fb9c13ec2d74b6b9 | malicious
  • 65.44.220.51

Match: INVITECHHU
edvberger.doc | db4633d43e42ed3662323acec76c23dedb66dc2dafef35d0f70a49106b01c59c | malicious
  • 217.13.106.249
http://app-asia.com.sg/Invoice/ | (URL, no hash) | malicious
  • 217.13.106.241
Tracking-210647491_IN-HQQ (18 Nov 17).doc | 25ab22afbe847130039965706f06cb077c7ab7ba343e1307d8f2e086e919e01d | malicious
  • 217.13.106.249
emoteexe.exe | fc16abe6701e8ef4c8c1129c2e0a5f8e309ec3c3f3e54dc6b3f16b3f5b453a15 | malicious
  • 217.13.106.249
http://cinetiux.com/LLC/?newinvoice01.doc | (URL, no hash) | malicious
  • 217.13.106.249
Emotet.doc | 0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79 | malicious
  • 217.13.106.246
Emotet.doc | 0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79 | malicious
  • 217.13.106.246
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 82.131.166.44
New invoice 27310021.doc | 46093d6ede042d6383382585cae9b1fdb678263f27d329114c0fa5c2e9d52d8f | malicious
  • 217.13.106.16
24175368.exe | ce05e5c5368e41bea72958e05ba6ea43263e24351684998cd5f0d583ac9beb82 | malicious
  • 217.13.106.249
Download.doc.doc | 164245625fabdfc0af1296b6deb4cccce5aab179c973d9f5659be9f4b3fce51d | malicious
  • 217.13.106.241
New invoice # 613952179.doc | bbce7972501609e4d640ab6034b06e9ca903f89841e56e21362f9ec690741337 | malicious
  • 217.13.106.241
scan # 69729093351.doc | 0ed16fb62f107250d88a18d365befc21851942eee0d1381fe1c22273e3412b02 | malicious
  • 217.13.106.249
Emotet.doc | caa404591cb437f0d037e10f6ad7ddfec9ee310fbf0cfc48a2b4ccd6e7ee2722 | malicious
  • 82.131.166.44
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 82.131.166.44
Invoice Number 778114.doc | 9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1 | malicious
  • 82.131.166.44
Holidays eCard.doc | 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 | malicious
  • 82.131.166.44
Emotet1.doc | 0258fd5d31e2db5bca73b492ac0926efb50e1cff43489f11f673a5f5b8174849 | malicious
  • 217.13.106.249
New invoice # 613952179.doc | bbce7972501609e4d640ab6034b06e9ca903f89841e56e21362f9ec690741337 | malicious
  • 217.13.106.249
http://chaoticzoo.com/Outstanding-Invoices/ | (URL, no hash) | malicious
  • 82.131.166.44

Dropped Files

No context

Screenshot