Play interactive tour
Edit tourAnalysis Report 6Rn5G1VWPB
Overview
General Information
| Sample Name: | 6Rn5G1VWPB (renamed file extension from none to exe) |
| Analysis ID: | 412365 |
| MD5: | c12fea2da39e5173fa674ab5e22a928f |
| SHA1: | ef3754b85ecd9f789bc9bbf8a8c6b36be41cc996 |
| SHA256: | 19f2d4a6fe01ce9e0bc8362933e41f0d707df28bf9ab662db7dc7504aef3845a |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "SMTP Info": "info@garciadelacruz.comsc9v6b2nmail.garciadelacruz.comwilliamslucy570@gmail.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| Click to see the 6 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 1 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0B3CA958 | |
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Installs a global keyboard hook | Show sources | ||
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Window created: | Jump to behavior | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Code function: | 0_2_00627DA2 | |
| Source: | Code function: | 0_2_0107C2B0 | |
| Source: | Code function: | 0_2_01079968 | |
| Source: | Code function: | 0_2_0B3C8330 | |
| Source: | Code function: | 0_2_0B3C8340 | |
| Source: | Code function: | 0_2_0B3C4100 | |
| Source: | Code function: | 0_2_0B3C3160 | |
| Source: | Code function: | 2_2_007D7DA2 | |
| Source: | Code function: | 2_2_010C7560 | |
| Source: | Code function: | 2_2_010CBDB8 | |
| Source: | Code function: | 2_2_010C0040 | |
| Source: | Code function: | 2_2_010C5B38 | |
| Source: | Code function: | 2_2_010C3770 | |
| Source: | Code function: | 2_2_010C8010 | |
| Source: | Code function: | 2_2_010CD878 | |
| Source: | Code function: | 2_2_010D6178 | |
| Source: | Code function: | 2_2_010D68B0 | |
| Source: | Code function: | 2_2_010D5B40 | |
| Source: | Code function: | 2_2_010D3698 | |
| Source: | Code function: | 2_2_010E5D68 | |
| Source: | Code function: | 2_2_010E09C6 | |
| Source: | Code function: | 2_2_010EA1C4 | |
| Source: | Code function: | 2_2_010EAC38 | |
| Source: | Code function: | 2_2_010E9098 | |
| Source: | Code function: | 2_2_010ECF80 | |
| Source: | Code function: | 2_2_010EE210 | |
| Source: | Code function: | 2_2_010E70B8 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_010704E2 | |
| Source: | Code function: | 2_2_010DB599 | |
| Source: | Static PE information: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_010CF08C | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Input Capture111 | Security Software Discovery211 | Remote Desktop Protocol | Input Capture111 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Credentials in Registry1 | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data11 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion131 | Distributed Component Object Model | Data from Local System2 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 27% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| mail.garciadelacruz.com | 86.109.178.195 | true | true | unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| low |
Contacted IPs |
|---|
General Information |
|---|
| Joe Sandbox Version: | 32.0.0 Black Diamond |
| Analysis ID: | 412365 |
| Start date: | 12.05.2021 |
| Start time: | 16:39:38 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 42s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | 6Rn5G1VWPB (renamed file extension from none to exe) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 14 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/2@2/2 |
| EGA Information: |
|
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 16:40:28 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 86.109.178.195 | Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| mail.garciadelacruz.com | Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| ABANSYS_AND_HOSTYTEC-ASCCharlesRobertDarwin11ES | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\6Rn5G1VWPB.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1314 |
| Entropy (8bit): | 5.350128552078965 |
| Encrypted: | false |
| SSDEEP: | 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR |
| MD5: | 1DC1A2DCC9EFAA84EABF4F6D6066565B |
| SHA1: | B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9 |
| SHA-256: | 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF |
| SHA-512: | 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7 |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\6Rn5G1VWPB.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.7006690334145785 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ |
| MD5: | A7FE10DA330AD03BF22DC9AC76BBB3E4 |
| SHA1: | 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803 |
| SHA-256: | 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8 |
| SHA-512: | 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.694119021117804 |
| TrID: |
|
| File name: | 6Rn5G1VWPB.exe |
| File size: | 1162752 |
| MD5: | c12fea2da39e5173fa674ab5e22a928f |
| SHA1: | ef3754b85ecd9f789bc9bbf8a8c6b36be41cc996 |
| SHA256: | 19f2d4a6fe01ce9e0bc8362933e41f0d707df28bf9ab662db7dc7504aef3845a |
| SHA512: | 26bd4ff8262c9b5bb684889ab89b373a10f33b9fe61b88ee0ec7bea69390e1c461b62c17280f3e2e68ef48cce67be523559647552d6fdae1fd9b166e82f9ff0e |
| SSDEEP: | 24576:N6bI6jw9IkyU4BbYDW/X/4W7TPds2fSc8SfhJAwIdvLe6:0ESkkEkl7DdsDc5+VdvL |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..`..............P..0...........N... ...`....@.. ....................... ............@................................ |
File Icon |
|---|
 | |
| Icon Hash: | d28ab3b0e0ab96c4 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4f4eb2 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x609BC077 [Wed May 12 11:48:07 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf4e60 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf6000 | 0x288f8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x120000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf4d28 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xf2eb8 | 0xf3000 | False | 0.913331082819 | data | 7.89681221538 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xf6000 | 0x288f8 | 0x28a00 | False | 0.348028846154 | data | 5.39732699522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x120000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xf62b0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | ||
| RT_ICON | 0x106ad8 | 0x94a8 | data | ||
| RT_ICON | 0x10ff80 | 0x5488 | data | ||
| RT_ICON | 0x115408 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | ||
| RT_ICON | 0x119630 | 0x25a8 | data | ||
| RT_ICON | 0x11bbd8 | 0x10a8 | data | ||
| RT_ICON | 0x11cc80 | 0x988 | data | ||
| RT_ICON | 0x11d608 | 0x468 | GLS_BINARY_LSB_FIRST | ||
| RT_GROUP_ICON | 0x11da70 | 0x76 | data | ||
| RT_GROUP_ICON | 0x11dae8 | 0x14 | data | ||
| RT_VERSION | 0x11dafc | 0x394 | data | ||
| RT_MANIFEST | 0x11de90 | 0xa65 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Macroeconomist |
| Assembly Version | 4.1.2.1 |
| InternalName | NullableMarshaler.exe |
| FileVersion | 4.1.2.1 |
| CompanyName | Macroeconomist 2021 |
| LegalTrademarks | |
| Comments | |
| ProductName | GlobalizationExtensions |
| ProductVersion | 4.1.2.1 |
| FileDescription | GlobalizationExtensions |
| OriginalFilename | NullableMarshaler.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 05/12/21-16:42:13.863185 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| 05/12/21-16:42:16.929135 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 12, 2021 16:42:13.134754896 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.211566925 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.211824894 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.377419949 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.378144026 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.454828024 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.455018044 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.456748009 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.535165071 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.535989046 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.617292881 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.619561911 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.697374105 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.697834969 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.781431913 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.781960964 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.860829115 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.863184929 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.863420963 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.864106894 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.864223957 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:13.940037012 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:13.940723896 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:14.269522905 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:14.318522930 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:15.774117947 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:15.851397991 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:15.852571011 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:15.853324890 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:15.853451967 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:15.933919907 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.297874928 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.374768019 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.374926090 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.454835892 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.455365896 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.532181978 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.532442093 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.535346985 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.612245083 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.612946033 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.690330029 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.690743923 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.767704010 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.768399000 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.846424103 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.846874952 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.926548004 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:16.928909063 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.929135084 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.929260969 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.929411888 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.929640055 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.929826021 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.929915905 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:16.930042982 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
| May 12, 2021 16:42:17.007592916 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:17.008039951 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:17.008965969 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:17.008979082 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:17.420620918 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 |
| May 12, 2021 16:42:17.475102901 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 12, 2021 16:40:18.445195913 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:18.495414019 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:19.896186113 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:19.944896936 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:20.977637053 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:21.030966997 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:22.337939978 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:22.389678001 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:23.664412022 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:23.717228889 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:24.927752018 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:24.980926037 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:26.547545910 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:26.599379063 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:27.727233887 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:27.775940895 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:30.397442102 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:30.446260929 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:31.586272001 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:31.635117054 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:32.475155115 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:32.532696962 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:33.587733984 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:33.647283077 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:34.448817015 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:34.500467062 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:35.432074070 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:35.480787992 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:37.240926027 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:37.289674044 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:38.215845108 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:38.276186943 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:39.350717068 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:39.400345087 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:42.640199900 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:42.689085960 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:40:47.615437031 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:40:47.675681114 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:03.036144018 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:03.250905037 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:03.817640066 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:03.877968073 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:04.456588984 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:04.546590090 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:04.760132074 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:04.817827940 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:04.977973938 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:05.036331892 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:05.634725094 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:05.683474064 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:06.247292995 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:06.304621935 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:06.758164883 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:06.820440054 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:07.621284008 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:07.680427074 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:08.857274055 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:08.914813042 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:09.355947018 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:09.413249016 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:12.174837112 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:12.236542940 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:22.057522058 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:22.117943048 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:22.240628958 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:22.299323082 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:24.312402964 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:24.371192932 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:41:58.178168058 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:41:58.235702991 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:42:00.238121033 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:42:00.304614067 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:42:12.913924932 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:42:13.008151054 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
| May 12, 2021 16:42:16.233340979 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
| May 12, 2021 16:42:16.293699980 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| May 12, 2021 16:42:12.913924932 CEST | 192.168.2.4 | 8.8.8.8 | 0xf629 | Standard query (0) | A (IP address) | IN (0x0001) | |
| May 12, 2021 16:42:16.233340979 CEST | 192.168.2.4 | 8.8.8.8 | 0xe06 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| May 12, 2021 16:42:13.008151054 CEST | 8.8.8.8 | 192.168.2.4 | 0xf629 | No error (0) | 86.109.178.195 | A (IP address) | IN (0x0001) | ||
| May 12, 2021 16:42:16.293699980 CEST | 8.8.8.8 | 192.168.2.4 | 0xe06 | No error (0) | 86.109.178.195 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| May 12, 2021 16:42:13.377419949 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 220 h0226.hostytec.com ESMTP Postfix |
| May 12, 2021 16:42:13.378144026 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 | EHLO 813848 |
| May 12, 2021 16:42:13.455018044 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 250-h0226.hostytec.com 250-PIPELINING 250-SIZE 20480000 250-ETRN 250-STARTTLS 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 CHUNKING |
| May 12, 2021 16:42:13.456748009 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 | AUTH login aW5mb0BnYXJjaWFkZWxhY3J1ei5jb20= |
| May 12, 2021 16:42:13.535165071 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| May 12, 2021 16:42:13.617292881 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| May 12, 2021 16:42:13.619561911 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 | MAIL FROM:<info@garciadelacruz.com> |
| May 12, 2021 16:42:13.697374105 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 250 2.1.0 Ok |
| May 12, 2021 16:42:13.697834969 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 | RCPT TO:<williamslucy570@gmail.com> |
| May 12, 2021 16:42:13.781431913 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 250 2.1.5 Ok |
| May 12, 2021 16:42:13.781960964 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 | DATA |
| May 12, 2021 16:42:13.860829115 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| May 12, 2021 16:42:13.864223957 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 | . |
| May 12, 2021 16:42:14.269522905 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 250 2.0.0 Ok: queued as B83851082C54E |
| May 12, 2021 16:42:15.774117947 CEST | 49765 | 587 | 192.168.2.4 | 86.109.178.195 | QUIT |
| May 12, 2021 16:42:15.851397991 CEST | 587 | 49765 | 86.109.178.195 | 192.168.2.4 | 221 2.0.0 Bye |
| May 12, 2021 16:42:16.454835892 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 220 h0226.hostytec.com ESMTP Postfix |
| May 12, 2021 16:42:16.455365896 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 | EHLO 813848 |
| May 12, 2021 16:42:16.532442093 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 250-h0226.hostytec.com 250-PIPELINING 250-SIZE 20480000 250-ETRN 250-STARTTLS 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 CHUNKING |
| May 12, 2021 16:42:16.535346985 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 | AUTH login aW5mb0BnYXJjaWFkZWxhY3J1ei5jb20= |
| May 12, 2021 16:42:16.612245083 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| May 12, 2021 16:42:16.690330029 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| May 12, 2021 16:42:16.690743923 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 | MAIL FROM:<info@garciadelacruz.com> |
| May 12, 2021 16:42:16.767704010 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 250 2.1.0 Ok |
| May 12, 2021 16:42:16.768399000 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 | RCPT TO:<williamslucy570@gmail.com> |
| May 12, 2021 16:42:16.846424103 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 250 2.1.5 Ok |
| May 12, 2021 16:42:16.846874952 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 | DATA |
| May 12, 2021 16:42:16.926548004 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| May 12, 2021 16:42:16.930042982 CEST | 49766 | 587 | 192.168.2.4 | 86.109.178.195 | . |
| May 12, 2021 16:42:17.420620918 CEST | 587 | 49766 | 86.109.178.195 | 192.168.2.4 | 250 2.0.0 Ok: queued as C80EF108681F7 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 16:40:26 |
| Start date: | 12/05/2021 |
| Path: | C:\Users\user\Desktop\6Rn5G1VWPB.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 1162752 bytes |
| MD5 hash: | C12FEA2DA39E5173FA674AB5E22A928F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 16:40:30 |
| Start date: | 12/05/2021 |
| Path: | C:\Users\user\Desktop\6Rn5G1VWPB.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7d0000 |
| File size: | 1162752 bytes |
| MD5 hash: | C12FEA2DA39E5173FA674AB5E22A928F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Execution Graph |
|---|
| Execution Coverage: | 10.5% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 114 |
| Total number of Limit Nodes: | 9 |
Graph
Executed Functions |
|---|
Function 0B3CA958, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107BBB8, Relevance: 1.7, APIs: 1, Instructions: 201COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107DC6D, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01076D51, Relevance: 1.6, APIs: 1, Instructions: 102COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01076DC0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3C6EE0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01076DC8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3C2778, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3C6568, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3CC280, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107DEB9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3CA060, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3C6D5E, Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D4D8, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101D01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D4D3, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101D017, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D7FD, Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D7FC, Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 0B3C8340, Relevance: 4.0, Strings: 3, Instructions: 228COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3C8330, Relevance: 2.7, Strings: 2, Instructions: 223COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3C4100, Relevance: 1.5, Strings: 1, Instructions: 260COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0B3C3160, Relevance: 1.3, Strings: 1, Instructions: 77COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0107C2B0, Relevance: .5, Instructions: 522COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01079968, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00627DA2, Relevance: .2, Instructions: 211COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 13.5% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 48 |
| Total number of Limit Nodes: | 6 |
Graph
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010D0A70, Relevance: 9.7, APIs: 4, Strings: 1, Instructions: 984libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010D1A66, Relevance: 1.7, APIs: 1, Instructions: 170COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010D1AAE, Relevance: 1.7, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010D1AF6, Relevance: 1.7, APIs: 1, Instructions: 156COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010D1B3E, Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|