
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 41978
Start time: 21:32:17
Joe Sandbox Product: CloudBasic
Start date: 08.01.2018
Overall analysis duration: 0h 6m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dnscart.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal52.troj.winEXE@6/0@0/2
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 84
  • Number of non-executed functions: 134
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 33.6% (good quality ratio 25.7%)
  • Quality average: 49.3%
  • Quality standard deviation: 37%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy | Score | Range | Detection
Threshold | 52 | 0 - 100 | malicious


Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00302447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00302447
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00302505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00302505
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_0030259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_0030259B
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_003024C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_003024C8
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_0022231E memset,CryptAcquireContextW,4_2_0022231E
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_0022914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_0022914E
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_00222357 CryptDecodeObjectEx,CryptReleaseContext,4_2_00222357
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_002290BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_002290BE
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_002224C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_002224C8
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_002223CC CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_002223CC
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_002223AE CryptGenKey,CryptDestroyKey,CryptReleaseContext,4_2_002223AE
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_0022259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_0022259B
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_00222387 CryptImportKey,LocalFree,CryptReleaseContext,4_2_00222387
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_00222505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00222505
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_002291F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_002291F0
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_00222447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00222447

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_00222387 CryptImportKey,LocalFree,CryptReleaseContext,4_2_00222387

Networking:

Contains functionality to download additional files from the internet
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_00221EB9 GetProcessHeap,RtlAllocateHeap,InternetReadFile,InternetReadFile,GetProcessHeap,HeapFree,4_2_00221EB9
Posts data to webserver
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 69.16.193.12:4143 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 93 65 e7 13 e1 e7 a7 51 a0 4f f3 29 6c 47 23 2f 36 6c 2e 0f ff 39 6c 07 c7 8f d6 af 5f ed 7d a5 ab 2e 0a ec bf 1b 31 53 08 f9 33 e4 5a 7c c2 16 ec 05 0b ef ba 93 16 00 60 7c 00 2a b7 be ed b8 17 3f 0e af 6e e1 70 30 a1 cf 6d b9 70 89 2e 83 fe 4f 9a e5 65 f8 70 11 20 a9 13 11 1c 99 5a e1 7b 4c 81 7d fa e3 74 b9 46 b5 3d 1e 4c a9 b9 b2 0d 57 21 eb 23 20 aa 26 c3 89 3e 37 03 e9 36 0a e1 10 73 d4 ed 03 f3 f6 be db 43 72 3b d4 0e 93 e1 cf 4f 7f 19 05 25 b0 27 3e d1 a0 1a 84 94 82 5e 52 d6 42 a6 d1 b4 d0 cd 8d 19 70 40 57 53 b2 26 8a c0 9a 02 a0 45 b3 0e 9e bd 90 86 32 6a bb 06 4b d4 2b 70 f3 6c 5a 0c d1 1b f1 9f 8a 12 44 42 c0 a3 c8 7b 57 24 73 fb 40 f6 74 ab 72 6f 3d e6 dc 95 92 da 86 1a 59 76 6c 7e db af e5 87 4
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 69.16.193.12:4143 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 93 65 e7 13 e1 e7 a7 51 a0 4f f3 29 6c 47 23 2f 36 6c 2e 0f ff 39 6c 07 c7 8f d6 af 5f ed 7d a5 ab 2e 0a ec bf 1b 31 53 08 f9 33 e4 5a 7c c2 16 ec 05 0b ef ba 93 16 00 60 7c 00 2a b7 be ed b8 17 3f 0e af 6e e1 70 30 a1 cf 6d b9 70 89 2e 83 fe 4f 9a e5 65 f8 70 11 20 a9 13 11 1c 99 5a e1 7b 4c 81 7d fa e3 74 b9 46 b5 3d 1e 4c a9 b9 b2 0d 57 21 eb 23 20 aa 26 c3 89 3e 37 03 e9 36 0a e1 10 73 d4 ed 03 f3 f6 be db 43 72 3b d4 0e 93 e1 cf 4f 7f 19 05 25 b0 27 3e d1 a0 1a 84 94 82 5e 52 d6 42 a6 d1 b4 d0 cd 8d 19 70 40 57 53 b2 26 8a c0 9a 02 a0 45 b3 0e 9e bd 90 86 32 6a bb 06 4b d4 2b 70 f3 6c 5a 0c d1 1b f1 9f 8a 12 44 42 c0 a3 c8 7b 57 24 73 fb 40 f6 74 ab 72 6f 3d e6 dc 95 92 da 86 1a 59 76 6c 7e db af e5 87 4
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 178.32.255.132:7080 | Content-Length: 324 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 40 76 d0 f9 58 3f 30 8c 60 8e 79 f3 93 83 78 4e be 64 23 47 9b 3f c0 78 89 62 d3 4f d5 65 fd 73 8e 59 63 31 e5 c3 a6 94 56 5a 2e 2a 71 fa ee 4c 05 83 25 79 fa c6 15 ef d9 c3 14 23 fa 54 84 4f b5 61 38 ec 32 6d 3e 65 24 27 d1 7d 96 61 3f 14 03 8f cf 62 3f 85 a9 f4 e1 05 cf e0 7c 87 f5 6c e6 09 e7 e4 17 1d 00 43 a4 6a 18 a6 93 75 88 60 8b 6f 41 40 77 5f 42 99 da 5b a8 54 f6 b7 09 7d 22 7a 88 75 a3 ca 0f a2 4c 17 73 51 7b 16 ba 1a fb 78 cb 4e e7 41 3f a5 9f a0 e8 ea 29 bb ce 85 e0 e3 f5 6f 62 bb 6a 2b 34 fe 6a ac 67 83 49 3e 93 bb 13 3d e7 56 bd 3a a6 0b 3b b0 3c 6d c9 81 e8 3f 0e 33 91 01 ae 8e 47 ac 3e 05 45 62 dc 9a 43 5c f7 b9 5b ef 2e cc fb f7 ca 43 21 95 b8 4e 5d d3 28 00 6f 8c f0 88 0b cd 6e 7b 24 2f 31
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.2:49164 -> 69.16.193.12:4143
Source: global traffic | TCP traffic: 192.168.2.2:49165 -> 178.32.255.132:7080
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 4143
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 7080

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00309960 StartServiceW,CloseServiceHandle,CloseServiceHandle,2_2_00309960

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\dnscart.exe | PE file moved: C:\Windows\System32\crypttime.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\crypttime.exe | Executable created and started: C:\Windows\System32\crypttime.exe

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.10790918737
PE file contains an invalid checksum
Source: dnscart.exe | Static PE information: real checksum: 0x1 should be: 0x2d77f
PE file contains sections with non-standard names
Source: dnscart.exe | Static PE information: section name: 6xOsN5y
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D147E4 push 00000048h; iretd 1_2_00D147E6
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D1572F push ebp; retf 1_2_00D15738
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00D14ABA push ebp; ret 1_2_00D14AC4

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: dnscart.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: dnscart.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: !!22ewW.pdb | source: crypttime.exe, dnscart.exe
Classification label
Source: classification engine | Classification label: mal52.troj.winEXE@6/0@0/2
Contains functionality to create services
Source: C:\Windows\System32\crypttime.exe | Code function: CreateServiceW,4_2_002297B3
Contains functionality to enum processes or threads
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_0022214F CreateToolhelp32Snapshot,4_2_0022214F
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00309960 StartServiceW,CloseServiceHandle,CloseServiceHandle,2_2_00309960
PE file has an executable .text section and no other executable section
Source: dnscart.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\dnscart.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\dnscart.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\dnscart.exe 'C:\Users\user\Desktop\dnscart.exe'
Source: unknown | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: unknown | Process created: C:\Windows\System32\crypttime.exe C:\Windows\system32\crypttime.exe
Source: unknown | Process created: C:\Windows\System32\crypttime.exe C:\Windows\system32\crypttime.exe
Source: C:\Users\user\Desktop\dnscart.exe | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: C:\Windows\System32\crypttime.exe | Process created: C:\Windows\System32\crypttime.exe C:\Windows\system32\crypttime.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\dnscart.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00302220 CreateProcessAsUserW,2_2_00302220
Creates mutexes
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\MDB98E05
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M5F197D37
Source: C:\Windows\System32\crypttime.exe | Mutant created: \BaseNamedObjects\MC7845B8F
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I5F197D37
Source: C:\Windows\System32\crypttime.exe | Mutant created: \BaseNamedObjects\Global\I5F197D37
Deletes Windows files
Source: C:\Users\user\Desktop\dnscart.exe | File deleted: C:\Windows\System32\crypttime.exe:Zone.Identifier
PE file contains executable resources (Code or Archives)
Source: dnscart.exe | Static PE information: Resource name: RT_VERSION type: VAX COFF executable not stripped - version 79
Reads the hosts file
Source: C:\Windows\System32\crypttime.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\crypttime.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: dnscart.exe | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: System.OriginalFileName vs dnscart.exe

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\dnscart.exe | System information queried: KernelDebuggerInformation
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00291BE0 mov eax, dword ptr fs:[00000030h] 1_2_00291BE0
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00301BE0 mov eax, dword ptr fs:[00000030h] 2_2_00301BE0
Source: C:\Windows\System32\crypttime.exe | Code function: 3_2_00651BE0 mov eax, dword ptr fs:[00000030h] 3_2_00651BE0
Source: C:\Windows\System32\crypttime.exe | Code function: 4_2_00221BE0 mov eax, dword ptr fs:[00000030h] 4_2_00221BE0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00182088 GetLastError,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,SetLastError,GetCurrentProcess,GetLastError,wsprintfA,SetLastError,GetCurrentProcessId,1_2_00182088
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Analysis System Evasion:

Program exit points
Source: C:\Windows\System32\crypttime.exe | API call chain: ExitProcess graph end node | graph_4-6356
Source: C:\Windows\System32\crypttime.exe | API call chain: ExitProcess graph end node | graph_4-6265
Queries a list of all running processes
Source: C:\Windows\System32\crypttime.exe | Process information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\Users\user\Desktop\dnscart.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,OpenServiceW,2_2_0030985F
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,GetLastError,2_2_003097F3
Source: C:\Windows\System32\crypttime.exe | Code function: EnumServicesStatusExW,OpenServiceW,4_2_0022985F
Source: C:\Windows\System32\crypttime.exe | Code function: EnumServicesStatusExW,GetLastError,4_2_002297F3
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\dnscart.exe | API coverage: 6.4 %
Source: C:\Windows\System32\crypttime.exe | API coverage: 5.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dnscart.exe TID: 3348 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\crypttime.exe TID: 3412 | Thread sleep time: -60000s >= -60000s
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 4143
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 7080

Language, Device and Operating System Detection:

Contains functionality to query windows version
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_00298DA0 RtlGetVersion,GetNativeSystemInfo,1_2_00298DA0
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\dnscart.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dnscart.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\crypttime.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph

Behavior graph image not included; the data recoverable from it is listed below.

Behavior Graph ID: 41978
Sample: dnscart.exe
Startdate: 08/01/2018
Architecture: WINDOWS
Score: 52

Process nodes:
  • dnscart.exe started a child dnscart.exe
  • crypttime.exe started a child crypttime.exe
  • the child crypttime.exe contacted both IPs listed below

Signature nodes:
  • Detected TCP or UDP traffic on non-standard ports
  • Uses known network protocols on non-standard ports
  • Drops executables to the windows directory (C:\Windows) and starts them

DNS/IP nodes:
  • 178.32.255.132, ports 49165 and 7080, OVHFR, France
  • 69.16.193.12, ports 4143 and 49164, LIQUID-WEB-INC-LiquidWebLLCUS, United States

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
69.16.193.12 | cssvs.doc | e1834f24a6c23a1cd598e6f883113eb6660f856df27c87c4db32b6ac587eb078 | malicious | 69.16.193.12:4143/
69.16.193.12 | http://www.rbkmaster.ru/cli/UPS-US/08-Jan-18-09-30-33 | | malicious | 69.16.193.12:4143/
69.16.193.12 | http://www.thevisionaire.net/Invoice-31882146/ | | malicious | 69.16.193.12:4143/
69.16.193.12 | refugee.doc | d038049d22c876e826cf41e0f69089d9a01654f48790c53202cbfa98bcf8c6eb | malicious | 69.16.193.12:4143/
69.16.193.12 | refugee.doc | d038049d22c876e826cf41e0f69089d9a01654f48790c53202cbfa98bcf8c6eb | malicious | 69.16.193.12:4143/
69.16.193.12 | cssvs.doc | e1834f24a6c23a1cd598e6f883113eb6660f856df27c87c4db32b6ac587eb078 | malicious | 69.16.193.12:4143/
178.32.255.132 | cssvs.doc | e1834f24a6c23a1cd598e6f883113eb6660f856df27c87c4db32b6ac587eb078 | malicious | 178.32.255.132:7080/
178.32.255.132 | http://www.rbkmaster.ru/cli/UPS-US/08-Jan-18-09-30-33 | | malicious | 178.32.255.132:7080/
178.32.255.132 | http://www.thevisionaire.net/Invoice-31882146/ | | malicious | 178.32.255.132:7080/
178.32.255.132 | refugee.doc | d038049d22c876e826cf41e0f69089d9a01654f48790c53202cbfa98bcf8c6eb | malicious | 178.32.255.132:7080/
178.32.255.132 | refugee.doc | d038049d22c876e826cf41e0f69089d9a01654f48790c53202cbfa98bcf8c6eb | malicious | 178.32.255.132:7080/
178.32.255.132 | cssvs.doc | e1834f24a6c23a1cd598e6f883113eb6660f856df27c87c4db32b6ac587eb078 | malicious | 178.32.255.132:7080/

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
OVHFR | 1XCDFRVVCDE.js | 04a233e32a9c805a7a0ba86637cedbb4471cbd2e6782e1eeb78a866fbbc6c468 | malicious | 94.23.193.139
OVHFR | 54PI#80477.INV-2017.exe | 7f15cca9c4c593200ed6ce0ed35dfae25ac9e11c111b2bbc2a5f023a5c58078e | malicious | 158.69.33.229
OVHFR | vfd.exe | c86fd81aede1a694f978ee09be2f16c6bcd335741538e666883d69dbb9c4c1ae | malicious | 142.4.204.111
OVHFR | 3CNNBFHFJE.js | f7f7a636a47b436d6bce52dec222f44fe8b1f0cf74435ab9461f38d3fe21f0f9 | malicious | 94.23.220.50
OVHFR | 1.exe | 27f7e3c15ed7a253fb9eabf7163c424b582cc9f7e90ff9571c9e76a0e82dc5b1 | malicious | 151.80.147.153
OVHFR | Emotet.doc | 9e7a51d4c86a41a01d0e6bcac1c7720ebae68bb08b7840cad7f35003a0105527 | malicious | 167.114.121.80
OVHFR | Conference_on_Cyber_Conflict (2).doc | e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae | malicious | 91.134.203.113
OVHFR | .........exe | 6fa7da5f3026074b6c2a4b98865175f024941057a8c55d5516797f928a737195 | malicious | 176.31.8.247
OVHFR | http://ilab.ee/aliofficevericheck/aliofficevericheck | | malicious | 198.27.103.128
OVHFR | https://www.radioz.es/wp-includes/Text/ble/index.php?userid=billy.bubba@bubba.com | | malicious | 149.202.91.84
OVHFR | Emotet2.doc | 27690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3 | malicious | 151.80.45.148
OVHFR | https://r717.net/Frage-zur-Rechnung/ | | malicious | 91.90.88.5
OVHFR | invoce.doc.exe | be468f7a7eb00e890482de26fdb560188c2b2f04c8ea1df624026ac58295f78a | malicious | 167.114.121.80
OVHFR | jun.exe | 07fbbb5eb8d6c7fa8c6471088c5b01548474e42aacebbf7be685a92659155f5e | malicious | 167.114.121.80
OVHFR | 49STATEMENT OF ACCOUNT - 1300017506.exe | e45ac9b897f7079d36f33467d45d24c31bf6a36f3fca03e3d3d6614cb5ef1ed2 | malicious | 198.27.115.53
OVHFR | 67New_P.O.#6_11_201.exe | 6c0d725538e4688541bd73252c558520352d646b795eb710164ef24cc2e1ef53 | malicious | 46.105.161.50
OVHFR | 47New_P.O.#6_11_201.exe | 67f7ef59986dc7019e4bc7cf1c01e36d5deb6504e24e3c4c141fbe5d0d15ccfa | malicious | 46.105.161.50
OVHFR | 67NEW_P.O_#76556756_pd.exe | f485911b6c07c4e7ba622e1009d65832bcb3303c462c6e4fddc24c6064b566ab | malicious | 46.105.161.50
OVHFR | 70iUuqJ39i.exe | abf10dea3a51b324d955c18c3ef3691fcc099158c0be6e9517a4d70c4fa35014 | malicious | 5.39.43.144
OVHFR | 57Sample_#3245.exe | 66d3a51680884a7bfd7407b4e8778b6405b6815aef8770e1eb2f22c54d22d0b1 | malicious | 198.100.157.176
LIQUID-WEB-INC-LiquidWebLLCUS | http://www.cwinauto.com/indezxx.php | | malicious | 67.227.129.132
LIQUID-WEB-INC-LiquidWebLLCUS | 13documen.exe | de8a2298b9753d681fba9102d19f0181f89c3439f3aae09e55bb712c87d2fc66 | malicious | 69.16.227.189
LIQUID-WEB-INC-LiquidWebLLCUS | https://lojassantoantonio.com.br/reuin.htm | | malicious | 67.227.155.126
LIQUID-WEB-INC-LiquidWebLLCUS | 117purchase order.exe | dd47e24758f137f2aadd3bf694272c6237fb3556dc5ba8b26f0128237a9d0688 | malicious | 67.225.190.156
LIQUID-WEB-INC-LiquidWebLLCUS | https://jenniferboggett.com/blog/stand/office360/ | | malicious | 208.86.154.72
LIQUID-WEB-INC-LiquidWebLLCUS | www.1000-brussel.be/themes/ad_novus/ad_novus-fluid/merchant.php?missing=gq2n8g4z8c3 | | malicious | 184.106.55.82
LIQUID-WEB-INC-LiquidWebLLCUS | http://www.detoxyourbodytoday.com/Invoices-attached/ | | malicious | 184.106.55.63
LIQUID-WEB-INC-LiquidWebLLCUS | http://negociotoponline.net/PAYPAL/LLC/ | | malicious | 67.225.176.8
LIQUID-WEB-INC-LiquidWebLLCUS | cssvs.doc | e1834f24a6c23a1cd598e6f883113eb6660f856df27c87c4db32b6ac587eb078 | malicious | 69.16.193.12
LIQUID-WEB-INC-LiquidWebLLCUS | http://www.rbkmaster.ru/cli/UPS-US/08-Jan-18-09-30-33 | | malicious | 69.16.193.12
LIQUID-WEB-INC-LiquidWebLLCUS | http://api.htmlobfuscator.com/?getsrc=ok&ref=http%3A%2F%2Fdanangcuisine.com%2Freviews%2Fto-where-fish-sauce-is-made%2F&url=http%3A%2F%2Fdanangcuisine.com%2Fwp-content%2Fplugins%2Fsimple-convertor%2Fwidget.html | | malicious | 67.227.226.240
LIQUID-WEB-INC-LiquidWebLLCUS | CDoc414.pdf | 8238259b2b053b39662058d9c23c3b38afd9d089889fed1bdf3e5400e570cabb | malicious | 50.28.56.107
LIQUID-WEB-INC-LiquidWebLLCUS | F1.exe | f025dcef71cfc6397dca40985c024505d043d9d0e9fdaa9d662fbc89d616488b | malicious | 67.227.192.122
LIQUID-WEB-INC-LiquidWebLLCUS | Emotet1812.doc | fdd6288747eb976a863966935b7800b1ed839ded3fe15dfa039a2c6f68b940b5 | malicious | 184.106.55.63
LIQUID-WEB-INC-LiquidWebLLCUS | https://awesomespecials.net/xcmooiiok | | malicious | 67.227.145.203
LIQUID-WEB-INC-LiquidWebLLCUS | http://www.thevisionaire.net/Invoice-31882146/ | | malicious | 69.16.193.12
LIQUID-WEB-INC-LiquidWebLLCUS | refugee.doc | d038049d22c876e826cf41e0f69089d9a01654f48790c53202cbfa98bcf8c6eb | malicious | 69.16.193.12
LIQUID-WEB-INC-LiquidWebLLCUS | Emotet1812.doc | fdd6288747eb976a863966935b7800b1ed839ded3fe15dfa039a2c6f68b940b5 | malicious | 184.106.55.63
LIQUID-WEB-INC-LiquidWebLLCUS | ACHIEVE-1 CONTRACT.pdf | 24bea02fcf153e6c4ff26fd45fb256f6f807a27458b4ba3a5bd22675d972c68f | malicious | 69.167.130.70
LIQUID-WEB-INC-LiquidWebLLCUS | 7tex.exe | 0410aa6e3d0ed6c22c0e953fa05c057c0a66bf62736b93e1e7c7aee97d116617 | malicious | 50.28.8.76

Dropped Files

No context

Screenshot