Play interactive tour
Edit tourAnalysis Report Factura PO 1541973.exe
Overview
General Information
| Sample Name: | Factura PO 1541973.exe |
| Analysis ID: | 433037 |
| MD5: | 429a3063db13e84f8e0843f46b60753e |
| SHA1: | de9221c73fe3610393f1f9197dfecf0896ed776c |
| SHA256: | 62e122a12ea4ccace679e22b13975e1f0e476dda8373279d99b757635c8b06dc |
| Tags: | AgentTeslaexe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "SMTP Info": "dubai@skycomex.com@EHbqYU1us2.smtp.mailhostbox.com"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 8 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 3 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Code function: | 0_2_013BC3A0 | |
| Source: | Code function: | 0_2_013BA758 | |
| Source: | Code function: | 0_2_05D9B628 | |
| Source: | Code function: | 0_2_05D9C048 | |
| Source: | Code function: | 0_2_05D9822E | |
| Source: | Code function: | 0_2_05D9AD98 | |
| Source: | Code function: | 0_2_05D9CFB0 | |
| Source: | Code function: | 0_2_05D97B00 | |
| Source: | Code function: | 0_2_05D97550 | |
| Source: | Code function: | 0_2_05D97540 | |
| Source: | Code function: | 0_2_05D9F530 | |
| Source: | Code function: | 0_2_05D9B618 | |
| Source: | Code function: | 0_2_05D9A190 | |
| Source: | Code function: | 0_2_05D9A1A0 | |
| Source: | Code function: | 0_2_05D9F098 | |
| Source: | Code function: | 0_2_05D9B050 | |
| Source: | Code function: | 0_2_05D90040 | |
| Source: | Code function: | 0_2_05D9B060 | |
| Source: | Code function: | 0_2_05D90007 | |
| Source: | Code function: | 0_2_05D9C038 | |
| Source: | Code function: | 0_2_05D9F2D0 | |
| Source: | Code function: | 0_2_05D9AD92 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | Metadefender: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_013B0442 | |
| Source: | Code function: | 0_2_013B043A | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Uses schtasks.exe or at.exe to add and modify task schedules | Show sources | ||
| Source: | Process created: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Yara detected AntiVM3 | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File opened / queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing3 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion141 | Cached Domain Credentials | Virtualization/Sandbox Evasion141 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 34% | Virustotal | Browse | ||
| 23% | Metadefender | Browse | ||
| 34% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 23% | Metadefender | Browse | ||
| 34% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | 208.91.199.223 | true | false | high |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| low | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| low |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 208.91.199.223 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
General Information |
|---|
| Joe Sandbox Version: | 32.0.0 Black Diamond |
| Analysis ID: | 433037 |
| Start date: | 11.06.2021 |
| Start time: | 08:03:27 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 9m 43s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Factura PO 1541973.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 19 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/5@1/1 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 08:04:17 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 208.91.199.223 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\Factura PO 1541973.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 1314 |
| Entropy (8bit): | 5.350128552078965 |
| Encrypted: | false |
| SSDEEP: | 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR |
| MD5: | 1DC1A2DCC9EFAA84EABF4F6D6066565B |
| SHA1: | B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9 |
| SHA-256: | 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF |
| SHA-512: | 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7 |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Factura PO 1541973.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1643 |
| Entropy (8bit): | 5.189995397126082 |
| Encrypted: | false |
| SSDEEP: | 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGNtn:cbhK79lNQR/rydbz9I3YODOLNdq3A |
| MD5: | 581656AAF565B7599C874A18536B35B2 |
| SHA1: | C24E3A41792AD6831F9E8091CC6A52D90DC07E92 |
| SHA-256: | F5ECCB10AA1D316BF2E4EFEC8DB454A3D6CCCDE50C043EE0E1CA582A897EE11C |
| SHA-512: | C10C89D107C70488128EEB6D741BDFF1983972FEA38A812723412D8B2D2FD7232158C23BFF3ADDE8E6B99950F93A0305E0D975DB73FE53B752EDFD2634978744 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Factura PO 1541973.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 952832 |
| Entropy (8bit): | 7.634813259762412 |
| Encrypted: | false |
| SSDEEP: | 12288:t1+m5ABVldpNU3FVYWCMWrE0ak3wIJFr8JgoD1py2JeiluZM4e/ZUdtb:tPeeFVYAi3wIYJPDD5pluNeBUdt |
| MD5: | 429A3063DB13E84F8E0843F46B60753E |
| SHA1: | DE9221C73FE3610393F1F9197DFECF0896ED776C |
| SHA-256: | 62E122A12EA4CCACE679E22B13975E1F0E476DDA8373279D99B757635C8B06DC |
| SHA-512: | 876D20B1E4ED70710184895303799CE258F98795B41180B90FDAEDCA572EF1CD45460B5B91DEB4C11A54545C2F38D1C00BEC3B72979E30C22DDB4D9ABA5ABB0A |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Factura PO 1541973.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Factura PO 1541973.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 0.7006690334145785 |
| Encrypted: | false |
| SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ |
| MD5: | A7FE10DA330AD03BF22DC9AC76BBB3E4 |
| SHA1: | 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803 |
| SHA-256: | 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8 |
| SHA-512: | 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7 |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.634813259762412 |
| TrID: |
|
| File name: | Factura PO 1541973.exe |
| File size: | 952832 |
| MD5: | 429a3063db13e84f8e0843f46b60753e |
| SHA1: | de9221c73fe3610393f1f9197dfecf0896ed776c |
| SHA256: | 62e122a12ea4ccace679e22b13975e1f0e476dda8373279d99b757635c8b06dc |
| SHA512: | 876d20b1e4ed70710184895303799ce258f98795b41180b90fdaedca572ef1cd45460b5b91deb4c11a54545c2f38d1c00bec3b72979e30c22ddb4d9aba5abb0a |
| SSDEEP: | 12288:t1+m5ABVldpNU3FVYWCMWrE0ak3wIJFr8JgoD1py2JeiluZM4e/ZUdtb:tPeeFVYAi3wIYJPDD5pluNeBUdt |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............v.... ... ....@.. ....................................@................................ |
File Icon |
|---|
 | |
| Icon Hash: | 8c8caa8e9692aa00 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4c0176 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x60C21B8B [Thu Jun 10 14:02:51 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | v4.0.30319 |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc0124 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc2000 | 0x2a394 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbffec | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xbe17c | 0xbe200 | False | 0.949855666502 | 370 sysV pure executable not stripped | 7.96018720186 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc2000 | 0x2a394 | 0x2a400 | False | 0.124404816938 | data | 4.17231984784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xee000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0776331623432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xc2200 | 0x2326 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
| RT_ICON | 0xc4538 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | ||
| RT_ICON | 0xd4d70 | 0x94a8 | data | ||
| RT_ICON | 0xde228 | 0x5488 | data | ||
| RT_ICON | 0xe36c0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | ||
| RT_ICON | 0xe78f8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | ||
| RT_ICON | 0xe9eb0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | ||
| RT_ICON | 0xeaf68 | 0x988 | data | ||
| RT_ICON | 0xeb900 | 0x468 | GLS_BINARY_LSB_FIRST | ||
| RT_GROUP_ICON | 0xebd78 | 0x84 | data | ||
| RT_VERSION | 0xebe0c | 0x388 | data | ||
| RT_MANIFEST | 0xec1a4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
|---|
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Paul Harris 2016 |
| Assembly Version | 251.2.0.0 |
| InternalName | ConstructorInfo.exe |
| FileVersion | 251.2.0.0 |
| CompanyName | Paul Harris |
| LegalTrademarks | |
| Comments | 1992 Alpine A 610 |
| ProductName | ReloadManager |
| ProductVersion | 251.2.0.0 |
| FileDescription | ReloadManager |
| OriginalFilename | ConstructorInfo.exe |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 06/11/21-08:06:02.993426 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| 06/11/21-08:06:06.279511 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 11, 2021 08:06:01.240387917 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:01.404711008 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:01.404921055 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:01.980102062 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:01.980814934 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.145400047 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:02.145451069 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:02.147583961 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.315876007 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:02.316389084 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.483670950 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:02.484386921 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.649792910 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:02.650073051 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.825508118 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:02.825818062 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.992470026 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:02.993426085 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.993542910 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.994645119 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:02.994695902 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:03.157859087 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:03.159264088 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:03.280250072 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:03.330709934 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:04.768742085 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:04.933777094 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:04.933795929 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:04.933985949 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:04.934179068 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:04.935074091 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:05.099284887 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.099436998 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.099498987 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:05.270102024 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.270399094 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:05.434314966 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.434417009 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.434684992 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:05.602807999 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.603249073 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:05.769443035 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.769814968 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:05.934775114 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:05.935218096 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.108582973 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:06.109487057 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.275418997 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:06.279030085 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.279510975 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.279810905 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.280102015 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.280495882 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.280710936 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.280910969 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.281122923 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
| Jun 11, 2021 08:06:06.446223021 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:06.446441889 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:06.446964979 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:06.447500944 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:06.547502041 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 |
| Jun 11, 2021 08:06:06.596929073 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 11, 2021 08:04:09.735510111 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:11.649197102 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:11.699404955 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:16.222839117 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:16.275559902 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:17.100451946 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:17.153492928 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:18.480669022 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:18.531339884 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:19.458003044 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:19.511290073 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:20.500994921 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:20.553800106 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:21.511910915 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:21.564140081 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:22.466965914 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:22.517554045 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:23.354130030 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:23.414649963 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:24.302028894 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:24.356265068 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:25.222007990 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:25.281595945 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:26.335386038 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:26.390681028 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:27.319438934 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:27.370568991 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:28.258600950 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:28.317204952 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:30.816145897 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:30.867733955 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:31.863389015 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:31.921552896 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:34.004097939 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:34.064551115 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:36.558356047 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:36.608555079 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:38.909733057 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:38.972330093 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:55.652265072 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:55.793745041 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:56.362415075 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:56.451003075 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:56.504664898 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:56.521023035 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:57.255492926 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:57.317070961 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:57.803144932 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:57.864692926 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:58.480649948 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:58.544281960 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:59.142040968 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:59.203213930 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:04:59.832164049 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:04:59.893954992 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:00.731894016 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:00.795730114 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:01.641452074 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:01.704530954 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:02.185380936 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:02.247342110 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:04.751456022 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:04.813363075 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:14.338932037 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:14.343724012 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:14.412621975 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:14.413042068 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:17.289112091 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:17.351978064 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:48.938035965 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:48.996527910 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:05:50.675123930 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:05:50.746380091 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 08:06:01.064519882 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 08:06:01.126252890 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jun 11, 2021 08:06:01.064519882 CEST | 192.168.2.4 | 8.8.8.8 | 0xaf7 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jun 11, 2021 08:06:01.126252890 CEST | 8.8.8.8 | 192.168.2.4 | 0xaf7 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
| Jun 11, 2021 08:06:01.126252890 CEST | 8.8.8.8 | 192.168.2.4 | 0xaf7 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
| Jun 11, 2021 08:06:01.126252890 CEST | 8.8.8.8 | 192.168.2.4 | 0xaf7 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
| Jun 11, 2021 08:06:01.126252890 CEST | 8.8.8.8 | 192.168.2.4 | 0xaf7 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Jun 11, 2021 08:06:01.980102062 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| Jun 11, 2021 08:06:01.980814934 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 | EHLO 247525 |
| Jun 11, 2021 08:06:02.145451069 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| Jun 11, 2021 08:06:02.147583961 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 | AUTH login ZHViYWlAc2t5Y29tZXguY29t |
| Jun 11, 2021 08:06:02.315876007 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| Jun 11, 2021 08:06:02.483670950 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| Jun 11, 2021 08:06:02.484386921 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 | MAIL FROM:<dubai@skycomex.com> |
| Jun 11, 2021 08:06:02.649792910 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 250 2.1.0 Ok |
| Jun 11, 2021 08:06:02.650073051 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 | RCPT TO:<dubai@skycomex.com> |
| Jun 11, 2021 08:06:02.825508118 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 250 2.1.5 Ok |
| Jun 11, 2021 08:06:02.825818062 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 | DATA |
| Jun 11, 2021 08:06:02.992470026 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| Jun 11, 2021 08:06:02.994695902 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 | . |
| Jun 11, 2021 08:06:03.280250072 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 250 2.0.0 Ok: queued as B8ED218586B |
| Jun 11, 2021 08:06:04.768742085 CEST | 49771 | 587 | 192.168.2.4 | 208.91.199.223 | QUIT |
| Jun 11, 2021 08:06:04.933777094 CEST | 587 | 49771 | 208.91.199.223 | 192.168.2.4 | 221 2.0.0 Bye |
| Jun 11, 2021 08:06:05.270102024 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| Jun 11, 2021 08:06:05.270399094 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 | EHLO 247525 |
| Jun 11, 2021 08:06:05.434417009 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
| Jun 11, 2021 08:06:05.434684992 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 | AUTH login ZHViYWlAc2t5Y29tZXguY29t |
| Jun 11, 2021 08:06:05.602807999 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
| Jun 11, 2021 08:06:05.769443035 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 235 2.7.0 Authentication successful |
| Jun 11, 2021 08:06:05.769814968 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 | MAIL FROM:<dubai@skycomex.com> |
| Jun 11, 2021 08:06:05.934775114 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 250 2.1.0 Ok |
| Jun 11, 2021 08:06:05.935218096 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 | RCPT TO:<dubai@skycomex.com> |
| Jun 11, 2021 08:06:06.108582973 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 250 2.1.5 Ok |
| Jun 11, 2021 08:06:06.109487057 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 | DATA |
| Jun 11, 2021 08:06:06.275418997 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
| Jun 11, 2021 08:06:06.281122923 CEST | 49772 | 587 | 192.168.2.4 | 208.91.199.223 | . |
| Jun 11, 2021 08:06:06.547502041 CEST | 587 | 49772 | 208.91.199.223 | 192.168.2.4 | 250 2.0.0 Ok: queued as 09EC61857D9 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 08:04:16 |
| Start date: | 11/06/2021 |
| Path: | C:\Users\user\Desktop\Factura PO 1541973.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x960000 |
| File size: | 952832 bytes |
| MD5 hash: | 429A3063DB13E84F8E0843F46B60753E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 08:04:20 |
| Start date: | 11/06/2021 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x9e0000 |
| File size: | 185856 bytes |
| MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 08:04:20 |
| Start date: | 11/06/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff724c50000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 08:04:21 |
| Start date: | 11/06/2021 |
| Path: | C:\Users\user\Desktop\Factura PO 1541973.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x610000 |
| File size: | 952832 bytes |
| MD5 hash: | 429A3063DB13E84F8E0843F46B60753E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 05D9AD98, Relevance: 1.4, Strings: 1, Instructions: 195COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9AD92, Relevance: 1.4, Strings: 1, Instructions: 193COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9CFB0, Relevance: .3, Instructions: 290COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9822E, Relevance: .2, Instructions: 244COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D97B00, Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9B618, Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9B628, Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9C048, Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9C038, Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9A0F0, Relevance: 2.5, Strings: 2, Instructions: 43COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9A0EA, Relevance: 2.5, Strings: 2, Instructions: 43COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BBA50, Relevance: 1.7, APIs: 1, Instructions: 199COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BAAD4, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BDF0D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013B7009, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013B7078, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013B7080, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BBC40, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BE160, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BE159, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D989A0, Relevance: 1.4, Strings: 1, Instructions: 187COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D98416, Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96928, Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D95ED8, Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9B7F8, Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9B928, Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9B808, Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 011FD4D8, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9D5B0, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0120D1D4, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0120D01C, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D966F4, Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9BDB2, Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9BDC0, Relevance: .1, Instructions: 58COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96440, Relevance: .1, Instructions: 58COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 011FD4D3, Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0120D017, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0120D1CF, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96700, Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D97041, Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 011FD771, Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 011FD770, Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9D6E0, Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96E98, Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96F38, Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9C189, Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96409, Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D981D0, Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9BA50, Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9A0A0, Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96F90, Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D95E90, Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D981E0, Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9A96F, Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96DF5, Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D96E00, Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9A535, Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9C219, Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9C26A, Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 05D90040, Relevance: 1.3, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D97540, Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BA758, Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D97550, Relevance: .3, Instructions: 264COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9B050, Relevance: .2, Instructions: 248COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9B060, Relevance: .2, Instructions: 246COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013BC3A0, Relevance: .2, Instructions: 217COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9F2D0, Relevance: .2, Instructions: 161COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9F530, Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D90007, Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9F098, Relevance: .1, Instructions: 113COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9A1A0, Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05D9A190, Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |