Play interactive tour
Edit tourAnalysis Report Quote-TSL-1037174_4810.exe
Overview
General Information
| Sample Name: | Quote-TSL-1037174_4810.exe |
| Analysis ID: | 433217 |
| MD5: | deb5412f0b0201d045e2007503bbb283 |
| SHA1: | 4086c81e9c51db9e242c604bfa99ad217a45986d |
| SHA256: | c770d9d870614a8a39844cd1f564bb823944f8d4d25f7d68f15b1401fb08e4e9 |
| Tags: | AgentTeslaexe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AgentTesla
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "SMTP Info": "accounts@buynsell.com.pkTZaQ}N$m+6$vmail.buynsell.com.pkmaria@tradzilanilaw.co.za"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 21 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 13 entries | ||||
Sigma Overview |
|---|
Networking: |   |
|---|
| Sigma detected: MSBuild connects to smtp port | Show sources | ||
| Source: | Author: Joe Security: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | ReversingLabs: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | ReversingLabs: | ||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Networking: | |
|---|
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Installs a global keyboard hook | Show sources | ||
| Source: | Windows user hook set: | ||
| Source: | Code function: | ||
| Source: | Window created: | ||
Spam, unwanted Advertisements and Ransom Demands: | |
|---|
| Modifies the hosts file | Show sources | ||
| Source: | File written: | Jump to behavior | ||
System Summary: | |
|---|
| .NET source code contains very large array initializations | Show sources | ||
| Source: | Large array initialization: | ||
| Source: | Large array initialization: | ||
| Source: | Large array initialization: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Task registration methods: | ||
| Source: | Task registration methods: | ||
| Source: | Task registration methods: | ||
| Source: | Task registration methods: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Security API names: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | Window detected: | ||
| Source: | File opened: | ||
| Source: | Key opened: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Creates multiple autostart registry keys | Show sources | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Hides that the sample has been downloaded from the Internet (zone.identifier) | Show sources | ||
| Source: | File opened: | ||
| Source: | Registry key monitored for changes: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
Malware Analysis System Evasion: | |
|---|
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File opened / queried: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Window / User API: | ||
| Source: | Window / User API: | ||
| Source: | Window / User API: | ||
| Source: | Window / User API: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Process token adjusted: | ||
| Source: | Process token adjusted: | ||
| Source: | Process token adjusted: | ||
| Source: | Memory allocated: | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| .NET source code references suspicious native API functions | Show sources | ||
| Source: | Reference to suspicious API methods: | ||
| Source: | Reference to suspicious API methods: | ||
| Source: | Reference to suspicious API methods: | ||
| Source: | Reference to suspicious API methods: | ||
| Source: | Reference to suspicious API methods: | ||
| Source: | Reference to suspicious API methods: | ||
| Maps a DLL or memory area into another process | Show sources | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Modifies the hosts file | Show sources | ||
| Source: | File written: | Jump to behavior | ||
| Writes to foreign memory regions | Show sources | ||
| Source: | Memory written: | ||
| Source: | Memory written: | ||
| Source: | Memory written: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Key value queried: | ||
Lowering of HIPS / PFW / Operating System Security Settings: | |
|---|
| Modifies the hosts file | Show sources | ||
| Source: | File written: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection212 | File and Directory Permissions Modification1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
| Default Accounts | Native API11 | Registry Run Keys / Startup Folder11 | Scheduled Task/Job1 | Disable or Modify Tools1 | Input Capture11 | File and Directory Discovery2 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Scheduled Task/Job1 | Logon Script (Windows) | Registry Run Keys / Startup Folder11 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery116 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture11 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Security Software Discovery221 | SSH | Clipboard Data2 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion141 | DCSync | Virtualization/Sandbox Evasion141 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection212 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 14% | Metadefender | Browse | ||
| 59% | ReversingLabs | Win32.Backdoor.Androm | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML | |||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 14% | Metadefender | Browse | ||
| 59% | ReversingLabs | Win32.Backdoor.Androm |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1137482 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | TR/Patched.Ren.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1137482 | Download File | ||
| 100% | Avira | HEUR/AGEN.1137482 | Download File | ||
| 100% | Avira | HEUR/AGEN.1137482 | Download File | ||
| 100% | Avira | TR/Spy.Gen8 | Download File | ||
| 100% | Avira | HEUR/AGEN.1137482 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138205 | Download File | ||
| 100% | Avira | HEUR/AGEN.1137482 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| buynsell.com.pk | 194.28.84.37 | true | true | unknown | |
| mail.buynsell.com.pk | unknown | unknown | true | unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 194.28.84.37 | buynsell.com.pk | Ukraine | 196645 | HOSTPRO-ASUA | true |
General Information |
|---|
| Joe Sandbox Version: | 32.0.0 Black Diamond |
| Analysis ID: | 433217 |
| Start date: | 11.06.2021 |
| Start time: | 13:18:18 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 10m 52s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Sample file name: | Quote-TSL-1037174_4810.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 22 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.spre.troj.adwa.spyw.evad.winEXE@13/18@2/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 13:19:03 | Autostart | |
| 13:19:11 | Autostart | |
| 13:19:12 | API Interceptor | |
| 13:19:14 | API Interceptor | |
| 13:19:49 | Autostart | |
| 13:19:57 | Autostart |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 194.28.84.37 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| HOSTPRO-ASUA | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsg8314.tmp\System.dll | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Created / dropped Files |
|---|
| Process: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 841 |
| Entropy (8bit): | 5.356220854328477 |
| Encrypted: | false |
| SSDEEP: | 24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj |
| MD5: | 486580834B084C92AE1F3866166C9C34 |
| SHA1: | C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF |
| SHA-256: | 65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB |
| SHA-512: | 2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 222208 |
| Entropy (8bit): | 7.999115710953568 |
| Encrypted: | true |
| SSDEEP: | 3072:vaBXEtCG5OYajI1w+Z/rT/uh0uZn1k79bG3E6I4Wwu31L676SM98/1ORmcILLQE7:vsmVGCz9uZn6Z6I4YY8mrPLlQGz |
| MD5: | C64EDB818138FCBAD02DA4F40AFB504E |
| SHA1: | E312998ABA653E46AA64AD17EC06B23C123C363A |
| SHA-256: | 10F9B7D302BECDA98408F7A361A7F8DE8ECF2149876D7B2D14C08FD62B7FADB5 |
| SHA-512: | F49E83E1DA717D275C85455C797579560F33D1570410BDBD418866F5F6FA8C9C82A6309FE8E06789ABB50F837E5DD4E013205A0FDFA49C57066CE043A8CF0B39 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 62417 |
| Entropy (8bit): | 4.988447505730978 |
| Encrypted: | false |
| SSDEEP: | 1536:INzvOIagVy6DOiz8TlJbvuPt0P63/dXT5KJC2GaNjpmSRGT:INzv3zRDiJCWCvJuC7KjU |
| MD5: | D966D7333A785DDFF7B56A403AB8388B |
| SHA1: | 130361814DC909C9036E9554B90381265EF37CA7 |
| SHA-256: | 32CD0E78D96E6CBF2962685077C0287F5301B5BD788F2F4F4ADAFFF0A05B757E |
| SHA-512: | B4369E11DC82B7694A7C3941492145EDDA05CCBB52E766D1B0D2FB66BA46C76FACAAEDB4E15121592C8BC51068F79067D34E53073C044DCEC7A006461FD1037F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 317921 |
| Entropy (8bit): | 7.545162398623952 |
| Encrypted: | false |
| SSDEEP: | 6144:UXAsmVGCz9uZn6Z6I4YY8mrPLlQGcNzvthxuYKbt:XsGGyoJ6kf8meGcNzvtnuYKp |
| MD5: | EBCC27E483829E2E2E519538BDF71B7E |
| SHA1: | 81FDE871249D5723415F6A5A0B1F7E83788A70E6 |
| SHA-256: | 86D71D31A0037F33C03921ADAA1D9ABC3E849E8BB6DD935B783AE5DED46E4EE4 |
| SHA-512: | 51339B61CBA1CE0B0F63FEE6C2AE6EFDFE88FBDEB08898F6816115C7E40B174BBCEEE4BF86C8CDED945EA2BE3A29C1D3AA750721D0ACCD643165C6CC25E78332 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.855045165595541 |
| Encrypted: | false |
| SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
| MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
| SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
| SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
| SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 317921 |
| Entropy (8bit): | 7.545162398623952 |
| Encrypted: | false |
| SSDEEP: | 6144:UXAsmVGCz9uZn6Z6I4YY8mrPLlQGcNzvthxuYKbt:XsGGyoJ6kf8meGcNzvtnuYKp |
| MD5: | EBCC27E483829E2E2E519538BDF71B7E |
| SHA1: | 81FDE871249D5723415F6A5A0B1F7E83788A70E6 |
| SHA-256: | 86D71D31A0037F33C03921ADAA1D9ABC3E849E8BB6DD935B783AE5DED46E4EE4 |
| SHA-512: | 51339B61CBA1CE0B0F63FEE6C2AE6EFDFE88FBDEB08898F6816115C7E40B174BBCEEE4BF86C8CDED945EA2BE3A29C1D3AA750721D0ACCD643165C6CC25E78332 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.855045165595541 |
| Encrypted: | false |
| SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
| MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
| SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
| SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
| SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 317921 |
| Entropy (8bit): | 7.545162398623952 |
| Encrypted: | false |
| SSDEEP: | 6144:UXAsmVGCz9uZn6Z6I4YY8mrPLlQGcNzvthxuYKbt:XsGGyoJ6kf8meGcNzvtnuYKp |
| MD5: | EBCC27E483829E2E2E519538BDF71B7E |
| SHA1: | 81FDE871249D5723415F6A5A0B1F7E83788A70E6 |
| SHA-256: | 86D71D31A0037F33C03921ADAA1D9ABC3E849E8BB6DD935B783AE5DED46E4EE4 |
| SHA-512: | 51339B61CBA1CE0B0F63FEE6C2AE6EFDFE88FBDEB08898F6816115C7E40B174BBCEEE4BF86C8CDED945EA2BE3A29C1D3AA750721D0ACCD643165C6CC25E78332 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.855045165595541 |
| Encrypted: | false |
| SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
| MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
| SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
| SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
| SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 261728 |
| Entropy (8bit): | 6.1750840449797675 |
| Encrypted: | false |
| SSDEEP: | 3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu |
| MD5: | D621FD77BD585874F9686D3A76462EF1 |
| SHA1: | ABCAE05EE61EE6292003AABD8C80583FA49EDDA2 |
| SHA-256: | 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6 |
| SHA-512: | 2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 448961 |
| Entropy (8bit): | 6.069011681162613 |
| Encrypted: | false |
| SSDEEP: | 6144:usUlNPJU0e7dkV3ZLFJVsA2mQ7fGUgYCrQOd:sPJU1763Z7VPw7+Ugfxd |
| MD5: | DEB5412F0B0201D045E2007503BBB283 |
| SHA1: | 4086C81E9C51DB9E242C604BFA99AD217A45986D |
| SHA-256: | C770D9D870614A8A39844CD1F564BB823944F8D4D25F7D68F15B1401FB08E4E9 |
| SHA-512: | 9310A18A3602D175DD5235AC464CED734AEB1BC5542BC94B45D1BE1B3D8580FB9ACC8FD3834D27025983B87A54DDAACBED9C923E2A79205BFE0CE0AA09E2CF78 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 11 |
| Entropy (8bit): | 2.663532754804255 |
| Encrypted: | false |
| SSDEEP: | 3:iLE:iLE |
| MD5: | B24D295C1F84ECBFB566103374FB91C5 |
| SHA1: | 6A750D3F8B45C240637332071D34B403FA1FF55A |
| SHA-256: | 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4 |
| SHA-512: | 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA |
| Malicious: | true |
| Preview: |
|
| Process: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 298 |
| Entropy (8bit): | 4.943030742860529 |
| Encrypted: | false |
| SSDEEP: | 6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+ |
| MD5: | 6A9888952541A41F033EB114C24DC902 |
| SHA1: | 41903D7C8F31013C44572E09D97B9AAFBBCE77E6 |
| SHA-256: | 41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE |
| SHA-512: | E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.069011681162613 |
| TrID: |
|
| File name: | Quote-TSL-1037174_4810.exe |
| File size: | 448961 |
| MD5: | deb5412f0b0201d045e2007503bbb283 |
| SHA1: | 4086c81e9c51db9e242c604bfa99ad217a45986d |
| SHA256: | c770d9d870614a8a39844cd1f564bb823944f8d4d25f7d68f15b1401fb08e4e9 |
| SHA512: | 9310a18a3602d175dd5235ac464ced734aeb1bc5542bc94b45d1be1b3d8580fb9acc8fd3834d27025983b87a54ddaacbed9c923e2a79205bfe0ce0aa09e2cf78 |
| SSDEEP: | 6144:usUlNPJU0e7dkV3ZLFJVsA2mQ7fGUgYCrQOd:sPJU1763Z7VPw7+Ugfxd |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\......... |
File Icon |
|---|
 | |
| Icon Hash: | 0000000000000000 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x40323c |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 099c0646ea7282d232219f8807883be0 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| sub esp, 00000180h |
| push ebx |
| push ebp |
| push esi |
| xor ebx, ebx |
| push edi |
| mov dword ptr [esp+18h], ebx |
| mov dword ptr [esp+10h], 00409130h |
| xor esi, esi |
| mov byte ptr [esp+14h], 00000020h |
| call dword ptr [00407030h] |
| push 00008001h |
| call dword ptr [004070B4h] |
| push ebx |
| call dword ptr [0040727Ch] |
| push 00000008h |
| mov dword ptr [00423F58h], eax |
| call 00007FBB987DD88Eh |
| mov dword ptr [00423EA4h], eax |
| push ebx |
| lea eax, dword ptr [esp+34h] |
| push 00000160h |
| push eax |
| push ebx |
| push 0041F458h |
| call dword ptr [00407158h] |
| push 004091B8h |
| push 004236A0h |
| call 00007FBB987DD541h |
| call dword ptr [004070B0h] |
| mov edi, 00429000h |
| push eax |
| push edi |
| call 00007FBB987DD52Fh |
| push ebx |
| call dword ptr [0040710Ch] |
| cmp byte ptr [00429000h], 00000022h |
| mov dword ptr [00423EA0h], eax |
| mov eax, edi |
| jne 00007FBB987DAC8Ch |
| mov byte ptr [esp+14h], 00000022h |
| mov eax, 00429001h |
| push dword ptr [esp+14h] |
| push eax |
| call 00007FBB987DD022h |
| push eax |
| call dword ptr [0040721Ch] |
| mov dword ptr [esp+1Ch], eax |
| jmp 00007FBB987DACE5h |
| cmp cl, 00000020h |
| jne 00007FBB987DAC88h |
| inc eax |
| cmp byte ptr [eax], 00000020h |
| je 00007FBB987DAC7Ch |
| cmp byte ptr [eax], 00000022h |
| mov byte ptr [eax+eax+00h], 00000000h |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x28e70 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x2c000 | 0x28e70 | 0x29000 | False | 0.0739269721799 | data | 0.988562741976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x2c310 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
| RT_ICON | 0x3cb38 | 0x94a8 | data | English | United States |
| RT_ICON | 0x45fe0 | 0x5488 | data | English | United States |
| RT_ICON | 0x4b468 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294965503, next used block 4280287231 | English | United States |
| RT_ICON | 0x4f690 | 0x25a8 | data | English | United States |
| RT_ICON | 0x51c38 | 0x10a8 | data | English | United States |
| RT_ICON | 0x52ce0 | 0xdc8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x53aa8 | 0x988 | data | English | United States |
| RT_ICON | 0x54430 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_DIALOG | 0x54898 | 0x100 | data | English | United States |
| RT_DIALOG | 0x54998 | 0x11c | data | English | United States |
| RT_DIALOG | 0x54ab8 | 0x60 | data | English | United States |
| RT_GROUP_ICON | 0x54b18 | 0x84 | data | English | United States |
| RT_MANIFEST | 0x54ba0 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA |
| USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 11, 2021 13:21:04.454927921 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:04.528718948 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:04.528865099 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:04.716147900 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:04.716617107 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:04.790772915 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:04.791491032 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:04.868208885 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:04.915411949 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:04.938837051 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.026505947 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.026534081 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.026546001 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.026560068 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.026655912 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.026715994 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.032466888 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.043819904 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.118057013 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.165466070 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.430200100 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.504817963 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.506795883 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.581099033 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.583034992 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.662856102 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.664150953 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.738085985 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.738545895 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.849030018 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.849663973 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.923571110 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.925147057 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.925338984 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.926058054 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.926398039 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
| Jun 11, 2021 13:21:05.999243975 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.999295950 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:05.999651909 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:06.000081062 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:06.005424976 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
| Jun 11, 2021 13:21:06.056117058 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 11, 2021 13:18:55.702606916 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:18:55.753992081 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:18:56.664014101 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:18:56.717088938 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:18:57.796488047 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:18:57.847105026 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:18:59.114075899 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:18:59.167464018 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:00.006516933 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:00.059524059 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:01.478553057 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:01.529217958 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:02.276595116 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:02.327080011 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:03.767395020 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:03.825901985 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:04.950159073 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:05.000334978 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:06.167848110 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:06.218069077 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:07.657063961 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:07.711707115 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:09.470839024 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:09.522155046 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:11.051964998 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:11.102130890 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:12.425761938 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:12.476281881 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:13.363559961 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:13.413616896 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:14.357387066 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:14.407419920 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:15.631155014 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:15.681289911 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:16.423212051 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:16.476000071 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:18.661943913 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:18.712230921 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:26.758990049 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:26.828430891 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:43.680207014 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:43.818207026 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:44.414587021 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:44.476222992 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:44.631582022 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:44.707420111 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:45.062336922 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:45.126400948 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:45.606440067 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:45.759912014 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:46.322932959 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:46.385080099 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:46.977027893 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:47.041770935 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:47.529011965 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:47.590732098 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:48.420711994 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:48.482470036 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:49.372217894 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:49.434217930 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:49.993207932 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:50.043271065 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:19:50.986712933 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:19:51.049527884 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:20:01.154119015 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:20:01.214184999 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:20:01.389753103 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:20:01.448281050 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:20:03.952881098 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:20:04.014728069 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:20:35.171495914 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:20:35.240530968 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:20:36.984265089 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:20:37.034384966 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:21:04.146356106 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:21:04.207077026 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
| Jun 11, 2021 13:21:04.229811907 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 11, 2021 13:21:04.319475889 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jun 11, 2021 13:21:04.146356106 CEST | 192.168.2.4 | 8.8.8.8 | 0x1834 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jun 11, 2021 13:21:04.229811907 CEST | 192.168.2.4 | 8.8.8.8 | 0xc471 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jun 11, 2021 13:21:04.207077026 CEST | 8.8.8.8 | 192.168.2.4 | 0x1834 | No error (0) | buynsell.com.pk | CNAME (Canonical name) | IN (0x0001) | ||
| Jun 11, 2021 13:21:04.207077026 CEST | 8.8.8.8 | 192.168.2.4 | 0x1834 | No error (0) | 194.28.84.37 | A (IP address) | IN (0x0001) | ||
| Jun 11, 2021 13:21:04.319475889 CEST | 8.8.8.8 | 192.168.2.4 | 0xc471 | No error (0) | buynsell.com.pk | CNAME (Canonical name) | IN (0x0001) | ||
| Jun 11, 2021 13:21:04.319475889 CEST | 8.8.8.8 | 192.168.2.4 | 0xc471 | No error (0) | 194.28.84.37 | A (IP address) | IN (0x0001) |
SMTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Jun 11, 2021 13:21:04.716147900 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 | 220-iron.fastbighost.net ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 14:21:04 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jun 11, 2021 13:21:04.716617107 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 | EHLO 066656 |
| Jun 11, 2021 13:21:04.790772915 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 | 250-iron.fastbighost.net Hello 066656 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jun 11, 2021 13:21:04.791491032 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 | STARTTLS |
| Jun 11, 2021 13:21:04.868208885 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 | 220 TLS go ahead |
Code Manipulations |
|---|
Statistics |
|---|
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 13:19:01 |
| Start date: | 11/06/2021 |
| Path: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 448961 bytes |
| MD5 hash: | DEB5412F0B0201D045E2007503BBB283 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 13:19:02 |
| Start date: | 11/06/2021 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x980000 |
| File size: | 261728 bytes |
| MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | moderate |
General |
|---|
| Start time: | 13:19:11 |
| Start date: | 11/06/2021 |
| Path: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 448961 bytes |
| MD5 hash: | DEB5412F0B0201D045E2007503BBB283 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 13:19:12 |
| Start date: | 11/06/2021 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1c0000 |
| File size: | 261728 bytes |
| MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | moderate |
General |
|---|
| Start time: | 13:19:19 |
| Start date: | 11/06/2021 |
| Path: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 448961 bytes |
| MD5 hash: | DEB5412F0B0201D045E2007503BBB283 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 13:19:21 |
| Start date: | 11/06/2021 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 261728 bytes |
| MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | moderate |
General |
|---|
| Start time: | 13:19:57 |
| Start date: | 11/06/2021 |
| Path: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x120000 |
| File size: | 261728 bytes |
| MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Antivirus matches: |
|
| Reputation: | moderate |
General |
|---|
| Start time: | 13:19:58 |
| Start date: | 11/06/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff724c50000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 13:20:06 |
| Start date: | 11/06/2021 |
| Path: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xcd0000 |
| File size: | 261728 bytes |
| MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Reputation: | moderate |
General |
|---|
| Start time: | 13:20:06 |
| Start date: | 11/06/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff724c50000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
Disassembly |
|---|
Code Analysis |
|---|