Analysis Report Quote-TSL-1037174_4810.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Agenttesla |
---|
{"Exfil Mode": "SMTP", "SMTP Info": "accounts@buynsell.com.pkTZaQ}N$m+6$vmail.buynsell.com.pkmaria@tradzilanilaw.co.za"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 21 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 13 entries |
Sigma Overview |
---|
Networking: |
---|
Sigma detected: MSBuild connects to smtp port | Show sources |
Source: | Author: Joe Security: |
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for dropped file | Show sources |
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking: |
---|
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Installs a global keyboard hook | Show sources |
Source: | Windows user hook set: |
Source: | Code function: |
Source: | Window created: |
Spam, unwanted Advertisements and Ransom Demands: |
---|
Modifies the hosts file | Show sources |
Source: | File written: | Jump to behavior |
System Summary: |
---|
.NET source code contains very large array initializations | Show sources |
Source: | Large array initialization: | ||
Source: | Large array initialization: | ||
Source: | Large array initialization: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Task registration methods: | ||
Source: | Task registration methods: | ||
Source: | Task registration methods: | ||
Source: | Task registration methods: |
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Code function: |
Source: | Code function: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | Window detected: |
Source: | File opened: |
Source: | Key opened: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Creates multiple autostart registry keys | Show sources |
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior |
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection: |
---|
Hides that the sample has been downloaded from the Internet (zone.identifier) | Show sources |
Source: | File opened: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File opened / queried: |
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: |
Source: | Window / User API: | ||
Source: | Window / User API: | ||
Source: | Window / User API: | ||
Source: | Window / User API: |
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep time: |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Process token adjusted: | ||
Source: | Process token adjusted: | ||
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
.NET source code references suspicious native API functions | Show sources |
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: |
Maps a DLL or memory area into another process | Show sources |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Modifies the hosts file | Show sources |
Source: | File written: | Jump to behavior |
Writes to foreign memory regions | Show sources |
Source: | Memory written: | ||
Source: | Memory written: | ||
Source: | Memory written: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: |
Source: | Code function: |
Source: | Code function: |
Source: | Key value queried: |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
Modifies the hosts file | Show sources |
Source: | File written: | Jump to behavior |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources |
Source: | Key opened: |
Tries to harvest and steal browser information (history, passwords, etc) | Show sources |
Source: | File opened: | ||
Source: | File opened: |
Tries to harvest and steal ftp login credentials | Show sources |
Source: | File opened: | ||
Source: | File opened: |
Tries to steal Mail credentials (via file access) | Show sources |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | Key opened: | ||
Source: | Key opened: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection212 | File and Directory Permissions Modification1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
Default Accounts | Native API11 | Registry Run Keys / Startup Folder11 | Scheduled Task/Job1 | Disable or Modify Tools1 | Input Capture11 | File and Directory Discovery2 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Scheduled Task/Job1 | Logon Script (Windows) | Registry Run Keys / Startup Folder11 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery116 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture11 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Security Software Discovery221 | SSH | Clipboard Data2 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion141 | DCSync | Virtualization/Sandbox Evasion141 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection212 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
14% | Metadefender | Browse | ||
59% | ReversingLabs | Win32.Backdoor.Androm | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
0% | Metadefender | Browse | ||
0% | ReversingLabs | |||
0% | Metadefender | Browse | ||
0% | ReversingLabs | |||
0% | Metadefender | Browse | ||
0% | ReversingLabs | |||
0% | Metadefender | Browse | ||
0% | ReversingLabs | |||
14% | Metadefender | Browse | ||
59% | ReversingLabs | Win32.Backdoor.Androm |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | TR/Spy.Gen8 | Download File | ||
100% | Avira | TR/Patched.Ren.Gen | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | TR/Spy.Gen8 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | HEUR/AGEN.1138205 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
buynsell.com.pk | 194.28.84.37 | true | true | unknown | |
mail.buynsell.com.pk | unknown | unknown | true | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| low | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
194.28.84.37 | buynsell.com.pk | Ukraine | 196645 | HOSTPRO-ASUA | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 433217 |
Start date: | 11.06.2021 |
Start time: | 13:18:18 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 10m 52s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Quote-TSL-1037174_4810.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.spre.troj.adwa.spyw.evad.winEXE@13/18@2/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
13:19:03 | Autostart | |
13:19:11 | Autostart | |
13:19:12 | API Interceptor | |
13:19:14 | API Interceptor | |
13:19:49 | Autostart | |
13:19:57 | Autostart |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
194.28.84.37 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
HOSTPRO-ASUA | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsg8314.tmp\System.dll | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Created / dropped Files |
---|
Process: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
File Type: | |
Category: | modified |
Size (bytes): | 841 |
Entropy (8bit): | 5.356220854328477 |
Encrypted: | false |
SSDEEP: | 24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj |
MD5: | 486580834B084C92AE1F3866166C9C34 |
SHA1: | C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF |
SHA-256: | 65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB |
SHA-512: | 2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 222208 |
Entropy (8bit): | 7.999115710953568 |
Encrypted: | true |
SSDEEP: | 3072:vaBXEtCG5OYajI1w+Z/rT/uh0uZn1k79bG3E6I4Wwu31L676SM98/1ORmcILLQE7:vsmVGCz9uZn6Z6I4YY8mrPLlQGz |
MD5: | C64EDB818138FCBAD02DA4F40AFB504E |
SHA1: | E312998ABA653E46AA64AD17EC06B23C123C363A |
SHA-256: | 10F9B7D302BECDA98408F7A361A7F8DE8ECF2149876D7B2D14C08FD62B7FADB5 |
SHA-512: | F49E83E1DA717D275C85455C797579560F33D1570410BDBD418866F5F6FA8C9C82A6309FE8E06789ABB50F837E5DD4E013205A0FDFA49C57066CE043A8CF0B39 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 62417 |
Entropy (8bit): | 4.988447505730978 |
Encrypted: | false |
SSDEEP: | 1536:INzvOIagVy6DOiz8TlJbvuPt0P63/dXT5KJC2GaNjpmSRGT:INzv3zRDiJCWCvJuC7KjU |
MD5: | D966D7333A785DDFF7B56A403AB8388B |
SHA1: | 130361814DC909C9036E9554B90381265EF37CA7 |
SHA-256: | 32CD0E78D96E6CBF2962685077C0287F5301B5BD788F2F4F4ADAFFF0A05B757E |
SHA-512: | B4369E11DC82B7694A7C3941492145EDDA05CCBB52E766D1B0D2FB66BA46C76FACAAEDB4E15121592C8BC51068F79067D34E53073C044DCEC7A006461FD1037F |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 317921 |
Entropy (8bit): | 7.545162398623952 |
Encrypted: | false |
SSDEEP: | 6144:UXAsmVGCz9uZn6Z6I4YY8mrPLlQGcNzvthxuYKbt:XsGGyoJ6kf8meGcNzvtnuYKp |
MD5: | EBCC27E483829E2E2E519538BDF71B7E |
SHA1: | 81FDE871249D5723415F6A5A0B1F7E83788A70E6 |
SHA-256: | 86D71D31A0037F33C03921ADAA1D9ABC3E849E8BB6DD935B783AE5DED46E4EE4 |
SHA-512: | 51339B61CBA1CE0B0F63FEE6C2AE6EFDFE88FBDEB08898F6816115C7E40B174BBCEEE4BF86C8CDED945EA2BE3A29C1D3AA750721D0ACCD643165C6CC25E78332 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.855045165595541 |
Encrypted: | false |
SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 317921 |
Entropy (8bit): | 7.545162398623952 |
Encrypted: | false |
SSDEEP: | 6144:UXAsmVGCz9uZn6Z6I4YY8mrPLlQGcNzvthxuYKbt:XsGGyoJ6kf8meGcNzvtnuYKp |
MD5: | EBCC27E483829E2E2E519538BDF71B7E |
SHA1: | 81FDE871249D5723415F6A5A0B1F7E83788A70E6 |
SHA-256: | 86D71D31A0037F33C03921ADAA1D9ABC3E849E8BB6DD935B783AE5DED46E4EE4 |
SHA-512: | 51339B61CBA1CE0B0F63FEE6C2AE6EFDFE88FBDEB08898F6816115C7E40B174BBCEEE4BF86C8CDED945EA2BE3A29C1D3AA750721D0ACCD643165C6CC25E78332 |
Malicious: | false |
Preview: |
|
Process: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.855045165595541 |
Encrypted: | false |
SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
Malicious: | false |
Antivirus: |
|
Preview: |
|
Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 317921 |
Entropy (8bit): | 7.545162398623952 |
Encrypted: | false |
SSDEEP: | 6144:UXAsmVGCz9uZn6Z6I4YY8mrPLlQGcNzvthxuYKbt:XsGGyoJ6kf8meGcNzvtnuYKp |
MD5: | EBCC27E483829E2E2E519538BDF71B7E |
SHA1: | 81FDE871249D5723415F6A5A0B1F7E83788A70E6 |
SHA-256: | 86D71D31A0037F33C03921ADAA1D9ABC3E849E8BB6DD935B783AE5DED46E4EE4 |
SHA-512: | 51339B61CBA1CE0B0F63FEE6C2AE6EFDFE88FBDEB08898F6816115C7E40B174BBCEEE4BF86C8CDED945EA2BE3A29C1D3AA750721D0ACCD643165C6CC25E78332 |
Malicious: | false |
Preview: |
|
Process: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.855045165595541 |
Encrypted: | false |
SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
Malicious: | false |
Antivirus: |
|
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 261728 |
Entropy (8bit): | 6.1750840449797675 |
Encrypted: | false |
SSDEEP: | 3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu |
MD5: | D621FD77BD585874F9686D3A76462EF1 |
SHA1: | ABCAE05EE61EE6292003AABD8C80583FA49EDDA2 |
SHA-256: | 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6 |
SHA-512: | 2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C |
Malicious: | true |
Antivirus: |
|
Preview: |
|
Process: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 448961 |
Entropy (8bit): | 6.069011681162613 |
Encrypted: | false |
SSDEEP: | 6144:usUlNPJU0e7dkV3ZLFJVsA2mQ7fGUgYCrQOd:sPJU1763Z7VPw7+Ugfxd |
MD5: | DEB5412F0B0201D045E2007503BBB283 |
SHA1: | 4086C81E9C51DB9E242C604BFA99AD217A45986D |
SHA-256: | C770D9D870614A8A39844CD1F564BB823944F8D4D25F7D68F15B1401FB08E4E9 |
SHA-512: | 9310A18A3602D175DD5235AC464CED734AEB1BC5542BC94B45D1BE1B3D8580FB9ACC8FD3834D27025983B87A54DDAACBED9C923E2A79205BFE0CE0AA09E2CF78 |
Malicious: | true |
Antivirus: |
|
Preview: |
|
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | modified |
Size (bytes): | 11 |
Entropy (8bit): | 2.663532754804255 |
Encrypted: | false |
SSDEEP: | 3:iLE:iLE |
MD5: | B24D295C1F84ECBFB566103374FB91C5 |
SHA1: | 6A750D3F8B45C240637332071D34B403FA1FF55A |
SHA-256: | 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4 |
SHA-512: | 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA |
Malicious: | true |
Preview: |
|
Process: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 298 |
Entropy (8bit): | 4.943030742860529 |
Encrypted: | false |
SSDEEP: | 6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+ |
MD5: | 6A9888952541A41F033EB114C24DC902 |
SHA1: | 41903D7C8F31013C44572E09D97B9AAFBBCE77E6 |
SHA-256: | 41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE |
SHA-512: | E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.069011681162613 |
TrID: |
|
File name: | Quote-TSL-1037174_4810.exe |
File size: | 448961 |
MD5: | deb5412f0b0201d045e2007503bbb283 |
SHA1: | 4086c81e9c51db9e242c604bfa99ad217a45986d |
SHA256: | c770d9d870614a8a39844cd1f564bb823944f8d4d25f7d68f15b1401fb08e4e9 |
SHA512: | 9310a18a3602d175dd5235ac464ced734aeb1bc5542bc94b45d1be1b3d8580fb9acc8fd3834d27025983b87a54ddaacbed9c923e2a79205bfe0ce0aa09e2cf78 |
SSDEEP: | 6144:usUlNPJU0e7dkV3ZLFJVsA2mQ7fGUgYCrQOd:sPJU1763Z7VPw7+Ugfxd |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\......... |
File Icon |
---|
Icon Hash: | 0000000000000000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40323c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 099c0646ea7282d232219f8807883be0 |
Entrypoint Preview |
---|
Instruction |
---|
sub esp, 00000180h |
push ebx |
push ebp |
push esi |
xor ebx, ebx |
push edi |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409130h |
xor esi, esi |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [00407030h] |
push 00008001h |
call dword ptr [004070B4h] |
push ebx |
call dword ptr [0040727Ch] |
push 00000008h |
mov dword ptr [00423F58h], eax |
call 00007FBB987DD88Eh |
mov dword ptr [00423EA4h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 00000160h |
push eax |
push ebx |
push 0041F458h |
call dword ptr [00407158h] |
push 004091B8h |
push 004236A0h |
call 00007FBB987DD541h |
call dword ptr [004070B0h] |
mov edi, 00429000h |
push eax |
push edi |
call 00007FBB987DD52Fh |
push ebx |
call dword ptr [0040710Ch] |
cmp byte ptr [00429000h], 00000022h |
mov dword ptr [00423EA0h], eax |
mov eax, edi |
jne 00007FBB987DAC8Ch |
mov byte ptr [esp+14h], 00000022h |
mov eax, 00429001h |
push dword ptr [esp+14h] |
push eax |
call 00007FBB987DD022h |
push eax |
call dword ptr [0040721Ch] |
mov dword ptr [esp+1Ch], eax |
jmp 00007FBB987DACE5h |
cmp cl, 00000020h |
jne 00007FBB987DAC88h |
inc eax |
cmp byte ptr [eax], 00000020h |
je 00007FBB987DAC7Ch |
cmp byte ptr [eax], 00000022h |
mov byte ptr [eax+eax+00h], 00000000h |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x28e70 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x2c000 | 0x28e70 | 0x29000 | False | 0.0739269721799 | data | 0.988562741976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x2c310 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x3cb38 | 0x94a8 | data | English | United States |
RT_ICON | 0x45fe0 | 0x5488 | data | English | United States |
RT_ICON | 0x4b468 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294965503, next used block 4280287231 | English | United States |
RT_ICON | 0x4f690 | 0x25a8 | data | English | United States |
RT_ICON | 0x51c38 | 0x10a8 | data | English | United States |
RT_ICON | 0x52ce0 | 0xdc8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x53aa8 | 0x988 | data | English | United States |
RT_ICON | 0x54430 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0x54898 | 0x100 | data | English | United States |
RT_DIALOG | 0x54998 | 0x11c | data | English | United States |
RT_DIALOG | 0x54ab8 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x54b18 | 0x84 | data | English | United States |
RT_MANIFEST | 0x54ba0 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA |
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 13:21:04.454927921 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:04.528718948 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:04.528865099 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:04.716147900 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:04.716617107 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:04.790772915 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:04.791491032 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:04.868208885 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:04.915411949 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:04.938837051 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.026505947 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.026534081 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.026546001 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.026560068 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.026655912 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.026715994 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.032466888 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.043819904 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.118057013 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.165466070 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.430200100 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.504817963 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.506795883 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.581099033 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.583034992 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.662856102 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.664150953 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.738085985 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.738545895 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.849030018 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.849663973 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.923571110 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.925147057 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.925338984 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.926058054 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.926398039 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
Jun 11, 2021 13:21:05.999243975 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.999295950 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:05.999651909 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:06.000081062 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:06.005424976 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 |
Jun 11, 2021 13:21:06.056117058 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 13:18:55.702606916 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:18:55.753992081 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:18:56.664014101 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:18:56.717088938 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:18:57.796488047 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:18:57.847105026 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:18:59.114075899 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:18:59.167464018 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:00.006516933 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:00.059524059 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:01.478553057 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:01.529217958 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:02.276595116 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:02.327080011 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:03.767395020 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:03.825901985 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:04.950159073 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:05.000334978 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:06.167848110 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:06.218069077 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:07.657063961 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:07.711707115 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:09.470839024 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:09.522155046 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:11.051964998 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:11.102130890 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:12.425761938 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:12.476281881 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:13.363559961 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:13.413616896 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:14.357387066 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:14.407419920 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:15.631155014 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:15.681289911 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:16.423212051 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:16.476000071 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:18.661943913 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:18.712230921 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:26.758990049 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:26.828430891 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:43.680207014 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:43.818207026 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:44.414587021 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:44.476222992 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:44.631582022 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:44.707420111 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:45.062336922 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:45.126400948 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:45.606440067 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:45.759912014 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:46.322932959 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:46.385080099 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:46.977027893 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:47.041770935 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:47.529011965 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:47.590732098 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:48.420711994 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:48.482470036 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:49.372217894 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:49.434217930 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:49.993207932 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:50.043271065 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:19:50.986712933 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:19:51.049527884 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:20:01.154119015 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:20:01.214184999 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:20:01.389753103 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:20:01.448281050 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:20:03.952881098 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:20:04.014728069 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:20:35.171495914 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:20:35.240530968 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:20:36.984265089 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:20:37.034384966 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:21:04.146356106 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:21:04.207077026 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 13:21:04.229811907 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 13:21:04.319475889 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 11, 2021 13:21:04.146356106 CEST | 192.168.2.4 | 8.8.8.8 | 0x1834 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jun 11, 2021 13:21:04.229811907 CEST | 192.168.2.4 | 8.8.8.8 | 0xc471 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 11, 2021 13:21:04.207077026 CEST | 8.8.8.8 | 192.168.2.4 | 0x1834 | No error (0) | buynsell.com.pk | CNAME (Canonical name) | IN (0x0001) | ||
Jun 11, 2021 13:21:04.207077026 CEST | 8.8.8.8 | 192.168.2.4 | 0x1834 | No error (0) | 194.28.84.37 | A (IP address) | IN (0x0001) | ||
Jun 11, 2021 13:21:04.319475889 CEST | 8.8.8.8 | 192.168.2.4 | 0xc471 | No error (0) | buynsell.com.pk | CNAME (Canonical name) | IN (0x0001) | ||
Jun 11, 2021 13:21:04.319475889 CEST | 8.8.8.8 | 192.168.2.4 | 0xc471 | No error (0) | 194.28.84.37 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jun 11, 2021 13:21:04.716147900 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 | 220-iron.fastbighost.net ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 14:21:04 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jun 11, 2021 13:21:04.716617107 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 | EHLO 066656 |
Jun 11, 2021 13:21:04.790772915 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 | 250-iron.fastbighost.net Hello 066656 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Jun 11, 2021 13:21:04.791491032 CEST | 49770 | 587 | 192.168.2.4 | 194.28.84.37 | STARTTLS |
Jun 11, 2021 13:21:04.868208885 CEST | 587 | 49770 | 194.28.84.37 | 192.168.2.4 | 220 TLS go ahead |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 13:19:01 |
Start date: | 11/06/2021 |
Path: | C:\Users\user\Desktop\Quote-TSL-1037174_4810.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 448961 bytes |
MD5 hash: | DEB5412F0B0201D045E2007503BBB283 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 13:19:02 |
Start date: | 11/06/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x980000 |
File size: | 261728 bytes |
MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 13:19:11 |
Start date: | 11/06/2021 |
Path: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 448961 bytes |
MD5 hash: | DEB5412F0B0201D045E2007503BBB283 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Antivirus matches: |
|
Reputation: | low |
General |
---|
Start time: | 13:19:12 |
Start date: | 11/06/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1c0000 |
File size: | 261728 bytes |
MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 13:19:19 |
Start date: | 11/06/2021 |
Path: | C:\Users\user\AppData\Roaming\bnqw\amve.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 448961 bytes |
MD5 hash: | DEB5412F0B0201D045E2007503BBB283 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 13:19:21 |
Start date: | 11/06/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 261728 bytes |
MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 13:19:57 |
Start date: | 11/06/2021 |
Path: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x120000 |
File size: | 261728 bytes |
MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Antivirus matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 13:19:58 |
Start date: | 11/06/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff724c50000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:20:06 |
Start date: | 11/06/2021 |
Path: | C:\Users\user\AppData\Roaming\NewApp\NewApp.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcd0000 |
File size: | 261728 bytes |
MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | moderate |
General |
---|
Start time: | 13:20:06 |
Start date: | 11/06/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff724c50000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|