Windows Analysis Report S5ol5p3Ywd
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Malware Configuration |
---|
Threatname: | Agenttesla |
Extracted configuration: | {"Exfil Mode": "SMTP", "Username": "vehicle@ccsp-india.com", "Password": "Lkp$CcsP1008", "Host": "smtp.ccsp-india.com"} |
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
Sigma Overview |
---|
Networking: |
---|
Sigma detected: MSBuild connects to smtp port | Author: Joe Security |
Jbx Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Source: Avira |
Found malware configuration | Source: Malware Configuration Extractor |
Multi AV Scanner detection for submitted file | Source: ReversingLabs |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Source: Snort IDS |
Malware Analysis System Evasion: |
---|
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Source: WMI Queries |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Source: WMI Queries |
HIPS / PFW / Operating System Protection Evasion: |
---|
Maps a DLL or memory area into another process | Source: Section loaded |
Writes to foreign memory regions | Source: Memory written |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla | Source: File source (5 entries) |
Yara detected AgentTesla | Source: File source (7 entries) |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Source: Key opened |
Tries to harvest and steal browser information (history, passwords, etc) | Source: File opened (3 entries) |
Tries to harvest and steal ftp login credentials | Source: File opened (2 entries) |
Tries to steal Mail credentials (via file access) | Source: File opened (2 entries), Key opened (2 entries) |
Remote Access Functionality: |
---|
Yara detected AgentTesla | Source: File source (5 entries) |
Yara detected AgentTesla | Source: File source (7 entries) |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection212 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Input Capture1 | Security Software Discovery111 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Credentials in Registry1 | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | Virtualization/Sandbox Evasion131 | Distributed Component Object Model | Data from Local System2 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 39% | ReversingLabs | Win32.Trojan.Razy | |
| 100% | Avira | TR/Crypt.ZPACK.Gen | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1138205 | |
| 100% | Avira | TR/Patched.Ren.Gen | |
| 100% | Avira | TR/Crypt.ZPACK.Gen | |
| 100% | Avira | TR/Crypt.ZPACK.Gen | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
17 URLs checked, all rated safe (0% detection) by Avira URL Cloud or URL Reputation |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
smtp.ccsp-india.com.netsolmail.net | 206.188.198.65 | true | false | | high |
smtp.ccsp-india.com | unknown | unknown | true | | unknown |
URLs from Memory and Binaries |
---|
10 URLs, none flagged malicious; reputation low (3), high (1) or unknown (6) |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
206.188.198.65 | smtp.ccsp-india.com.netsolmail.net | United States | 55002 | DEFENSE-NETUS | false |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 452689 |
Start date: | 22.07.2021 |
Start time: | 18:07:46 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 50s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | S5ol5p3Ywd (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.spre.troj.spyw.evad.winEXE@3/1@4/1 |
EGA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
18:08:58 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Context |
---|---|
206.188.198.65 | 8 associated samples, all detected as malicious |
Domains |
---|
Match | Context |
---|---|
smtp.ccsp-india.com.netsolmail.net | 7 associated samples, all detected as malicious |
ASN |
---|
Match | Context |
---|---|
DEFENSE-NETUS | 20 associated samples, all detected as malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 20480 |
Entropy (8bit): | 0.6970840431455908 |
Encrypted: | false |
SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 |
MD5: | 00681D89EDDB6AD25E6F4BD2E66C61C6 |
SHA1: | 14B2FBFB460816155190377BBC66AB5D2A15F7AB |
SHA-256: | 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 |
SHA-512: | 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 |
Malicious: | false |
Reputation: | high, very likely benign file |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.423524571065457 |
File name: | S5ol5p3Ywd.exe |
File size: | 396842 |
MD5: | 29e9ad8d44e49d2a2fa76ab14d6881cc |
SHA1: | bdc37994f00f36ce6c20261f395a25cb6f142267 |
SHA256: | 8bf2c9097f211f15879c233eacd3c5b6e767d768c5941765d986ab61ba877341 |
SHA512: | 3efc9b48804a7d978fd00385c5adf4135f3f699507ac6e3621e9eaf3cdbe75973c34f67778baca5ab31d3133ca782ba0b44c222bcba5b2249361901d4e18cbb6 |
SSDEEP: | 6144:kUdGmTN22PVgsSvSe5BGdHjhk6tvQBWsx9kVa11v2yAUl64mUulBbcUXZVpB3T:JT742tkoQZTp2yLnulmy7pB3T |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.t.Lb'.Lb'.Lb'.4.'.Lb'.Lc'.Lb'.4.'.Lb'.4.'.Lb'.4.'.Lb'Rich.Lb'........PE..L....W.`.....................................0....@ |
File Icon |
---|
Icon Hash: | f0f2f8f8e0f9b0e0 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401000 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x60F95795 [Thu Jul 22 11:33:41 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 63b0867460dd31e465a337a5e3e003e6 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 00000670h |
mov byte ptr [ebp-00000288h], FFFFFFE9h |
mov byte ptr [ebp-00000287h], FFFFFF90h |
mov byte ptr [ebp-00000286h], 00000000h |
mov byte ptr [ebp-00000285h], 00000000h |
mov byte ptr [ebp-00000284h], 00000000h |
mov byte ptr [ebp-00000283h], 00000055h |
mov byte ptr [ebp-00000282h], FFFFFF8Bh |
mov byte ptr [ebp-00000281h], FFFFFFECh |
mov byte ptr [ebp-00000280h], 00000056h |
mov byte ptr [ebp-0000027Fh], FFFFFF8Bh |
mov byte ptr [ebp-0000027Eh], 00000075h |
mov byte ptr [ebp-0000027Dh], 00000008h |
mov byte ptr [ebp-0000027Ch], FFFFFFBAh |
mov byte ptr [ebp-0000027Bh], 0000001Bh |
mov byte ptr [ebp-0000027Ah], 0000000Eh |
mov byte ptr [ebp-00000279h], 00000000h |
mov byte ptr [ebp-00000278h], 00000000h |
mov byte ptr [ebp-00000277h], 00000057h |
mov byte ptr [ebp-00000276h], FFFFFFEBh |
mov byte ptr [ebp-00000275h], 0000000Eh |
mov byte ptr [ebp-00000274h], FFFFFF8Bh |
mov byte ptr [ebp-00000273h], FFFFFFCAh |
mov byte ptr [ebp-00000272h], FFFFFFD1h |
mov byte ptr [ebp-00000271h], FFFFFFE8h |
mov byte ptr [ebp-00000270h], FFFFFFC1h |
mov byte ptr [ebp-0000026Fh], FFFFFFE1h |
mov byte ptr [ebp-0000026Eh], 00000007h |
mov byte ptr [ebp+00000000h], 00000000h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3070 | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x27a28 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x10d8 | 0x1200 | False | 0.474175347222 | data | 4.70070274292 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x234 | 0x400 | False | 0.3125 | data | 2.64202346139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x4000 | 0x27a28 | 0x27c00 | False | 0.481156643082 | data | 6.11102695818 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x4268 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x14a90 | 0x94a8 | data | English | United States |
RT_ICON | 0x1df38 | 0x5488 | data | English | United States |
RT_ICON | 0x233c0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 248, next used block 520093696 | English | United States |
RT_ICON | 0x275e8 | 0x25a8 | data | English | United States |
RT_ICON | 0x29b90 | 0x10a8 | data | English | United States |
RT_ICON | 0x2ac38 | 0x988 | data | English | United States |
RT_ICON | 0x2b5c0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_GROUP_ICON | 0x41f0 | 0x76 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
USER32.dll | GetDC, GrayStringA |
OLEAUT32.dll | VarCyFromI4, VARIANT_UserSize, DispGetIDsOfNames, VariantChangeTypeEx, VarI4FromI1, SafeArrayGetElement, VarDecFromUI1, VarR8FromI4, VarDiv |
WINSPOOL.DRV | ConnectToPrinterDlg, AddPortW, DeleteFormW, EnumPrintProcessorDatatypesA |
dbghelp.dll | MakeSureDirectoryPathExists, SymGetLineFromAddr64 |
WS2_32.dll | WSAAsyncGetProtoByNumber, htons, WSACleanup, getprotobynumber, ntohs |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/22/21-18:10:30.312323 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49749 | 587 | 192.168.2.3 | 206.188.198.65 |
07/22/21-18:10:34.539225 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49751 | 587 | 192.168.2.3 | 206.188.198.65 |
TCP Packets |
---|
61 TCP packets on two connections from 192.168.2.3 (source ports 49749 and 49751) to 206.188.198.65 port 587, Jul 22, 2021 18:10:29 to 18:10:34 CEST; the two Snort alerts above (18:10:30.31 and 18:10:34.54) fall inside these connections |
UDP Packets |
---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jul 22, 2021 18:10:28.632456064 CEST | 192.168.2.3 | 8.8.8.8 | 0x95ba | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 22, 2021 18:10:28.939475060 CEST | 192.168.2.3 | 8.8.8.8 | 0xd8ea | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 22, 2021 18:10:32.675518990 CEST | 192.168.2.3 | 8.8.8.8 | 0xa64 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jul 22, 2021 18:10:33.249434948 CEST | 192.168.2.3 | 8.8.8.8 | 0x5ef2 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jul 22, 2021 18:10:28.915991068 CEST | 8.8.8.8 | 192.168.2.3 | 0x95ba | No error (0) | | smtp.ccsp-india.com.netsolmail.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 22, 2021 18:10:28.915991068 CEST | 8.8.8.8 | 192.168.2.3 | 0x95ba | No error (0) | | | 206.188.198.65 | A (IP address) | IN (0x0001) |
Jul 22, 2021 18:10:29.001329899 CEST | 8.8.8.8 | 192.168.2.3 | 0xd8ea | No error (0) | | smtp.ccsp-india.com.netsolmail.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 22, 2021 18:10:29.001329899 CEST | 8.8.8.8 | 192.168.2.3 | 0xd8ea | No error (0) | | | 206.188.198.65 | A (IP address) | IN (0x0001) |
Jul 22, 2021 18:10:32.949801922 CEST | 8.8.8.8 | 192.168.2.3 | 0xa64 | No error (0) | | smtp.ccsp-india.com.netsolmail.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 22, 2021 18:10:32.949801922 CEST | 8.8.8.8 | 192.168.2.3 | 0xa64 | No error (0) | | | 206.188.198.65 | A (IP address) | IN (0x0001) |
Jul 22, 2021 18:10:33.309463978 CEST | 8.8.8.8 | 192.168.2.3 | 0x5ef2 | No error (0) | | smtp.ccsp-india.com.netsolmail.net | | CNAME (Canonical name) | IN (0x0001) |
Jul 22, 2021 18:10:33.309463978 CEST | 8.8.8.8 | 192.168.2.3 | 0x5ef2 | No error (0) | | | 206.188.198.65 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jul 22, 2021 18:10:29.393724918 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 220 mailpod.hostingplatform.com ESMTP |
Jul 22, 2021 18:10:29.395386934 CEST | 49749 | 587 | 192.168.2.3 | 206.188.198.65 | EHLO 284992 |
Jul 22, 2021 18:10:29.541187048 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 250-mailpod.hostingplatform.com 250-STARTTLS 250-PIPELINING 250-8BITMIME 250-SIZE 65000000 250 AUTH LOGIN PLAIN CRAM-MD5 |
Jul 22, 2021 18:10:29.542845011 CEST | 49749 | 587 | 192.168.2.3 | 206.188.198.65 | AUTH login dmVoaWNsZUBjY3NwLWluZGlhLmNvbQ== |
Jul 22, 2021 18:10:29.688291073 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Jul 22, 2021 18:10:29.865175009 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 235 ok, go ahead (#2.0.0) |
Jul 22, 2021 18:10:29.868025064 CEST | 49749 | 587 | 192.168.2.3 | 206.188.198.65 | MAIL FROM:<vehicle@ccsp-india.com> |
Jul 22, 2021 18:10:30.013956070 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 250 ok |
Jul 22, 2021 18:10:30.015482903 CEST | 49749 | 587 | 192.168.2.3 | 206.188.198.65 | RCPT TO:<text@dividekings.com> |
Jul 22, 2021 18:10:30.163815022 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 250 ok |
Jul 22, 2021 18:10:30.164330959 CEST | 49749 | 587 | 192.168.2.3 | 206.188.198.65 | DATA |
Jul 22, 2021 18:10:30.310708046 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 354 go ahead |
Jul 22, 2021 18:10:30.312891960 CEST | 49749 | 587 | 192.168.2.3 | 206.188.198.65 | . |
Jul 22, 2021 18:10:30.587764025 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 250 ok 1626970230 qp 40355 |
Jul 22, 2021 18:10:31.954263926 CEST | 49749 | 587 | 192.168.2.3 | 206.188.198.65 | QUIT |
Jul 22, 2021 18:10:32.100791931 CEST | 587 | 49749 | 206.188.198.65 | 192.168.2.3 | 221 mailpod.hostingplatform.com |
Jul 22, 2021 18:10:33.615350008 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 220 mailpod.hostingplatform.com ESMTP |
Jul 22, 2021 18:10:33.619690895 CEST | 49751 | 587 | 192.168.2.3 | 206.188.198.65 | EHLO 284992 |
Jul 22, 2021 18:10:33.768794060 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 250-mailpod.hostingplatform.com 250-STARTTLS 250-PIPELINING 250-8BITMIME 250-SIZE 65000000 250 AUTH LOGIN PLAIN CRAM-MD5 |
Jul 22, 2021 18:10:33.769200087 CEST | 49751 | 587 | 192.168.2.3 | 206.188.198.65 | AUTH login dmVoaWNsZUBjY3NwLWluZGlhLmNvbQ== |
Jul 22, 2021 18:10:33.917810917 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Jul 22, 2021 18:10:34.088537931 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 235 ok, go ahead (#2.0.0) |
Jul 22, 2021 18:10:34.089003086 CEST | 49751 | 587 | 192.168.2.3 | 206.188.198.65 | MAIL FROM:<vehicle@ccsp-india.com> |
Jul 22, 2021 18:10:34.237868071 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 250 ok |
Jul 22, 2021 18:10:34.238291025 CEST | 49751 | 587 | 192.168.2.3 | 206.188.198.65 | RCPT TO:<text@dividekings.com> |
Jul 22, 2021 18:10:34.387082100 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 250 ok |
Jul 22, 2021 18:10:34.388519049 CEST | 49751 | 587 | 192.168.2.3 | 206.188.198.65 | DATA |
Jul 22, 2021 18:10:34.537503004 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 354 go ahead |
Jul 22, 2021 18:10:34.539856911 CEST | 49751 | 587 | 192.168.2.3 | 206.188.198.65 | . |
Jul 22, 2021 18:10:34.815499067 CEST | 587 | 49751 | 206.188.198.65 | 192.168.2.3 | 250 ok 1626970234 qp 40596 |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:08:40 |
Start date: | 22/07/2021 |
Path: | C:\Users\user\Desktop\S5ol5p3Ywd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 396842 bytes |
MD5 hash: | 29E9AD8D44E49D2A2FA76AB14D6881CC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 18:08:40 |
Start date: | 22/07/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1a0000 |
File size: | 261728 bytes |
MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code Quality |
---|---|---|---|---|---|---|
00401000 | 357.7 | 2 | 202 | 663 | COMMON | 100% |
02210ECE | 9.3 | 4 | 1 | 591 | processthread COMMON | |
02210AB5 | 1.6 | 1 | | 101 | COMMON | |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
022108EE | .1 | | | 61 | COMMON |
022109DE | .0 | | | 26 | COMMON |
02210A1C | .0 | | | 23 | COMMON |
0221099F | .0 | | | 7 | COMMON |
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0087DA28 | 9.2 | 1 | 4 | 400 | library COMMON |
00881FE0 | 4.3 | | 3 | 515 | COMMON |
00A60145 | 3.9 | | | 3920 | COMMON |
00870B7F | 2.0 | | | 1973 | COMMON |
00873614 | 1.9 | | 1 | 664 | COMMON |
00879990 | 1.8 | | 1 | 576 | COMMON |
0088E298 | 1.4 | | | 1391 | COMMON |
0088AB78 | 1.0 | | | 973 | COMMON |
00876095 | .9 | | | 929 | COMMON |
00882D50 | .9 | | | 882 | COMMON |
00B43834 | .8 | | | 753 | COMMON |
00A6D690 | .7 | | | 717 | COMMON |
00A64B80 | .6 | | | 602 | COMMON |
00872E88 | .6 | | | 577 | COMMON |
00879320 | .5 | | | 498 | COMMON |
00882618 | .4 | | | 441 | COMMON |
00A69078 | .4 | | | 402 | COMMON |
00A69DE0 | .4 | | | 391 | COMMON |
00A68C60 | .3 | | | 271 | COMMON |
0087E478 | 1.6 | 1 | | 129 | COMMON |
0087E5DF | 1.6 | 1 | | 68 | COMMON |
00B4F711 | 1.5 | 1 | | 29 | com COMMON |
008ED53C | .1 | | | 75 | COMMON |
008FD01C | .1 | | | 72 | COMMON |
008ED537 | .1 | | | 56 | COMMON |
008FD017 | .1 | | | 53 | COMMON |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00888FF8 | 2.2 | | 1 | 975 | COMMON |
00A653C8 | 1.8 | | | 1755 | COMMON |
0088BDE1 | 1.6 | | 1 | 369 | COMMON |
0087E848 | 1.6 | | 1 | 336 | COMMON |
00A652D0 | .9 | | | 945 | COMMON |