Play interactive tour

Edit tour

Windows Analysis Report TMB1fxNaqR

Overview

General Information

Sample Name:	TMB1fxNaqR (renamed file extension from none to exe)
Analysis ID:	458974
MD5:	a92922a71a9bf58cc2d95a6039c9a1b6
SHA1:	f419ba1e6da5dfc295857598e44b0a4eb0b3ecfc
SHA256:	213ea943865069cf1210a58860c619a8fa8928258abe8919fee8180feafea547
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Creates processes via WMI

Contains functionality to dynamically determine API calls

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

TMB1fxNaqR.exe (PID: 1740 cmdline: 'C:\Users\user\Desktop\TMB1fxNaqR.exe' MD5: A92922A71A9BF58CC2D95A6039C9A1B6)

conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

TMB1fxNaqR.exe (PID: 4704 cmdline: 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a MD5: A92922A71A9BF58CC2D95A6039C9A1B6)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: google.vrthcobj.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\sqlite.dll

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: TMB1fxNaqR.exe	Virustotal: Detection: 44%			Perma Link
Source: TMB1fxNaqR.exe	ReversingLabs: Detection: 59%

Source: TMB1fxNaqR.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:58824 -> 34.97.69.225:53

Source: Joe Sandbox View

IP Address: 172.67.146.70 172.67.146.70

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: a.goatgame.co

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2

Source: TMB1fxNaqR.exe, 00000000.00000002.199960320.000000000075A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004048FD

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD

Source: TMB1fxNaqR.exe, 00000000.00000002.200008451.00000000020F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000000.197015002.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215054840.00000000021B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.214734311.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215069964.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215033311.0000000002110000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215017751.0000000002100000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215012630.00000000020F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe

Source: TMB1fxNaqR.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.winEXE@5/2@3/1

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_01

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dat

Jump to behavior

Source: TMB1fxNaqR.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: TMB1fxNaqR.exe	Virustotal: Detection: 44%
Source: TMB1fxNaqR.exe	ReversingLabs: Detection: 59%

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File read: C:\Users\user\Desktop\TMB1fxNaqR.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe'
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004065A0 push eax; ret

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 3148	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 5076	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Code function: 0_2_004053C0 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Code function: 0_2_004053D2 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_0040268E EntryPoint,GetVersion,GetCommandLineA,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TMB1fxNaqR.exe	45%	Virustotal		Browse
TMB1fxNaqR.exe	59%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	14%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
google.vrthcobj.com	8%	Virustotal		Browse
a.goatgame.co	2%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.vrthcobj.com	34.97.69.225	true	true	8%, Virustotal, Browse	unknown
a.goatgame.co	172.67.146.70	true	false	2%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.146.70	a.goatgame.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458974
Start date:	03.08.2021
Start time:	23:37:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	TMB1fxNaqR (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.winEXE@5/2@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 93.6%) Quality average: 79.3% Quality standard deviation: 28.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, rundll32.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.209.183, 20.189.173.20, 23.211.6.115, 104.43.193.48, 52.255.188.83 Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, onedsblobprdwus15.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:38:09	API Interceptor	4x Sleep call for process: TMB1fxNaqR.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.146.70	LRios3pM39.exe	Get hash	malicious	Browse
	85d8c.exe	Get hash	malicious	Browse
	QfVER41Fwx.exe	Get hash	malicious	Browse
	O3h9kRdG7d.exe	Get hash	malicious	Browse
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse
	U7HCBc2SVy.exe	Get hash	malicious	Browse
	76xAf6BYg8.exe	Get hash	malicious	Browse
	E4lwAiXNCE.exe	Get hash	malicious	Browse
	pLF8TJmHlD.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
google.vrthcobj.com	LRios3pM39.exe	Get hash	malicious	Browse	34.97.69.225
	85d8c.exe	Get hash	malicious	Browse	34.97.69.225
	QfVER41Fwx.exe	Get hash	malicious	Browse	34.97.69.225
	93ejLcdBh5.exe	Get hash	malicious	Browse	34.97.69.225
	k2VFD3gNGE.exe	Get hash	malicious	Browse	34.97.69.225
	MIN56KgzBN.exe	Get hash	malicious	Browse	34.97.69.225
	U7HCBc2SVy.exe	Get hash	malicious	Browse	34.97.69.225
	TIoFSlDlv6.exe	Get hash	malicious	Browse	34.97.69.225
	76xAf6BYg8.exe	Get hash	malicious	Browse	34.97.69.225
	E4lwAiXNCE.exe	Get hash	malicious	Browse	34.97.69.225
	pLF8TJmHlD.exe	Get hash	malicious	Browse	34.97.69.225
	sonia_6.exe	Get hash	malicious	Browse	34.97.69.225
	5H4iRfY1ek.exe	Get hash	malicious	Browse	34.97.69.225
	Copy.exe	Get hash	malicious	Browse	34.97.69.225
	pMVkvSyeIy.exe	Get hash	malicious	Browse	34.97.69.225
	w7pR0EOMwd.exe	Get hash	malicious	Browse	34.97.69.225
	BoLQVCmIZB.exe	Get hash	malicious	Browse	34.97.69.225
	DhWFvSKvSb.exe	Get hash	malicious	Browse	34.97.69.225
	U2HHCJvDj4.exe	Get hash	malicious	Browse	34.97.69.225
	CLnraL1yNc.exe	Get hash	malicious	Browse	34.97.69.225
a.goatgame.co	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	85d8c.exe	Get hash	malicious	Browse	104.21.79.144
	85d8c.exe	Get hash	malicious	Browse	172.67.146.70
	QfVER41Fwx.exe	Get hash	malicious	Browse	172.67.146.70
	O3h9kRdG7d.exe	Get hash	malicious	Browse	172.67.146.70
	puzlXYxqKK.exe	Get hash	malicious	Browse	104.21.79.144
	k2VFD3gNGE.exe	Get hash	malicious	Browse	104.21.79.144
	MIN56KgzBN.exe	Get hash	malicious	Browse	104.21.79.144
	U7HCBc2SVy.exe	Get hash	malicious	Browse	172.67.146.70
	TIoFSlDlv6.exe	Get hash	malicious	Browse	104.21.79.144
	76xAf6BYg8.exe	Get hash	malicious	Browse	172.67.146.70
	E4lwAiXNCE.exe	Get hash	malicious	Browse	172.67.146.70
	pLF8TJmHlD.exe	Get hash	malicious	Browse	172.67.146.70
	sonia_6.exe	Get hash	malicious	Browse	104.21.79.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	State Settlement Copy.html	Get hash	malicious	Browse	172.67.75.3
	Request Quotation.exe	Get hash	malicious	Browse	172.67.188.154
	invoice.vbs	Get hash	malicious	Browse	162.159.130.233
	kKZZ0J8y0c.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 29.exe	Get hash	malicious	Browse	104.21.19.200
	ATT80307.HTM	Get hash	malicious	Browse	104.16.19.94
	2C.TA9.HTML	Get hash	malicious	Browse	104.18.11.207
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	172.67.145.176
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	172.67.188.154
	sbcss_Richard.DeNava_#inv0549387TWQYqzTPaYeqvaYMnpdIfJAwwzbguzauViQVRRplvOktNmAire.HTM	Get hash	malicious	Browse	104.16.18.94
	Fake.HTM	Get hash	malicious	Browse	104.16.19.94
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	172.67.188.154
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41
	#Ud83d#Udda8rocket.com 7335931#Ufffd90-queue-1675.htm	Get hash	malicious	Browse	104.16.19.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	24um7vU1BD.exe	Get hash	malicious	Browse	172.67.146.70
	JQ2bNBDOcO.exe	Get hash	malicious	Browse	172.67.146.70
	Dpwipnj1gx.exe	Get hash	malicious	Browse	172.67.146.70
	19G1ZLyqr2.exe	Get hash	malicious	Browse	172.67.146.70
	ULylDR5F36.exe	Get hash	malicious	Browse	172.67.146.70
	SecuriteInfo.com.W32.AIDetect.malware2.26285.exe	Get hash	malicious	Browse	172.67.146.70
	banload.msi	Get hash	malicious	Browse	172.67.146.70
	yQShMhZ7Hi.exe	Get hash	malicious	Browse	172.67.146.70
	zW4oE2ASRB.exe	Get hash	malicious	Browse	172.67.146.70
	run.exe	Get hash	malicious	Browse	172.67.146.70
	RNrtE1qOSL.exe	Get hash	malicious	Browse	172.67.146.70
	hDJzf1oo7U.exe	Get hash	malicious	Browse	172.67.146.70
	hpDcwMoScr.exe	Get hash	malicious	Browse	172.67.146.70
	JGJtVyC9dr.exe	Get hash	malicious	Browse	172.67.146.70
	QqcQ1EteWS.exe	Get hash	malicious	Browse	172.67.146.70
	Ya50avl5OT.exe	Get hash	malicious	Browse	172.67.146.70
	8xCetBLoAt.exe	Get hash	malicious	Browse	172.67.146.70
	7xt9iOfzN2.exe	Get hash	malicious	Browse	172.67.146.70
	5mTnLT28B7.exe	Get hash	malicious	Browse	172.67.146.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	LRios3pM39.exe	Get hash	malicious	Browse
	CyLELjM5zk.exe	Get hash	malicious	Browse
	setup_x86_x64_install.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\sqlite.dat Download File
Process:	C:\Users\user\Desktop\TMB1fxNaqR.exe
File Type:	data
Category:	dropped
Size (bytes):	578669
Entropy (8bit):	7.965453587440716
Encrypted:	false
SSDEEP:	12288:C11ticqWIMMXa2ad3KNjZi+VUYgokNxcg8aVg1gKtY7SQgCO:ePeBaRKNjoklalbVygKtY7xgd
MD5:	C78BF51EE294161707A6766E71CEE582
SHA1:	3BB4FF0B06FC5B3753AB39F21E959895834BF7F8
SHA-256:	BE449F187EC6EE4C4FA40642E698FFA3BFA19EC08848F4E0273B70427A1F1FC2
SHA-512:	B2D7D6D8C12B0DBDD677BC8ACD764AB0687E976268E46F461B98C5CF941197785B5D5718D2E3A734EAE49B0D358064EE23D9AAE217AF5F98DA5252A8A11D531D
Malicious:	false
Reputation:	low
Preview:	.<..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V...)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..jj.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2\|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i\|..y.Q'....k...}FT.X.jY..Y....o......y..=\|6..%..z/........s....>.j.-s.k../.:..........>\|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...\|/h..jfDX.S...`&...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^.......aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./

C:\Users\user\AppData\Local\Temp\sqlite.dll Download File
Process:	C:\Users\user\Desktop\TMB1fxNaqR.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	6.295064838876099
Encrypted:	false
SSDEEP:	1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8//
MD5:	05250AA12AD3C6A86DAB6DAB708D17FF
SHA1:	E41AD72C9A43070BB11FD7411800F71DDDF6BDD8
SHA-256:	7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
SHA-512:	A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 15%
Joe Sandbox View:	Filename: LRios3pM39.exe, Detection: malicious, Browse Filename: CyLELjM5zk.exe, Detection: malicious, Browse Filename: setup_x86_x64_install.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..f.x.5.x.5.x.5..r5.x.5..p5dx.5..q5.x.5@..4.x.5@..4.x.5@..4.x.5...5.x.5.x.5Jx.5...4.x.5...4.x.5..\|5.x.5...4.x.5Rich.x.5........................PE..L...f@.a...........!................8........................................p............@..........................&..L...<'..(....P.......................`...... ...p...................0...........@............................................text...M........................... ..`.rdata...].......^..................@..@.data........0....... ..............@....rsrc........P.......(..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.581071120397606
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TMB1fxNaqR.exe
File size:	57344
MD5:	a92922a71a9bf58cc2d95a6039c9a1b6
SHA1:	f419ba1e6da5dfc295857598e44b0a4eb0b3ecfc
SHA256:	213ea943865069cf1210a58860c619a8fa8928258abe8919fee8180feafea547
SHA512:	0bb8f350ab4ba4570806b70e6bf82d986782d4635f5058eaf8c36550b1ba9e3bd6b6e5df098fbb9167dece0684bbae047824822bb55f54ee8a17993f29fd8007
SSDEEP:	768:URFJRVA3O2pxNojkTnJQ6XWzQjkpC/xbjNxxuCqXKClZt9:MMoITVXGpC5bpHPmlZt9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L...RF.a.................p.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40268e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x61074652 [Mon Aug 2 01:11:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2cdeda7a0aa27475a825e9c41d4d95f0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00408150h
push 00403E48h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00408050h]
xor edx, edx
mov dl, ah
mov dword ptr [0040CF70h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040CF6Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040CF68h], ecx
shr eax, 10h
mov dword ptr [0040CF64h], eax
push 00000001h
call 00007FE49C86475Bh
pop ecx
test eax, eax
jne 00007FE49C86306Ah
push 0000001Ch
call 00007FE49C863110h
pop ecx
call 00007FE49C863BC3h
test eax, eax
jne 00007FE49C86306Ah
push 00000010h
call 00007FE49C8630FFh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007FE49C864403h
call dword ptr [0040804Ch]
mov dword ptr [0040D658h], eax
call 00007FE49C8642C1h
mov dword ptr [0040CF54h], eax
call 00007FE49C86406Ah
call 00007FE49C863FACh
call 00007FE49C863D0Fh
mov eax, dword ptr [0040CF80h]
mov dword ptr [0040CF84h], eax
push eax
push dword ptr [0040CF78h]
push dword ptr [0040CF74h]
call 00007FE49C862B32h
add esp, 0Ch

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8af0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x3d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6bb7	0x7000	False	0.593296595982	data	6.44358253732	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1186	0x2000	False	0.270629882812	data	3.63030337834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x365c	0x3000	False	0.0801595052083	data	0.843436221473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1000	0x1000	False	0.111083984375	data	1.09363315293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe058	0x37c	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize
USER32.dll	wsprintfW
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket
OLEAUT32.dll	VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo

Version Infos

Description	Data
LegalCopyright	Copyright (C) 1995-2018 VanDyke Software, Inc.
InternalName	License Helper
FileVersion	8.5.0.1740
CompanyName	VanDyke Software, Inc.
Comments	\$Revision: 122570 \$
ProductName	License Helper
ProductVersion	8.5.0.1740
FileDescription	License Helper
OriginalFilename	LicenseHelper.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-23:38:25.660129	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225
08/03/21-23:38:31.551839	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225
08/03/21-23:38:39.386795	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225
08/03/21-23:38:50.171576	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:38:06.097122908 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.114178896 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.114345074 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.119462967 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.136428118 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144661903 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144718885 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144751072 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144821882 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.150866985 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.167779922 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.167906046 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.215509892 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.232352018 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769733906 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769762993 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769779921 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769804001 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769818068 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769840956 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769855976 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769893885 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769905090 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769912004 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.769963026 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.769974947 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.769979954 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770143032 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770167112 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770183086 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770209074 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770230055 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770538092 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770561934 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770582914 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770606041 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770627975 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770677090 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.771333933 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.811240911 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.030968904 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.030998945 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031023026 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031038046 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031059027 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031078100 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031090021 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031184912 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031236887 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031243086 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031522989 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031546116 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031568050 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031590939 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031598091 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031620979 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.032304049 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.032377958 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041439056 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041465998 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041485071 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041501999 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041523933 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041548967 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041564941 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041615009 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041665077 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041671991 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041891098 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041918039 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041938066 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041956902 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041964054 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.042023897 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.042691946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042717934 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042741060 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042763948 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042768955 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.042800903 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.043505907 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.043582916 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.294538975 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294569016 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294590950 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294611931 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294626951 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294715881 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.294802904 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295092106 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295165062 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295166969 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295197010 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295249939 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295593023 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295634031 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295669079 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295691967 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295706987 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295763969 CEST	49708	443	192.168.2.3	172.67.146.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:37:56.634107113 CEST	60985	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:56.676135063 CEST	53	60985	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:57.231653929 CEST	50200	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:57.282186031 CEST	53	50200	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:57.536907911 CEST	51281	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:57.573438883 CEST	53	51281	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:58.592097998 CEST	49199	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:58.619740963 CEST	53	49199	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:59.474395037 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:59.509958982 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:59.696528912 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:59.729441881 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:01.026458025 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:01.076482058 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:01.869057894 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:01.896617889 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:03.027504921 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:03.059770107 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:04.618001938 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:04.643836975 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:05.781409025 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:05.806092978 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:06.049623966 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:06.085091114 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:06.987278938 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:07.021372080 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:07.800545931 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:07.825484991 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:08.934715986 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:08.960048914 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:09.537939072 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:09.570741892 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:10.155075073 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:10.190376043 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:11.050296068 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:11.085692883 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:12.071374893 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:12.098846912 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:13.260493994 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:13.296123028 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:13.925787926 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:13.951874971 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:14.363015890 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:14.364244938 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:14.388151884 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:14.399341106 CEST	53	58823	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 23:38:06.049623966 CEST	192.168.2.3	8.8.8.8	0x9251	Standard query (0)	a.goatgame.co	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:14.363015890 CEST	192.168.2.3	8.8.8.8	0xc59	Standard query (0)	google.vrthcobj.com	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:14.364244938 CEST	192.168.2.3	8.8.8.8	0x3308	Standard query (0)	google.vrthcobj.com	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 23:38:06.085091114 CEST	8.8.8.8	192.168.2.3	0x9251	No error (0)	a.goatgame.co	172.67.146.70	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:06.085091114 CEST	8.8.8.8	192.168.2.3	0x9251	No error (0)	a.goatgame.co	104.21.79.144	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:14.388151884 CEST	8.8.8.8	192.168.2.3	0xc59	No error (0)	google.vrthcobj.com	34.97.69.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 3, 2021 23:38:06.144718885 CEST	172.67.146.70	443	192.168.2.3	49708	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Aug 3, 2021 23:38:06.144718885 CEST	172.67.146.70	443	192.168.2.3	49708	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: TMB1fxNaqR.exe PID: 1740 Parent PID: 5572

General

Start time:	23:38:02
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\TMB1fxNaqR.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TMB1fxNaqR.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	A92922A71A9BF58CC2D95A6039C9A1B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 2332 Parent PID: 1740

General

Start time:	23:38:03
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: TMB1fxNaqR.exe PID: 4704 Parent PID: 1740

General

Start time:	23:38:03
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\TMB1fxNaqR.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	A92922A71A9BF58CC2D95A6039C9A1B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 5376 Parent PID: 4704

General

Start time:	23:38:04
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report TMB1fxNaqR

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: TMB1fxNaqR.exe PID: 1740 Parent PID: 5572