Play interactive tour
Edit tourWindows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.22789.613
Overview
General Information
| Sample Name: | SecuriteInfo.com.__vbaHresultCheckObj.22789.613 (renamed file extension from 613 to exe) |
| Analysis ID: | 483722 |
| MD5: | 308fb834ee02960ec122cf34712fa871 |
| SHA1: | 3162aff052c28b2ebf265eaaf5eadd0311e4299d |
| SHA256: | a08af8c30e5a30a847fc94e370082ff8b9c9c7d5317d4fed0c3b4bc5854a496f |
| Tags: | exe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: GuLoader |
|---|
{"Payload URL": "https://drive.google.com/uc?export=download&id=16hJeQVa7vEC"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Multi AV Scanner detection for domain / URL | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| C2 URLs / IPs found in malware configuration | Show sources | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary: | |
|---|
| Potential malicious icon found | Show sources | ||
| Source: | Icon embedded in PE file: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_02AD588F | |
| Source: | Code function: | 0_2_02AD0688 | |
| Source: | Code function: | 0_2_02AD0E9C | |
| Source: | Code function: | 0_2_02AD5491 | |
| Source: | Code function: | 0_2_02AD58DE | |
| Source: | Code function: | 0_2_02AD987C | |
| Source: | Code function: | 0_2_02AD5B66 | |
| Source: | Code function: | 0_2_02AD12AF | |
| Source: | Code function: | 0_2_02AD98AF | |
| Source: | Code function: | 0_2_02AD2EAE | |
| Source: | Code function: | 0_2_02AD0EA9 | |
| Source: | Code function: | 0_2_02AD84A7 | |
| Source: | Code function: | 0_2_02AD9AA1 | |
| Source: | Code function: | 0_2_02AD20BC | |
| Source: | Code function: | 0_2_02AD2AB1 | |
| Source: | Code function: | 0_2_02AD60B1 | |
| Source: | Code function: | 0_2_02AD3AB3 | |
| Source: | Code function: | 0_2_02AD8E8D | |
| Source: | Code function: | 0_2_02AD4689 | |
| Source: | Code function: | 0_2_02AD6081 | |
| Source: | Code function: | 0_2_02AD8E9D | |
| Source: | Code function: | 0_2_02AD0E99 | |
| Source: | Code function: | 0_2_02AD829A | |
| Source: | Code function: | 0_2_02AD8CE9 | |
| Source: | Code function: | 0_2_02AD36E8 | |
| Source: | Code function: | 0_2_02AD0AE4 | |
| Source: | Code function: | 0_2_02AD8AE1 | |
| Source: | Code function: | 0_2_02AD1CFE | |
| Source: | Code function: | 0_2_02AD2AF0 | |
| Source: | Code function: | 0_2_02AD30CC | |
| Source: | Code function: | 0_2_02AD08C4 | |
| Source: | Code function: | 0_2_02AD20C7 | |
| Source: | Code function: | 0_2_02AD0AC2 | |
| Source: | Code function: | 0_2_02AD8E2D | |
| Source: | Code function: | 0_2_02AD6035 | |
| Source: | Code function: | 0_2_02AD0A30 | |
| Source: | Code function: | 0_2_02AD4408 | |
| Source: | Code function: | 0_2_02AD1000 | |
| Source: | Code function: | 0_2_02AD0A17 | |
| Source: | Code function: | 0_2_02AD1417 | |
| Source: | Code function: | 0_2_02AD327C | |
| Source: | Code function: | 0_2_02AD1C74 | |
| Source: | Code function: | 0_2_02AD9277 | |
| Source: | Code function: | 0_2_02AD2672 | |
| Source: | Code function: | 0_2_02AD4A72 | |
| Source: | Code function: | 0_2_02AD3A45 | |
| Source: | Code function: | 0_2_02AD4DA9 | |
| Source: | Code function: | 0_2_02AD5FBB | |
| Source: | Code function: | 0_2_02AD09BA | |
| Source: | Code function: | 0_2_02AD39B1 | |
| Source: | Code function: | 0_2_02AD8BB3 | |
| Source: | Code function: | 0_2_02AD2384 | |
| Source: | Code function: | 0_2_02AD5582 | |
| Source: | Code function: | 0_2_02AD159D | |
| Source: | Code function: | 0_2_02AD8D9D | |
| Source: | Code function: | 0_2_02AD7B98 | |
| Source: | Code function: | 0_2_02AD3F96 | |
| Source: | Code function: | 0_2_02AD1F91 | |
| Source: | Code function: | 0_2_02AD07E7 | |
| Source: | Code function: | 0_2_02AD07E1 | |
| Source: | Code function: | 0_2_02AD89F6 | |
| Source: | Code function: | 0_2_02AD05F3 | |
| Source: | Code function: | 0_2_02AD07C3 | |
| Source: | Code function: | 0_2_02AD47D0 | |
| Source: | Code function: | 0_2_02AD4F3F | |
| Source: | Code function: | 0_2_02AD833A | |
| Source: | Code function: | 0_2_02AD4935 | |
| Source: | Code function: | 0_2_02AD2F08 | |
| Source: | Code function: | 0_2_02AD4102 | |
| Source: | Code function: | 0_2_02AD111F | |
| Source: | Code function: | 0_2_02AD8D7E | |
| Source: | Code function: | 0_2_02AD614D | |
| Source: | Code function: | 0_2_02AD7D4A | |
| Source: | Code function: | 0_2_02AD5F5B | |
| Source: | Code function: | 0_2_02AD9955 | |
| Source: | Code function: | 0_2_02AD1350 | |
| Source: | Code function: | 0_2_02AD0E9C | |
| Source: | Code function: | 0_2_02AD5491 | |
| Source: | Code function: | 0_2_02AD944B | |
| Source: | Code function: | 0_2_02AD5B66 | |
| Source: | Code function: | 0_2_02AD2EAE | |
| Source: | Code function: | 0_2_02AD50B2 | |
| Source: | Code function: | 0_2_02AD4689 | |
| Source: | Code function: | 0_2_02AD5C2A | |
| Source: | Code function: | 0_2_02AD940C | |
| Source: | Code function: | 0_2_02AD2672 | |
| Source: | Code function: | 0_2_02AD4A72 | |
| Source: | Code function: | 0_2_02AD4DA9 | |
| Source: | Code function: | 0_2_02AD7B98 | |
| Source: | Code function: | 0_2_02AD1F91 | |
| Source: | Code function: | 0_2_02AD05F3 | |
| Source: | Code function: | 0_2_02AD47D0 | |
| Source: | Code function: | 0_2_02AD4F3F | |
| Source: | Code function: | 0_2_02AD4935 | |
| Source: | Code function: | 0_2_02AD7D4A | |
| Source: | Code function: | 22_2_0056A07B | |
| Source: | Code function: | 22_2_00569F61 | |
| Source: | Code function: | 22_2_00569F54 | |
| Source: | Code function: | 22_2_00569F1A | |
| Source: | Code function: | 22_2_00569F18 | |
| Source: | Process Stats: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
Data Obfuscation: | |
|---|
| Yara detected GuLoader | Show sources | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00404CE8 | |
| Source: | Code function: | 0_2_00403392 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Tries to detect Any.run | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Tries to detect virtualization through RDTSC time measurements | Show sources | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_02AD8186 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Anti Debugging: | |
|---|
| Hides threads from debuggers | Show sources | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Code function: | 0_2_02AD8186 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_02AD2EAE | |
| Source: | Code function: | 0_2_02AD39B1 | |
| Source: | Code function: | 0_2_02AD89F6 | |
| Source: | Code function: | 0_2_02AD7D38 | |
| Source: | Code function: | 0_2_02AD7714 | |
| Source: | Code function: | 0_2_02AD577E | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_02AD6813 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| GuLoader behavior detected | Show sources | ||
| Source: | Signature Results: | ||
| Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal ftp login credentials | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Tries to steal Mail credentials (via file access) | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Tries to harvest and steal browser information (history, passwords, etc) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping2 | Security Software Discovery421 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion221 | Credentials in Registry1 | Virtualization/Sandbox Evasion221 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Application Window Discovery1 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Non-Application Layer Protocol4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol115 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 24% | Virustotal | Browse | ||
| 16% | ReversingLabs | Win32.Trojan.Mucc |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| No Antivirus matches |
|---|
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 7% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 172.217.168.78 | true | false | high | |
| googlehosted.l.googleusercontent.com | 172.217.168.65 | true | false | high | |
| doc-0c-5o-docs.googleusercontent.com | unknown | unknown | false | high |
Contacted URLs |
|---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| true |
| unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.217.168.78 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
| 136.243.159.53 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 172.217.168.65 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false |
General Information |
|---|
| Joe Sandbox Version: | 33.0.0 White Diamond |
| Analysis ID: | 483722 |
| Start date: | 15.09.2021 |
| Start time: | 12:13:33 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 0s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | SecuriteInfo.com.__vbaHresultCheckObj.22789.613 (renamed file extension from 613 to exe) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 31 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.rans.troj.spyw.evad.winEXE@3/2@2/3 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 12:18:27 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 136.243.159.53 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Domains |
|---|
| No context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| HETZNER-ASDE | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:U:U |
| MD5: | C4CA4238A0B923820DCC509A6F75849B |
| SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
| SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 598 |
| Entropy (8bit): | 0.6390116820665388 |
| Encrypted: | false |
| SSDEEP: | 3:/lbOllbOllbOllbOllbOllbOllbON:+ |
| MD5: | E306B2B657314B7CA1B899F1A8B2A979 |
| SHA1: | DDF029D39D1A076A4218049CBD5143EE64A0D13B |
| SHA-256: | A3284A821DC0F8281285B68E3F1F2712F6D5B97E605233AC91235F780D55DCE4 |
| SHA-512: | EF935FBEDB6A39D819F650912E4E72355A6B395B01D15DE89CB30045A7330936CC1964C3CA771F8A9327043D734D5CD252DD91DE858A28E97283E310A988E41B |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.237444604576548 |
| TrID: |
|
| File name: | SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| File size: | 122880 |
| MD5: | 308fb834ee02960ec122cf34712fa871 |
| SHA1: | 3162aff052c28b2ebf265eaaf5eadd0311e4299d |
| SHA256: | a08af8c30e5a30a847fc94e370082ff8b9c9c7d5317d4fed0c3b4bc5854a496f |
| SHA512: | 23e725c55f51d22995d602023357e8ed971b0659c76ddd0a559ff381c72952576ebbc649733878dfd661bc05700f9cd85c38c44d98a8dc0a79aee9ece58d0ef4 |
| SSDEEP: | 1536:RrXWewJNHWF5O8MDyhgdrJl3sn8f9T8o7ahfIRorEjIvIP:RrXWZHG58Ghi3Pp8PrEcvIP |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......G.....................@....................@................ |
File Icon |
|---|
 | |
| Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x4017ac |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x47E1D28C [Thu Mar 20 02:57:16 2008 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 4d0b2c4c35fea49148bb1439759df35a |
Entrypoint Preview |
|---|
| Instruction |
|---|
| push 0040C1B8h |
| call 00007F9C1CB7DC25h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| xor byte ptr [eax], al |
| add byte ptr [eax], al |
| inc eax |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [esi+7EB0FBD5h], cl |
| push edi |
| sbb eax, D749B647h |
| jle 00007F9C1CB7DBB6h |
| imul byte ptr [edi-53h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add dword ptr [eax], eax |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| call 00007F9C5EBACA81h |
| dec edi |
| dec edi |
| dec esi |
| inc esp |
| dec edi |
| inc ebx |
| dec ebx |
| dec ebp |
| dec ecx |
| add byte ptr [eax], al |
| and byte ptr [eax], cl |
| inc ecx |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add bh, bh |
| int3 |
| xor dword ptr [eax], eax |
| or al, C5h |
| in al, dx |
| adc esi, dword ptr [edi+edx] |
| aas |
| into |
| dec ebp |
| or byte ptr [edx-216D8693h], FFFFFFC5h |
| jmp 00007F9C7D91A899h |
| int3 |
| add byte ptr [edx+eax*2+7E5A12BAh], ch |
| pop es |
| sub dl, byte ptr [ebp+edi*4+33AD4F3Ah] |
| cdq |
| iretw |
| adc dword ptr [edi+00AA000Ch], esi |
| pushad |
| rcl dword ptr [ebx+00000000h], cl |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| inc ebx |
| test eax, 00510000h |
| add byte ptr [eax], al |
| add byte ptr [6C694D00h], cl |
| imul esp, dword ptr [ebp+75h], 6E616C70h |
| jc 00007F9C1CB7DC6Ah |
| add byte ptr [61000B01h], cl |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19bb4 | 0x28 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d000 | 0x16f6 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x190f0 | 0x1a000 | False | 0.429715670072 | data | 6.66947979722 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .data | 0x1b000 | 0x119c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1d000 | 0x16f6 | 0x2000 | False | 0.242919921875 | data | 2.91839077236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| CUSTOM | 0x1de38 | 0x8be | MS Windows icon resource - 1 icon, 32x32, 11 bits/pixel | English | United States |
| CUSTOM | 0x1db3a | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixel | English | United States |
| CUSTOM | 0x1d9fc | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States |
| RT_ICON | 0x1d8cc | 0x130 | data | ||
| RT_ICON | 0x1d5e4 | 0x2e8 | data | ||
| RT_ICON | 0x1d4bc | 0x128 | GLS_BINARY_LSB_FIRST | ||
| RT_GROUP_ICON | 0x1d48c | 0x30 | data | ||
| RT_VERSION | 0x1d200 | 0x28c | PGP symmetric key encrypted data - Plaintext or unencrypted data | Norwegian | Norway |
Imports |
|---|
| DLL | Import |
|---|---|
| MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaInStrB, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |
Version Infos |
|---|
| Description | Data |
|---|---|
| Translation | 0x0414 0x04b0 |
| InternalName | Firnificat |
| FileVersion | 1.00 |
| CompanyName | Asus |
| Comments | Thunderbird |
| ProductName | spicevpn.com |
| ProductVersion | 1.00 |
| FileDescription | Hp, Inc. |
| OriginalFilename | Firnificat.exe |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
| Norwegian | Norway |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 09/15/21-12:18:26.905443 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:26.905443 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:26.905443 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:26.905443 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:26.905443 | TCP | 2410 | WEB-PHP IGeneric Free Shopping Cart page.php access | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:27.518074 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:27.518074 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:27.518074 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:27.518074 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:27.518074 | TCP | 2410 | WEB-PHP IGeneric Free Shopping Cart page.php access | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.106281 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.106281 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.106281 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.106281 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.106281 | TCP | 2410 | WEB-PHP IGeneric Free Shopping Cart page.php access | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.705273 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.705273 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.705273 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.705273 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| 09/15/21-12:18:28.705273 | TCP | 2410 | WEB-PHP IGeneric Free Shopping Cart page.php access | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 15, 2021 12:18:23.862144947 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:23.862242937 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:23.862396002 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:23.893001080 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:23.893054008 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:23.973221064 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:23.973397970 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:23.973494053 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:23.973608017 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.278904915 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.278928995 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.279318094 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.282006979 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.282031059 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.327141047 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.817452908 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.817519903 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.817795992 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.817996025 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.818146944 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.818166018 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.820866108 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.868932962 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.869091988 CEST | 443 | 49790 | 172.217.168.78 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.869235039 CEST | 49790 | 443 | 192.168.2.3 | 172.217.168.78 |
| Sep 15, 2021 12:18:24.969089031 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:24.969140053 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.969307899 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:24.970480919 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:24.970504999 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.053934097 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.054341078 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.054418087 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.054497004 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.071626902 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.071662903 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.072176933 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.072839022 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.073530912 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.115166903 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.311964989 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.312194109 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.315018892 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.315217972 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.316611052 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.316740990 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.320597887 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.320648909 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.320714951 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.320733070 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.320772886 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.320800066 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.322614908 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.322720051 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.323153973 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.323239088 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.339771986 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.340018988 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.340035915 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.340145111 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.340548038 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.341589928 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.341608047 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.341686964 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.342571020 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.342719078 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.342734098 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.342822075 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.344410896 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.344582081 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.344595909 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.344790936 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.347266912 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.347413063 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.347428083 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.347599983 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.348817110 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.348948956 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.348963022 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.349050045 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.350661993 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.350809097 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.350825071 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.350944042 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.352303982 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.352435112 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.352451086 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.352804899 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.354222059 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.354332924 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.354346991 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.354430914 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.356110096 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.357040882 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.357057095 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.357130051 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.357938051 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.358089924 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.358102083 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.358171940 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.360002041 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.360214949 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.360224009 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.360404968 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.361470938 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.361645937 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.361653090 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.362073898 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.363271952 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.363404989 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.363410950 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.363533020 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.364991903 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.365115881 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.365122080 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.365186930 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.366915941 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.367074966 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.367083073 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.367163897 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.369525909 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.369618893 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.369628906 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.369682074 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.370147943 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.370230913 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.370245934 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.370255947 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.370301008 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.370363951 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.371658087 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.371995926 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.372005939 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.372072935 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.373009920 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.373121023 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.373130083 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.373203039 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.374341965 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.374433041 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.374439001 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.374496937 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.375657082 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.375762939 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.375771999 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.375825882 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.376863003 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.376966953 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.376976013 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.377054930 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.378129959 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.378240108 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.378248930 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.378387928 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.379410028 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.379501104 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.379513025 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.379650116 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.380616903 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.380722046 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.380732059 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.380871058 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.381814957 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.381918907 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.381930113 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.382062912 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.383022070 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.383115053 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.383122921 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.383194923 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.384206057 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.384303093 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.384313107 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.384469986 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.385371923 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.385462046 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.385471106 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.385617018 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.386549950 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.386646986 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.386662006 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.386693001 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.386768103 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.387778044 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.388098955 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.388111115 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.388470888 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.389013052 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.389174938 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.389214993 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.389486074 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.390187979 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.390317917 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.390341997 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.390619993 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.391278028 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.391385078 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.391405106 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.391427994 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.391531944 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.391556025 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.391645908 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.391890049 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:25.396286011 CEST | 443 | 49791 | 172.217.168.65 | 192.168.2.3 |
| Sep 15, 2021 12:18:25.396472931 CEST | 49791 | 443 | 192.168.2.3 | 172.217.168.65 |
| Sep 15, 2021 12:18:26.877856016 CEST | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:26.901468992 CEST | 80 | 49792 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:26.901623964 CEST | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:26.905442953 CEST | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:26.928972006 CEST | 80 | 49792 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:26.929147005 CEST | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:26.955193996 CEST | 80 | 49792 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.261260033 CEST | 80 | 49792 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.261486053 CEST | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.271939039 CEST | 80 | 49792 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.272020102 CEST | 49792 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.286678076 CEST | 80 | 49792 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.476850986 CEST | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.500335932 CEST | 80 | 49793 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.500463963 CEST | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.518074036 CEST | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.544553995 CEST | 80 | 49793 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.544676065 CEST | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.570575953 CEST | 80 | 49793 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.893892050 CEST | 80 | 49793 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.901452065 CEST | 80 | 49793 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:27.901578903 CEST | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.914086103 CEST | 49793 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:27.937553883 CEST | 80 | 49793 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.061419964 CEST | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.086733103 CEST | 80 | 49794 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.087266922 CEST | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.106281042 CEST | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.130412102 CEST | 80 | 49794 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.130778074 CEST | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.155255079 CEST | 80 | 49794 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.481360912 CEST | 80 | 49794 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.481400967 CEST | 80 | 49794 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.481703997 CEST | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.485388994 CEST | 49794 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.509084940 CEST | 80 | 49794 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.675857067 CEST | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.699362040 CEST | 80 | 49795 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.699476004 CEST | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.705272913 CEST | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.728961945 CEST | 80 | 49795 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:28.729404926 CEST | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:28.752935886 CEST | 80 | 49795 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:29.071197033 CEST | 80 | 49795 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:29.073679924 CEST | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:29.079993963 CEST | 80 | 49795 | 136.243.159.53 | 192.168.2.3 |
| Sep 15, 2021 12:18:29.080120087 CEST | 49795 | 80 | 192.168.2.3 | 136.243.159.53 |
| Sep 15, 2021 12:18:29.097352982 CEST | 80 | 49795 | 136.243.159.53 | 192.168.2.3 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 15, 2021 12:14:25.165371895 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:14:25.207999945 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:14:53.516752005 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:14:53.548181057 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:14:58.580920935 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:14:58.627831936 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:15:31.613208055 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:15:31.655380011 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:15:48.526885986 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:15:48.556358099 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:16:16.030837059 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:16:16.066560984 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:16:18.268497944 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:16:18.305751085 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:20.360146046 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:20.395695925 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:21.584640980 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:21.613279104 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:22.267870903 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:22.295929909 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:22.643908024 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:22.671076059 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:23.257720947 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:23.315049887 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:23.799321890 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:23.834458113 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:24.560609102 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:24.589884996 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:25.495563984 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:25.525199890 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:26.590100050 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:26.619921923 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:17:27.244864941 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:17:27.271841049 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:18:23.777498960 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:18:23.824287891 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
| Sep 15, 2021 12:18:24.921278954 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
| Sep 15, 2021 12:18:24.956243992 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Sep 15, 2021 12:18:23.777498960 CEST | 192.168.2.3 | 8.8.8.8 | 0x48 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Sep 15, 2021 12:18:24.921278954 CEST | 192.168.2.3 | 8.8.8.8 | 0xbc87 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Sep 15, 2021 12:18:23.824287891 CEST | 8.8.8.8 | 192.168.2.3 | 0x48 | No error (0) | 172.217.168.78 | A (IP address) | IN (0x0001) | ||
| Sep 15, 2021 12:18:24.956243992 CEST | 8.8.8.8 | 192.168.2.3 | 0xbc87 | No error (0) | googlehosted.l.googleusercontent.com | CNAME (Canonical name) | IN (0x0001) | ||
| Sep 15, 2021 12:18:24.956243992 CEST | 8.8.8.8 | 192.168.2.3 | 0xbc87 | No error (0) | 172.217.168.65 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
|---|
|
HTTP Packets |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49790 | 172.217.168.78 | 443 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49791 | 172.217.168.65 | 443 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 2 | 192.168.2.3 | 49792 | 136.243.159.53 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Sep 15, 2021 12:18:26.905442953 CEST | 5985 | OUT | |
| Sep 15, 2021 12:18:26.929147005 CEST | 5985 | OUT | |
| Sep 15, 2021 12:18:27.261260033 CEST | 5985 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 3 | 192.168.2.3 | 49793 | 136.243.159.53 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Sep 15, 2021 12:18:27.518074036 CEST | 5986 | OUT | |
| Sep 15, 2021 12:18:27.544676065 CEST | 5986 | OUT | |
| Sep 15, 2021 12:18:27.893892050 CEST | 5987 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 4 | 192.168.2.3 | 49794 | 136.243.159.53 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Sep 15, 2021 12:18:28.106281042 CEST | 5988 | OUT | |
| Sep 15, 2021 12:18:28.130778074 CEST | 5988 | OUT | |
| Sep 15, 2021 12:18:28.481360912 CEST | 5989 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 5 | 192.168.2.3 | 49795 | 136.243.159.53 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Sep 15, 2021 12:18:28.705272913 CEST | 5989 | OUT | |
| Sep 15, 2021 12:18:28.729404926 CEST | 5990 | OUT | |
| Sep 15, 2021 12:18:29.071197033 CEST | 5990 | IN |
HTTPS Proxied Packets |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49790 | 172.217.168.78 | 443 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2021-09-15 10:18:24 UTC | 0 | OUT | |
| 2021-09-15 10:18:24 UTC | 0 | IN | |
| 2021-09-15 10:18:24 UTC | 1 | IN | |
| 2021-09-15 10:18:24 UTC | 1 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49791 | 172.217.168.65 | 443 | C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2021-09-15 10:18:25 UTC | 1 | OUT | |
| 2021-09-15 10:18:25 UTC | 2 | IN |