Windows Analysis Report 466XoziOLD.exe
Overview
General Information
Detection
GuLoader Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected Remcos RAT
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses dynamic DNS services
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Remcos |
---|
Setting | Value |
---|---|
Host:Port:Password | solex-wave.duckdns.org:2404:0 solex-wave.duckdns.org:2222:1 (two entries, see note below) |
Assigned name | RemoteHost |
Connect interval | 1 |
Connect delay | 0 |
Install flag | Disable |
Setup HKCU\Run | Enable |
Setup HKLM\Run | Disable |
Install path | AppData |
Copy folder | Remcos |
Copy file | remcos.exe |
Startup value | Remcos |
Hide file | Disable |
Delete file | Disable |
Mutex | Remcos-Y0PK9D |
Keylog flag | 0 |
Keylog path | AppData |
Keylog folder | remcos |
Keylog file | logs.dat |
Keylog file max size | 20000 |
Keylog crypt | Disable |
Hide keylog file | Disable |
Screenshot flag | Disable |
Screenshot time | 10 |
Take Screenshot option | Disable |
Take screenshot title | notepad;solitaire; |
Take screenshot time | 5 |
Screenshot path | AppData |
Screenshot file | Screenshots |
Screenshot crypt | Disable |
Mouse option | Disable |
Audio record time | 5 |
Audio path | AppData |
Audio folder | MicRecords |
The extractor emits the C2 list without a separator, so the Host:Port:Password value is two concatenated entries, solex-wave.duckdns.org:2404:0 and solex-wave.duckdns.org:2222:1; only port 2404 is seen in the capture (Snort IDS Alerts below). Install flag is Disable, so the Setup HKCU\Run, Copy folder and Copy file settings describe the builder's intent rather than observed behaviour, which is consistent with the empty Created / dropped Files section. |
Threatname: GuLoader |
---|
{"Payload URL": "http://sopage.duckdns.org/Remcos_sgJ"}
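As an added example (not part of the Joe Sandbox report), the following Python turns the Remcos configuration above into hunting indicators: it splits the concatenated Host:Port:Password list, flags dynamic-DNS C2 names, and derives the mutex, install path and Run-key values. It assumes the extractor's field names as shown on this page, that the Remcos "AppData" root is %APPDATA%, that the builder's Run-key options only take effect when the Install flag is enabled, and that a Keylog flag of 0 means the keylogger is off; the trailing digit of each C2 entry is passed through as the extractor labels it, without interpretation.

```python
"""Derive hunting indicators from the Remcos configuration block shown above.

Added example for this report page; it is not Joe Sandbox code. It assumes the
field names used by the Joe Sandbox extractor (copied from the page) and the
standard Remcos install layout (<root>\\<Copy folder>\\<Copy file>).
"""
import re

# Constructed from the extracted configuration on this page (fields the script
# does not use are omitted).
REMCOS_CONFIG = {
    "Host:Port:Password": "solex-wave.duckdns.org:2404:0solex-wave.duckdns.org:2222:1",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "Remcos",
    "Copy file": "remcos.exe",
    "Startup value": "Remcos",
    "Mutex": "Remcos-Y0PK9D",
    "Keylog flag": "0",
    "Keylog path": "AppData",
    "Keylog folder": "remcos",
    "Keylog file": "logs.dat",
}

# Assumption: the Remcos "AppData" root maps to %APPDATA%. Other roots the
# builder offers are not used by this sample and are passed through unchanged.
PATH_ROOTS = {"AppData": "%APPDATA%"}

# Short list of well-known dynamic-DNS suffixes; extend as needed.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org")

# The extractor writes the C2 list as host:port:flag entries with no separator,
# so "...:2404:0solex-wave..." is two entries. A host may not start with a digit,
# otherwise the single-digit flag could not be told apart from the next host.
C2_ENTRY = re.compile(r"([A-Za-z][A-Za-z0-9.-]*):(\d{1,5}):(\d)")


def parse_c2_list(field):
    """Split the concatenated Host:Port:Password field into (host, port, flag) tuples."""
    return [(h, int(p), int(f)) for h, p, f in C2_ENTRY.findall(field)]


def network_indicators(cfg):
    """C2 hosts and ports, with the dynamic-DNS names called out separately."""
    c2 = parse_c2_list(cfg["Host:Port:Password"])
    return {
        "c2": c2,
        "domains": sorted({h for h, _, _ in c2}),
        "ports": sorted({p for _, p, _ in c2}),
        "dynamic_dns": sorted({h for h, _, _ in c2 if h.endswith(DYNAMIC_DNS_SUFFIXES)}),
    }


def host_indicators(cfg):
    """Host artifacts to hunt for.

    Run keys are only emitted when the Install flag is enabled (assumption: the
    Run-key options are sub-settings of installation in the Remcos builder).
    install_path is the location the RAT would copy itself to if it installed.
    """
    root = PATH_ROOTS.get(cfg["Install path"], cfg["Install path"])
    ioc = {
        "mutex": cfg["Mutex"],
        "install_path": f"{root}\\{cfg['Copy folder']}\\{cfg['Copy file']}",
        "installs": cfg["Install flag"] == "Enable",
        "run_keys": [],
        "keylog_file": None,
    }
    if ioc["installs"]:
        for hive, key in (("HKCU", "Setup HKCU\\Run"), ("HKLM", "Setup HKLM\\Run")):
            if cfg[key] == "Enable":
                run_key = f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                ioc["run_keys"].append((run_key, cfg["Startup value"]))
    if cfg["Keylog flag"] != "0":  # assumption: 0 means the keylogger is off
        kroot = PATH_ROOTS.get(cfg["Keylog path"], cfg["Keylog path"])
        ioc["keylog_file"] = f"{kroot}\\{cfg['Keylog folder']}\\{cfg['Keylog file']}"
    return ioc


if __name__ == "__main__":
    import json
    print(json.dumps({"network": network_indicators(REMCOS_CONFIG),
                      "host": host_indicators(REMCOS_CONFIG)}, indent=2))
```

With this sample's configuration the script reports no Run key and no keylog file, which lines up with the empty Created / dropped Files section; the mutex and the two C2 host:port pairs are the indicators worth hunting on.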
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(memory dump, name not extracted) | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
(memory dump, name not extracted) | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Per-signature evidence (file names, strings, addresses, process command lines) did not survive extraction; for each signature only the evidence type and the number of entries remain. |
---|
AV Detection: |
---|
Found malware configuration | Malware Configuration Extractor (2 entries; see Malware Configuration above) |
Multi AV Scanner detection for submitted file | Virustotal (Perma Link), ReversingLabs |
Yara detected Remcos RAT | File source |
Machine Learning detection for sample | Joe Sandbox ML |
Further source in this section (signature name not extracted) | Static PE information |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Snort IDS (2 entries; see Snort IDS Alerts below) |
C2 URLs / IPs found in malware configuration | URLs (2 entries) |
Uses dynamic DNS services | DNS query (2 entries) |
Further sources in this section (signature names not extracted) | HTTP traffic detected; TCP traffic; ASN Name (2 entries); String found in binary or memory (3 entries); DNS traffic detected; HTTP traffic detected; Binary or memory string |
E-Banking Fraud: |
---|
Yara detected Remcos RAT | File source |
System Summary: |
---|
Potential malicious icon found | Icon embedded in PE file |
Further sources in this section (signature names not extracted) | Static PE information; Binary or memory string (3 entries); Static PE information; Code function (10 entries); Code function (12 entries); Process Stats; Virustotal; ReversingLabs; Static PE information; Key opened; Section loaded; Process created (3 entries); Key value queried; Mutant created; Classification label; File read (3 entries) |
Data Obfuscation: |
---|
Yara detected GuLoader | File source |
Further sources in this section (signature names not extracted) | Code function (14 entries); Static PE information; Process information set (7 entries) |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run | File opened (4 entries) |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Binary or memory string (3 entries) |
Further sources in this section (signature names not extracted) | Thread sleep count; System information queried; Binary or memory string (3 entries) |
Anti Debugging: |
---|
Hides threads from debuggers | Thread information set (2 entries; this signature corresponds to NtSetInformationThread with ThreadHideFromDebugger) |
Further sources in this section (signature names not extracted) | Code function (4 entries); Code function; Process created; Binary or memory string (4 entries) |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected | Signature Results |
Yara detected Remcos RAT | File source |
Remote Access Functionality: |
---|
Yara detected Remcos RAT | File source |
Mitre Att&ck Matrix |
---|
Only the techniques carrying hit counts (the report's superscript digits, shown here in brackets) were matched by signatures in this analysis; the remaining cells are the unpopulated matrix template. |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection [1,2] | Virtualization/Sandbox Evasion [2,1] | Input Capture [1] | Security Software Discovery [3,1] | Remote Services | Input Capture [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection [1,2] | LSASS Memory | Virtualization/Sandbox Evasion [2,1] | Remote Desktop Protocol | Archive Collected Data [1] | Exfiltration Over Bluetooth | Non-Standard Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information [2] | Security Account Manager | Process Discovery [1] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing [1] | NTDS | Remote System Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol [2] | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery [2] | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol [2,1,2] | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
466XoziOLD.exe | 30% | Virustotal | | Browse |
466XoziOLD.exe | 18% | ReversingLabs | | |
466XoziOLD.exe | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(URL not extracted) | 0% | Avira URL Cloud | safe | |
(URL not extracted) | 0% | Avira URL Cloud | safe | |
(URL not extracted) | 0% | Avira URL Cloud | safe | |
(URL not extracted) | 0% | Avira URL Cloud | safe | |
(URL not extracted) | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
sopage.duckdns.org | 23.146.242.85 | true | true | unknown | |
solex-wave.duckdns.org | 23.146.242.71 | true | true | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(URL not extracted) | true | | unknown |
(URL not extracted) | false | | unknown |
(URL not extracted) | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(URL not extracted) | | false | | unknown |
(URL not extracted) | | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
23.146.242.71 | solex-wave.duckdns.org | Reserved | | 46664 | VDI-NETWORKUS | true |
23.146.242.85 | sopage.duckdns.org | Reserved | | 46664 | VDI-NETWORKUS | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 491189 |
Start date: | 27.09.2021 |
Start time: | 10:54:54 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 52s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 466XoziOLD.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.rans.troj.evad.winEXE@3/0@2/2 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
23.146.242.71 | 2 earlier submissions (sample names and hashes not extracted) | | malicious | Browse | |
23.146.242.85 | 4 earlier submissions (sample names and hashes not extracted) | | malicious | Browse | |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
VDI-NETWORKUS | 20 earlier submissions (sample names and hashes not extracted) | | malicious | Browse | |
VDI-NETWORKUS | 20 earlier submissions (sample names and hashes not extracted) | | malicious | Browse | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.210722948101354 |
TrID: |
|
File name: | 466XoziOLD.exe |
File size: | 196608 |
MD5: | 84ade48e59ed36c620d254d325f355d7 |
SHA1: | 6e17eb18c64e00ca9831e940769da9c744a5d5e3 |
SHA256: | 8060a88a8253eafc4c38d56d58d8470b98765308aeafc1e873b95011cbb8cadf |
SHA512: | 8d4b4ae4c49d9f7f9bf8456d727a78cbd0cc0c2fc969b094bc653ec6d85d2d583337f0acb5b7f5c2fea97f6769f2981b28230d821818c9767cfacf810713ad6b |
SSDEEP: | 3072:RE8XO9B0GS31gah3MwJvwouDIQVcc+84+Z8j7G9YgVodURItu5:FO9B0GS317h3Mw2ouMWcc+86jq9Rodu |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L......S.....................0....................@................ |
File Icon |
---|
Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4013f0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x538C1A17 [Mon Jun 2 06:30:47 2014 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | bd85017eeb8dd3332d04b1838f2b93b1 |
Entrypoint Preview |
---|
The first two instructions (push 004016A4h; call ...) are the standard Visual Basic 6 entry stub: push the address of the VB project header, then call into the MSVBVM60 runtime (see Imports). Everything after that call is not code; the linear-sweep disassembler has run into the data that follows the stub, which is why the listing degrades into add byte ptr [eax], al and far calls. |
---|
Instruction |
---|
push 004016A4h |
call 00007F96F8F76CB3h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], ch |
cmp al, 4Dh |
into |
cmc |
pushfd |
push esp |
dec edi |
movsb |
mov cl, EEh |
call far 0000h : 45CE1C92h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add dword ptr [eax], eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
push ebp |
dec esi |
push esp |
dec ecx |
dec ebp |
inc ebp |
dec esp |
dec ecx |
dec esi |
inc ebp |
push ebx |
push ebx |
add byte ptr [edi], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
dec esp |
xor dword ptr [eax], eax |
or al, ACh |
jc 00007F96F8F76CC3h |
sub esp, dword ptr [edx-4Ah] |
push ds |
inc edx |
mov ebx, 4511F505h |
das |
cmp dl, byte ptr [ebx-13h] |
popfd |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d0b4 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0xbfa | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x138 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2c568 | 0x2d000 | False | 0.621511501736 | data | 7.42071533983 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x2e000 | 0x190c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x30000 | 0xbfa | 0x1000 | False | 0.253173828125 | data | 3.1781767801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
CUSTOM | 0x309a0 | 0x25a | ASCII text, with CRLF line terminators | English | United States |
RT_ICON | 0x30870 | 0x130 | data | ||
RT_ICON | 0x30588 | 0x2e8 | data | ||
RT_ICON | 0x30460 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x30430 | 0x30 | data | ||
RT_VERSION | 0x301a0 | 0x290 | MS Windows COFF PA-RISC object file | English | United States |
The Type column is libmagic's guess on the raw resource bytes; "MS Windows COFF PA-RISC object file" for the RT_VERSION block is a routine misidentification of a VS_VERSIONINFO structure, not an embedded object file. |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0409 0x04b0 |
InternalName | skraalinjers |
FileVersion | 1.04 |
CompanyName | Qualtrics |
Comments | Qualtrics |
ProductName | Qualtrics |
ProductVersion | 1.04 |
FileDescription | Qualtrics |
OriginalFilename | skraalinjers.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/27/21-10:59:46.401028 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
09/27/21-10:59:47.542847 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
09/27/21-10:59:47.658245 | TCP | 2032776 | ET TROJAN Remocs 3.x Unencrypted Checkin | 49829 | 2404 | 192.168.2.4 | 23.146.242.71 |
09/27/21-10:59:47.957165 | TCP | 2032777 | ET TROJAN Remocs 3.x Unencrypted Server Response | 2404 | 49829 | 23.146.242.71 | 192.168.2.4 |
SID 254 is a generic Snort rule that fires on any DNS answer carrying a one-minute TTL and no authority section; answers from dynamic-DNS providers such as DuckDNS routinely look like that, so the two UDP alerts only corroborate the dynamic-DNS use and are not a malware match on their own. The two ET rules are the actionable hits: they match the plaintext Remcos 3.x check-in and the server's reply on TCP 2404, the first port in the extracted configuration. |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 10:59:46.415395975 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.528383017 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.528517008 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.529064894 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.644090891 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.644130945 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.644157887 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.644182920 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.644210100 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.644212961 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.644251108 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756012917 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756086111 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756130934 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756149054 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756181955 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756194115 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756213903 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756273031 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756279945 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756337881 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756341934 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756398916 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756402969 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756458044 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.756465912 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756521940 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.756561995 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.868513107 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.868560076 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.868592024 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.868626118 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.868654013 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.868680954 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.868727922 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.868850946 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.868881941 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.868906021 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.868916035 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.868936062 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869277954 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869307995 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869333029 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869359016 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869386911 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869388103 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869420052 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869421005 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869452000 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869466066 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869482994 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869496107 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869514942 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869532108 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869556904 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869621992 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.869669914 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.869820118 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980645895 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980704069 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980753899 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980760098 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980784893 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980792999 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980804920 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980833054 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980840921 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980868101 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980871916 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980911970 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980912924 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980946064 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.980948925 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980982065 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.980983973 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981017113 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981018066 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981046915 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981070995 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981079102 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981111050 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981125116 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981134892 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981146097 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981223106 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981270075 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981298923 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981331110 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981340885 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981359959 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981370926 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981388092 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981401920 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981417894 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981425047 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981446981 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981453896 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981482983 CEST | 49828 | 80 | 192.168.2.4 | 23.146.242.85 |
Sep 27, 2021 10:59:46.981522083 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
Sep 27, 2021 10:59:46.981551886 CEST | 80 | 49828 | 23.146.242.85 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 10:55:43.547386885 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:55:43.568686008 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:56:16.208640099 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:56:16.238595009 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:56:52.018357038 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:56:52.036250114 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:56:53.979378939 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:56:53.999665022 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:56:56.096577883 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:56:56.170964003 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:56:56.789237022 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:56:56.805994034 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:56:57.569608927 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:56:57.628201008 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:56:59.870285034 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:56:59.884049892 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:00.406658888 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:00.471741915 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:01.776452065 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:01.884234905 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:03.995960951 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:04.020252943 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:05.849982023 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:05.863204956 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:06.645034075 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:06.659590006 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:07.133625031 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:07.147277117 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:46.642829895 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:46.655601978 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:57:49.210418940 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:57:49.248955965 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:59:46.285010099 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:59:46.401027918 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Sep 27, 2021 10:59:47.428427935 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 27, 2021 10:59:47.542846918 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 27, 2021 10:59:46.285010099 CEST | 192.168.2.4 | 8.8.8.8 | 0xfa1f | Standard query (0) | sopage.duckdns.org | A (IP address) | IN (0x0001) |
Sep 27, 2021 10:59:47.428427935 CEST | 192.168.2.4 | 8.8.8.8 | 0x266d | Standard query (0) | solex-wave.duckdns.org | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 27, 2021 10:59:46.401027918 CEST | 8.8.8.8 | 192.168.2.4 | 0xfa1f | No error (0) | sopage.duckdns.org | | 23.146.242.85 | A (IP address) | IN (0x0001) |
Sep 27, 2021 10:59:47.542846918 CEST | 8.8.8.8 | 192.168.2.4 | 0x266d | No error (0) | solex-wave.duckdns.org | | 23.146.242.71 | A (IP address) | IN (0x0001) |
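The "Uses dynamic DNS services" and "Detected TCP or UDP traffic on non-standard ports" signatures above come from correlating DNS answers with the connections that follow them. The following Python is an added example (not Joe Sandbox code) of that correlation run over rows constructed from this page's DNS Answers, TCP Packets and Snort tables; the dynamic-DNS suffix list, the 60-second correlation window and the set of ports treated as standard are choices made here, not values from the report.

```python
"""Correlate DNS answers with the TCP connections that follow them and flag
C2-style behaviour: a dynamic-DNS name resolving to an address that is then
contacted on a non-standard port within a short window.

Added example for this report page, not Joe Sandbox code. Input rows are
constructed from the tables on the page; suffix list, window and port set
are assumptions documented below.
"""
from datetime import datetime, timedelta

# Short list of well-known dynamic-DNS suffixes (assumption; extend as needed).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org")
# Ports an outbound web connection is expected to use; anything else counts as
# non-standard (assumption; tune to the environment).
STANDARD_TCP_PORTS = {80, 443}
# How long a DNS answer is allowed to "explain" a later connection (assumption).
WINDOW = timedelta(seconds=60)

# (timestamp, queried name, answered address), from the DNS Answers table;
# names taken from the Contacted Domains table. Sub-microsecond digits dropped.
DNS_ANSWERS = [
    ("2021-09-27 10:59:46.401027", "sopage.duckdns.org", "23.146.242.85"),
    ("2021-09-27 10:59:47.542846", "solex-wave.duckdns.org", "23.146.242.71"),
]
# First outbound packet of each TCP session: (timestamp, src port, dst ip, dst port).
# The port-80 session is from the TCP Packets table, the port-2404 session from
# the Snort check-in alert.
TCP_SESSIONS = [
    ("2021-09-27 10:59:46.415395", 49828, "23.146.242.85", 80),
    ("2021-09-27 10:59:47.658245", 49829, "23.146.242.71", 2404),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_dynamic_dns(name):
    return name.lower().endswith(DYNAMIC_DNS_SUFFIXES)


def resolve_name(dns_answers, dst_ip, when):
    """Most recent name that resolved to dst_ip within WINDOW before `when`, or None."""
    best = None
    for ts, name, addr in dns_answers:
        t = _ts(ts)
        if addr == dst_ip and t <= when and when - t <= WINDOW:
            if best is None or t > best[0]:
                best = (t, name)
    return best[1] if best else None


def correlate(dns_answers, tcp_sessions):
    """One finding per TCP session, with the reasons it looks like C2 traffic."""
    findings = []
    for ts, _sport, dip, dport in tcp_sessions:
        name = resolve_name(dns_answers, dip, _ts(ts))
        reasons = []
        if name and is_dynamic_dns(name):
            reasons.append("dynamic-dns")
        if dport not in STANDARD_TCP_PORTS:
            reasons.append("non-standard-port")
        severity = "high" if len(reasons) == 2 else ("medium" if reasons else "info")
        findings.append({"dst": f"{dip}:{dport}", "name": name,
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in correlate(DNS_ANSWERS, TCP_SESSIONS):
        print(finding)
```

On this page's rows the payload download to sopage.duckdns.org:80 is flagged only for the dynamic-DNS name, while the Remcos check-in to solex-wave.duckdns.org:2404 trips both conditions; in a real pipeline the same logic runs over DNS and flow logs instead of hand-copied rows.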
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49828 | 23.146.242.85 | 80 | C:\Users\user\Desktop\466XoziOLD.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2021 10:59:46.529064894 CEST | 9718 | OUT | (request bytes not extracted) |
Sep 27, 2021 10:59:46.644090891 CEST | 9720 | IN | (response bytes not extracted) |
Session 0 is the only HTTP exchange in the capture: the sample contacts the address sopage.duckdns.org resolves to (23.146.242.85) on port 80 immediately after resolving it, which matches the GuLoader Payload URL in the Malware Configuration section. The Remcos check-in on TCP 2404 that follows is not HTTP and appears only in the Snort IDS Alerts. |