Windows Analysis Report DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Overview
General Information
Detection
GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Source: | Static PE information: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
Uses dynamic DNS services |
Source: | DNS query: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
System Summary: |
---|
Potential malicious icon found |
Source: | Icon embedded in PE file: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Section loaded: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | Mutant created: |
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source: |
Source: | Code function: |
Source: | Registry value created or modified: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run |
Source: | File opened: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Code function: |
Source: | Window / User API: |
Source: | System information queried: |
Source: | Binary or memory string: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: |
Source: | Code function: |
Source: | Code function: |
Source: | Process queried: |
Source: | Code function: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Writes to foreign memory regions |
Source: | Memory written: |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts1 | Windows Management Instrumentation | Valid Accounts1 | Valid Accounts1 | Valid Accounts1 | OS Credential Dumping | Security Software Discovery321 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Access Token Manipulation1 | LSASS Memory | Virtualization/Sandbox Evasion23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion23 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading1 | Obfuscated Files or Information1 | LSA Secrets | System Information Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol112 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
32% | Virustotal | |
18% | ReversingLabs | Win32.Trojan.Mucc |
100% | Avira | HEUR/AGEN.1141869 |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1141869 |
100% | Avira | HEUR/AGEN.1141869 |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
septnet.duckdns.org | 193.104.197.28 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
193.104.197.28 | septnet.duckdns.org | unknown | | 1299 | TELIANETTeliaCarrierEU | true |
178.32.63.50 | unknown | France | | 16276 | OVHFR | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 1360 |
Start date: | 27.09.2021 |
Start time: | 12:51:29 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 5s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Run name: | Suspected Instruction Hammering |
Number of new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.rans.troj.evad.winEXE@3/1@1/2 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
12:54:11 | Autostart | |
12:54:19 | Autostart | |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
178.32.63.50 | | | malicious | | |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
OVHFR | | | malicious | | |
TELIANETTeliaCarrierEU | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 98305 |
Entropy (8bit): | 5.8045067757228095 |
Encrypted: | false |
SSDEEP: | 768:I7nneTCCOKskAtEcDpHR0QWNTsO85zCoLi/0Fqt1fgg9ZPxt/ZbwKbdU5p0y:MnWAT4sO87LFIl3Ph2cy |
MD5: | DA500D43204B3E3DFEA43798760ED75D |
SHA1: | 206EE6A976EC8582810DB1EF8C6ED81599F24355 |
SHA-256: | 7B5C4219B3D03A3F8FF154FBAE97DA72A5E640AE13E7A414B2746804DBF2B8F8 |
SHA-512: | 2AA6347B81287C525262059C1B36CD1892603EC4BEF1A1CB1F112BEB83B67029C0EC4EEC61E22B834B591EF866480384164279FC3BDA8532D5828A040DB6AFB5 |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.804544485598051 |
TrID: |
File name: | DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
File size: | 98304 |
MD5: | 8e2b177d2ab29c95f067559a029cf5e8 |
SHA1: | f347fa229d51836344ab5bf89fa531e19aa5e324 |
SHA256: | b9fdde7d748e27a130c509a589a2c8b92aad279604d3e4ee7ac28187fc5660be |
SHA512: | 29493bc83ab2348c5f3f707079e968302e03256acd3801d9c5e47c13a87cb9ec70145208bb25a4127e30cbe2cd7edca1a6cd82a23ca7a5e5a8a0bb0a19e1aa00 |
SSDEEP: | 768:37nneTCCOKskAtEcDpHR0QWNTsO85zCoLi/0Fqt1fgg9ZPxt/ZbwKbdU5p0:TnWAT4sO87LFIl3Ph2c |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM..SM..SM...Q..RM...o..uM..ek..RM..RichSM..................PE..L......I.................P...@...............`....@........ |
File Icon |
---|
Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4012f0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x49E892D2 [Fri Apr 17 14:31:46 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 508f324e8f3f3b33e0170cdca30d1edb |
Entrypoint Preview |
---|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14d54 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x8e4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x104 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x141f0 | 0x15000 | False | 0.50043015253 | data | 6.21499607809 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x16000 | 0x205c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x19000 | 0x8e4 | 0x1000 | False | 0.169921875 | data | 1.92865182643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x197b4 | 0x130 | data | ||
RT_ICON | 0x194cc | 0x2e8 | data | ||
RT_ICON | 0x193a4 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x19374 | 0x30 | data | ||
RT_VERSION | 0x19150 | 0x224 | data | Chinese | Taiwan |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
InternalName | VOLDFRELSERS |
FileVersion | 1.00 |
CompanyName | Seismic |
ProductName | Barkerne8 |
ProductVersion | 1.00 |
OriginalFilename | VOLDFRELSERS.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/27/21-12:54:11.229766 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49806 | 80 | 192.168.11.20 | 178.32.63.50 |
09/27/21-12:54:15.667402 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54150 | 1.1.1.1 | 192.168.11.20 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 27, 2021 12:54:15.565355062 CEST | 192.168.11.20 | 1.1.1.1 | 0x387d | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 27, 2021 12:54:15.667402029 CEST | 1.1.1.1 | 192.168.11.20 | 0x387d | No error (0) | | | 193.104.197.28 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49806 | 178.32.63.50 | 80 | C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2021 12:54:11.229765892 CEST | 127 | OUT | |
Sep 27, 2021 12:54:11.300846100 CEST | 128 | IN | |