Windows Analysis Report 8TEZmAEx3U.exe
Overview
General Information
Detection
GuLoader Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected Remcos RAT
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses dynamic DNS services
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Remcos |
---|
{"Host:Port:Password": "solex-wave.duckdns.org:2404:0solex-wave.duckdns.org:2222:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-Y0PK9D", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Threatname: GuLoader |
---|
{"Payload URL": "http://sopage.duckdns.org/Remcos_s_bChlcwVW46.bin"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor |
Multi AV Scanner detection for submitted file |
Source: | Virustotal |
Yara detected Remcos RAT |
Source: | File source |
Machine Learning detection for sample |
Source: | Joe Sandbox ML |
Source: | Code function |
Source: | Static PE information |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS |
C2 URLs / IPs found in malware configuration |
Source: | URLs |
Uses dynamic DNS services |
Source: | DNS query |
Source: | HTTP traffic detected |
Source: | TCP traffic |
Source: | ASN Name |
Source: | IP Address |
Source: | DNS traffic detected |
Source: | HTTP traffic detected |
E-Banking Fraud: |
---|
Yara detected Remcos RAT |
Source: | File source |
System Summary: |
---|
Potential malicious icon found |
Source: | Icon embedded in PE file |
Source: | Static PE information |
Source: | Binary or memory string |
Source: | Static PE information |
Source: | Code function |
Source: | Process Stats |
Source: | Virustotal |
Source: | Static PE information |
Source: | Key opened |
Source: | Section loaded |
Source: | Process created |
Source: | Key value queried |
Source: | Mutant created |
Source: | Classification label |
Source: | File read |
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source |
Source: | Code function |
Source: | Static PE information |
Source: | Process information set |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run |
Source: | File opened |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string |
Source: | Window / User API |
Source: | Thread sleep count |
Source: | Last function |
Source: | System information queried |
Source: | Binary or memory string |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set |
Source: | Code function |
Source: | Process created |
Source: | Binary or memory string |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected |
Source: | Signature Results |
Yara detected Remcos RAT |
Source: | File source |
Remote Access Functionality: |
---|
Yara detected Remcos RAT |
Source: | File source |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion21 | OS Credential Dumping | Security Software Discovery31 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Virtualization/Sandbox Evasion21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol212 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner |
---|---|
18% | Virustotal |
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
sopage.duckdns.org | 23.146.242.85 | true | true | unknown | |
solex-wave.duckdns.org | 23.146.242.71 | true | true | unknown | |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
23.146.242.71 | solex-wave.duckdns.org | Reserved | 46664 | VDI-NETWORKUS | true |
23.146.242.85 | sopage.duckdns.org | Reserved | 46664 | VDI-NETWORKUS | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 491398 |
Start date: | 27.09.2021 |
Start time: | 14:52:37 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 8TEZmAEx3U.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 17 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.rans.troj.evad.winEXE@3/0@2/2 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Detection |
---|---|
23.146.242.71 | malicious |
23.146.242.85 | malicious |
Domains |
---|
Match | Detection |
---|---|
solex-wave.duckdns.org | malicious |
sopage.duckdns.org | malicious |
ASN |
---|
Match | Detection |
---|---|
VDI-NETWORKUS | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.699622688151151 |
TrID: | |
File name: | 8TEZmAEx3U.exe |
File size: | 184320 |
MD5: | 28c8b2207bb3e6884e1e29575fb19bec |
SHA1: | 5af638a980ba849bc6244dffb0caff4fb88c88d7 |
SHA256: | 7b3c49295c67d0de6a1739eca11609fc551805075fd66facfec8e2a2b6ca016c |
SHA512: | 03064bc3b8dc9dd43d9d5dc2f32d48a5da92e34640e316b82bf01bea591a81827f3177b7a211de6b612a38c728236c6719b8510538169328382bc3faf90e073f |
SSDEEP: | 3072:hTp6q3h21cWcznuYnl8AFZ6qnQaanfrMjVJK5T:hT7t6YlLZ66w/ |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....m.R.....................0......`.............@................ |
File Icon |
---|
Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401460 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x52BD6D88 [Fri Dec 27 12:07:36 2013 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 831c9926df4754b736e1ca092f4fb7e7 |
Entrypoint Preview |
---|
Instruction |
---|
push 00401608h |
call 00007FD1589ADC33h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a204 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0xc02 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x198 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x29854 | 0x2a000 | False | 0.509759812128 | data | 6.93605268847 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x2b000 | 0x11e8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x2d000 | 0xc02 | 0x1000 | False | 0.254638671875 | data | 3.22755332063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
CUSTOM | 0x2d9a8 | 0x25a | ASCII text, with CRLF line terminators | English | United States |
RT_ICON | 0x2d878 | 0x130 | data | ||
RT_ICON | 0x2d590 | 0x2e8 | data | ||
RT_ICON | 0x2d468 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x2d438 | 0x30 | data | ||
RT_VERSION | 0x2d1a0 | 0x298 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaI2I4, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0409 0x04b0 |
InternalName | Profylaktiskes |
FileVersion | 1.04 |
CompanyName | Qualtrics |
Comments | Qualtrics |
ProductName | Qualtrics |
ProductVersion | 1.04 |
FileDescription | Qualtrics |
OriginalFilename | Profylaktiskes.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/27/21-14:57:21.980451 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
09/27/21-14:57:23.162775 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
09/27/21-14:57:23.278830 | TCP | 2032776 | ET TROJAN Remocs 3.x Unencrypted Checkin | 49753 | 2404 | 192.168.2.5 | 23.146.242.71 |
09/27/21-14:57:23.563331 | TCP | 2032777 | ET TROJAN Remocs 3.x Unencrypted Server Response | 2404 | 49753 | 23.146.242.71 | 192.168.2.5 |
Network Port Distribution |
---|
TCP Packets |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 14:53:28.619101048 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 27, 2021 14:53:28.638602972 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Sep 27, 2021 14:53:45.436956882 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 27, 2021 14:53:45.457828999 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
Sep 27, 2021 14:53:59.604959011 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 27, 2021 14:53:59.617611885 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
Sep 27, 2021 14:57:21.865385056 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 27, 2021 14:57:21.980451107 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
Sep 27, 2021 14:57:23.049576998 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 27, 2021 14:57:23.162775040 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 27, 2021 14:57:21.865385056 CEST | 192.168.2.5 | 8.8.8.8 | 0xa34d | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 27, 2021 14:57:23.049576998 CEST | 192.168.2.5 | 8.8.8.8 | 0x6577 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 27, 2021 14:57:21.980451107 CEST | 8.8.8.8 | 192.168.2.5 | 0xa34d | No error (0) | | | 23.146.242.85 | A (IP address) | IN (0x0001) |
Sep 27, 2021 14:57:23.162775040 CEST | 8.8.8.8 | 192.168.2.5 | 0x6577 | No error (0) | | | 23.146.242.71 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.5 | 49752 | 23.146.242.85 | 80 | C:\Users\user\Desktop\8TEZmAEx3U.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2021 14:57:22.149102926 CEST | 1112 | OUT | |
Sep 27, 2021 14:57:22.262342930 CEST | 1113 | IN |