Play interactive tour
Edit tourWindows Analysis Report a3.exe
Overview
General Information
| Sample Name: | a3.exe |
| Analysis ID: | 498881 |
| MD5: | 0cc6d274cd84b593210168f51fcd38cd |
| SHA1: | 666fc3963609f4aff528b9a32f7516feebaa6ddf |
| SHA256: | a3bdb9880bf419f2023e4015545c6c72835dbc5c68cd14fd81d35220bf9449fa |
| Tags: | exe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Ursnif |
|---|
{"lang_id": "RU, CN", "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW", "c2_domain": ["api5.feen007.at/webstore"], "botnet": "3500", "server": "550", "serpent_key": "IpNvMMQa29KhBf3e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Click to see the 6 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
Compliance: | |
|---|
| Detected unpacking (overwrites its own PE header) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | ||
| Source: | Code function: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary: | |
|---|
| Writes or reads registry keys via WMI | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Writes registry values via WMI | Show sources | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | ||
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | File opened: | ||
Data Obfuscation: | |
|---|
| Detected unpacking (changes PE section rights) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Detected unpacking (overwrites its own PE header) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Last function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | ||
| Source: | Key value queried: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection3 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection3 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing23 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery33 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 79% | Virustotal | Browse | ||
| 89% | ReversingLabs | Win32.Trojan.MintDreidel | ||
| 100% | Avira | TR/Crypt.Agent.dffnu | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.ZPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1108168 | Download File | ||
| 100% | Avira | TR/Crypt.Agent.dffnu | Download File | ||
| 100% | Avira | TR/Patched.Ren.Gen | Download File | ||
| 100% | Avira | TR/Patched.Ren.Gen | Download File |
Domains |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| api5.feen007.at | 87.106.18.141 | true | true |
| unknown |
| windowsupdate.s.llnwi.net | 178.79.242.0 | true | false |
| unknown |
Contacted URLs |
|---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 87.106.18.141 | api5.feen007.at | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true |
General Information |
|---|
| Joe Sandbox Version: | 33.0.0 White Diamond |
| Analysis ID: | 498881 |
| Start date: | 07.10.2021 |
| Start time: | 16:18:07 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 8s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Sample file name: | a3.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 23 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@4/14@1/1 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| No simulations |
|---|
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 87.106.18.141 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| windowsupdate.s.llnwi.net | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| ONEANDONE-ASBrauerstrasse48DE | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 29272 |
| Entropy (8bit): | 1.7701344643347803 |
| Encrypted: | false |
| SSDEEP: | 96:r/ZJZR12RW2qWRW2131tRW213yUfRW213ygIFMRW213kGgwbRW2A3kGg4B:r/ZJZX241W4Yt46f4tFM4Kb4ZB |
| MD5: | FE7E0B15BF69E7D5E77D3E4CBC8FD844 |
| SHA1: | 88CF8FE6080E43CAF86E3289743F3F0F6F0264A9 |
| SHA-256: | 2260FAEE56EC919ED892395000AEA687299096CB658CD36CFD8709A16EA9EA54 |
| SHA-512: | B0EB02579A0154EE33E4FE04D273D1492F90C495AE6678AE32805E0B2354838B2B5D5AB4BACDC1B15E48489918D74EEC91ACF158F72E16DC57C3848192AAB800 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 28124 |
| Entropy (8bit): | 1.9146205589171772 |
| Encrypted: | false |
| SSDEEP: | 48:IwMGcpr1Gwpa5G4pQNGrapbSGGQpBuGHHpc7TGUp8HGzYpmmGGop7k8qiPDqz3dH:rQZfQb6tBS+j92VWlMN9TC1dlTlCTA |
| MD5: | 5E3115DE41A4E4B1B521C97AC18813C5 |
| SHA1: | 891FA9D6745C7F0C1810B79B0915968E9F4C2930 |
| SHA-256: | 5F7C6F8FD48463FF43A349F5101C4A0DA17ADFB15C2B00903B64A78101A559D7 |
| SHA-512: | C88D3CBD0ABDF060A8AC7E0549C6425650D1647E8D803702AB616AED2F36126F2879EB76B57C529D916C065D97611E19B9406D125C0320294FF7C2A3FB50D0D7 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 656 |
| Entropy (8bit): | 5.088938170870811 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxOE01OnWimI002EtM3MHdNMNxOE01OnWimI00ObVbkEtMb:2d6NxON1OSZHKd6NxON1OSZ76b |
| MD5: | CFAA0C1E504623245FDEFC9528A298E2 |
| SHA1: | 34F63675582E23949D70A2D4D1A4E1CC8C0B790A |
| SHA-256: | 365DBA991887E73B5B2DB0DF9A477F6455760ED25A77A251C3BE2AEEDF692C7E |
| SHA-512: | BF29CFCA96818EECC3E2AFCB328E3BB4481820AFF1DC8612314F72179290E75E325BF2D9F497147047CD6C3993183936023B4D6728D2D642495E9D31500169E6 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 653 |
| Entropy (8bit): | 5.065104180080743 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxe2krnWimI002EtM3MHdNMNxe2krnWimI00Obkak6EtMb:2d6NxrGSZHKd6NxrGSZ7Aa7b |
| MD5: | A176224E43E9EDDBFE494818028EE7AB |
| SHA1: | 3BB8B696F63C85AF1C0E94960D84ED6E6D6A0635 |
| SHA-256: | 9FA1C7C516CC55D0872EA1334262A8C10BD054A2EEF71B43E1186719383F09B5 |
| SHA-512: | 5E33C03EA206206B1ADDEDBCB34B6CD3DBC7F7FE44D6541494825CC69CA5CBAE9B76319754D66E96625540B77CFE52A12776FBB92466EDA12F5584959FA4036F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 662 |
| Entropy (8bit): | 5.10663851901763 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxvL01OnWimI002EtM3MHdNMNxvL01OnWimI00ObmZEtMb:2d6Nxvg1OSZHKd6Nxvg1OSZ7mb |
| MD5: | 4CF1FB8C2B6628E509091716B3DDD46B |
| SHA1: | 05911E9D90643C2EAD2FF98E816149F44A679638 |
| SHA-256: | 5DF8D0CD00CCB850F5E85088F93E3FE2970A554B55A05B0C505BDD97C52F1B39 |
| SHA-512: | 911D2B3A5889CA10CB012813E622A754009F7160F417B22B1534B46550B1E32DFF636D21BE76AC9C81E9A096BFA7D34A889AFD89AAB4FCD91F8E67762A4AD5C2 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 647 |
| Entropy (8bit): | 5.055361901508745 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxiJKInWimI002EtM3MHdNMNxiJKInWimI00Obd5EtMb:2d6NxuKISZHKd6NxuKISZ7Jjb |
| MD5: | 074BD65CAD3A43806997D815CCD310BB |
| SHA1: | 1D281442E0BA47A74363EC75B47D2E88B53CBF4A |
| SHA-256: | 1104831873D15DBE0D741CF5E1E484E7177573C254D4AEE37C05C5A7AEE69AB5 |
| SHA-512: | E53EDDE4294E9924EA58D744EB8039A130FED6C07C9A6688BFD674B46450ACD1029E01897BDAC1FE3933A52221B7B1703C2984BFA2D39BF123742A707C9E3FFD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 656 |
| Entropy (8bit): | 5.1159885561659975 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxhGw01OnWimI002EtM3MHdNMNxhGw01OnWimI00Ob8K075EtMb:2d6NxQR1OSZHKd6NxQR1OSZ7YKajb |
| MD5: | 82E6B249A578988E85BC7C6ED57C0168 |
| SHA1: | 6AECCC4307830A7F3A27FA2951F7FD67F187FC3E |
| SHA-256: | DAF909323DD36C6BE68B420AF15E76EDD67D773F0299C89D1E6D67F8994531C0 |
| SHA-512: | 8D4DA2B26EDD870619340AAF8BF4E28D9EF830D68461873A693FAD618694811955299A19E2409FD7C302BB63BDF8E90686F5E366DF47F29A91567E31970939A7 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 653 |
| Entropy (8bit): | 5.037015661281331 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNx0nJKInWimI002EtM3MHdNMNx0nJKInWimI00ObxEtMb:2d6Nx0JKISZHKd6Nx0JKISZ7nb |
| MD5: | 3CFC651E6983F1197503C958A59FF72E |
| SHA1: | 4B3F879C0E9841AB266A2A323B2CFB4B3E5C98D7 |
| SHA-256: | E5870E5F72EAEFC0405F0C9047F081A280F5B27A073E19E003B6B86ECB04724D |
| SHA-512: | C3A360FEC4BEECF1DC433411E44241E42C1ABBB723EA66E331890E94FF983884D02C21B2C740FB357C716B0F3BF035394610484C186CF8A30234716B309AC6BD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 656 |
| Entropy (8bit): | 5.080777529981643 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxxJKInWimI002EtM3MHdNMNxxJKInWimI00Ob6Kq5EtMb:2d6NxzKISZHKd6NxzKISZ7ob |
| MD5: | 3870B225A953FACDECF806D3F27F01DA |
| SHA1: | 03D41945033C8FBABEFA7AA1F843B8A5E7C965FD |
| SHA-256: | AF22888DDE910384C19551EB62DBCE6248C221DC754B5D92A6F6403A97D4640E |
| SHA-512: | BB547ECB7646A86BE073328A1F0613FA4BBF71A80890E4D6F5315FE83741D3F0E636DE846EE34A643F4F81DD87AEC7E7E7607B36A1ABB05918EB90F9D1F625C9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 659 |
| Entropy (8bit): | 5.0563074196705715 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxcrnWimI002EtM3MHdNMNxcrnWimI00ObVEtMb:2d6NxOSZHKd6NxOSZ7Db |
| MD5: | 5BDD08733FEABBBE890D0028FAAF5E1F |
| SHA1: | 98092E7531A9AC8B40BBD01FE6D28C16965B8310 |
| SHA-256: | 68C63C7F3078AB225D4916AB8C767C6D002DC05C3949E4634942BEE8F94D13E6 |
| SHA-512: | 31548A010931122325CFBAE97AF82E69E0F02C4E46DA9A44162A8C0EF4500DCDA5571844EC990858000683B9335EB6DECCF8DCE44F5B5294227C6628867D35A7 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 653 |
| Entropy (8bit): | 5.044181719856586 |
| Encrypted: | false |
| SSDEEP: | 12:TMHdNMNxfnrnWimI002EtM3MHdNMNxfnrnWimI00Obe5EtMb:2d6NxzSZHKd6NxzSZ7ijb |
| MD5: | CF8F543F877CB266D950DF963AD9406D |
| SHA1: | 2E90F1248ABF3DB1845E63828242689BDBD51B4E |
| SHA-256: | 88626A4E7C44B0CF6131273949CD910FE4630AADD0DAB67202C378E5C04F3A68 |
| SHA-512: | D375CBDF23EA8D4DFA03C8BA3BAFBFF2099C7F6761D67CAA0575F4D57DABDE743E9B786E8FE9A79CC06D3C011D5A7562518D45E70420778BBA01ECF56665810B |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 89 |
| Entropy (8bit): | 4.422630656681361 |
| Encrypted: | false |
| SSDEEP: | 3:oVXUYzYTM7W8JOGXnEYzYTMZun:o9UYzYTVqEYzYTV |
| MD5: | F03B712BE3FF150E4E2EE180114CF20A |
| SHA1: | 9988A53E02D5F481CF62E78FB21BF0AC679802F7 |
| SHA-256: | B1E47CABBB3103F18B9086625A9F71696259DA30AFC2E93495A635F4D3144BC4 |
| SHA-512: | 92F036490D547FD9A9A7B9002606F43B8E9FE24A9207C58D2DA8F37F436CDC7947E0174DF723C9E49FE79FE237C276BB4C0C5816117EC85866D3E7B37F0B6C5D |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 40121 |
| Entropy (8bit): | 0.667681657124394 |
| Encrypted: | false |
| SSDEEP: | 48:kBqoxKAuvScS+XZbSmImRk8ILiPDqz3dYnk8ILiPDqz3dYok8ILiPDqz3dYF:kBqoxKAuvScS+XZbS54i2CMi2Cni2C4 |
| MD5: | C941466D3B30985EA0EADE7426D7C846 |
| SHA1: | 0039736FA9FE41B250A33377E7DBDA2FE4DDC78A |
| SHA-256: | 07B1ACFB47135B97D5B07089B000260C617FECD4F0B264FF1534E238D5B54CA2 |
| SHA-512: | 5DDA6E800F0DF705AE01D515076007313BBDC54FC5ADB6A7EF4E3FFB46CACDE1C500B7F5084F67801DC95FCD115D2CC273070A75F135063237C6E7884F1822F3 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\internet explorer\iexplore.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12933 |
| Entropy (8bit): | 0.40915964020179696 |
| Encrypted: | false |
| SSDEEP: | 24:c9lLh9lLh9lIn9lIn9loRYF9loRg9lWRW2V3ygV3kGx:kBqoIRrRNRW2V3ygV3kGx |
| MD5: | E2C3A9A25DE0C27EE85FE33712B018AF |
| SHA1: | AA9D7BFBC164748490A7D2C2BE569342C9AA5533 |
| SHA-256: | F7D913F2D4C405BA40C9B13A585F17EE2C356742D445C79C6FF718EC460472DA |
| SHA-512: | 11161E5C98C4C12E82DE923268277DE352FEFE35F49F6E8D9EA9069E6C83E3AEFCA13220EE59333E2171A16F1ABDD6212D198A9D6B15D278071BD4C79D692DE7 |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.835334743621618 |
| TrID: |
|
| File name: | a3.exe |
| File size: | 179712 |
| MD5: | 0cc6d274cd84b593210168f51fcd38cd |
| SHA1: | 666fc3963609f4aff528b9a32f7516feebaa6ddf |
| SHA256: | a3bdb9880bf419f2023e4015545c6c72835dbc5c68cd14fd81d35220bf9449fa |
| SHA512: | 7983ed74b0fc4d75f384433aa9d07354275c9565988cc0d7b3e5c5cfac3bb2fac2bf690dfb8dd2cbc1e25132c72b52bfea05cdf605b61c18c24f10e85fd62fb9 |
| SSDEEP: | 3072:fgUV+UgG7cL89xoF+bhyExjSaftm34X/ifmA0XHDI5C4:YG+Y7cL89x/bUExPf437ul8I4 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...T...T...T....V..T....G..T....@..T.......T...T..)T....I..T....Q..T....W..T....R..T..Rich.T..........................PE..L.. |
File Icon |
|---|
 | |
| Icon Hash: | a8b0f8d84868687c |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x404423 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
| DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
| Time Stamp: | 0x5D7CADF0 [Sat Sep 14 09:08:00 2019 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 08b3bdf9cc3930ac93565a943e8ad0e4 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| call 00007FB26C9B1B79h |
| jmp 00007FB26C9AC82Eh |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| xor ecx, ecx |
| cmp eax, dword ptr [00426128h+ecx*8] |
| je 00007FB26C9AC9C5h |
| inc ecx |
| cmp ecx, 2Dh |
| jc 00007FB26C9AC9A3h |
| lea ecx, dword ptr [eax-13h] |
| cmp ecx, 11h |
| jnbe 00007FB26C9AC9C0h |
| push 0000000Dh |
| pop eax |
| pop ebp |
| ret |
| mov eax, dword ptr [0042612Ch+ecx*8] |
| pop ebp |
| ret |
| add eax, FFFFFF44h |
| push 0000000Eh |
| pop ecx |
| cmp ecx, eax |
| sbb eax, eax |
| and eax, ecx |
| add eax, 08h |
| pop ebp |
| ret |
| call 00007FB26C9B09B9h |
| test eax, eax |
| jne 00007FB26C9AC9B8h |
| mov eax, 00426290h |
| ret |
| add eax, 08h |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 4Ch |
| mov eax, dword ptr [004262A8h] |
| xor eax, ebp |
| mov dword ptr [ebp-04h], eax |
| push ebx |
| xor ebx, ebx |
| push esi |
| mov esi, dword ptr [ebp+08h] |
| push edi |
| mov dword ptr [ebp-2Ch], ebx |
| mov dword ptr [ebp-1Ch], ebx |
| mov dword ptr [ebp-20h], ebx |
| mov dword ptr [ebp-28h], ebx |
| mov dword ptr [ebp-24h], ebx |
| mov dword ptr [ebp-4Ch], esi |
| mov dword ptr [ebp-48h], ebx |
| cmp dword ptr [esi+14h], ebx |
| je 00007FB26C9ACCCCh |
| lea eax, dword ptr [esi+04h] |
| cmp dword ptr [eax], ebx |
| jne 00007FB26C9AC9D2h |
| push eax |
| movzx eax, word ptr [esi+30h] |
| push 00001004h |
| push eax |
| lea eax, dword ptr [ebp-4Ch] |
| push ebx |
| push eax |
| call 00007FB26C9B1D5Dh |
| add esp, 14h |
| test eax, eax |
| jne 00007FB26C9ACC7Dh |
| push 00000004h |
| call 00007FB26C9AE99Eh |
| push 00000002h |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x25f50 | 0x58 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25424 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2dd8000 | 0x5c30 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x20000 | 0x1e8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1e014 | 0x1e200 | False | 0.726424727697 | data | 7.38003707514 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x20000 | 0x5fa8 | 0x6000 | False | 0.459879557292 | data | 5.59572231923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x26000 | 0x2db17d8 | 0x1a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x2dd8000 | 0x5c30 | 0x5e00 | False | 0.376329787234 | data | 4.1399689351 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x2dd9f20 | 0x2 | data | ||
| AFX_DIALOG_LAYOUT | 0x2dd9f18 | 0x2 | data | ||
| AFX_DIALOG_LAYOUT | 0x2dd9f28 | 0x2 | data | ||
| RT_CURSOR | 0x2dd9f30 | 0x130 | data | ||
| RT_CURSOR | 0x2dda060 | 0xf0 | data | ||
| RT_CURSOR | 0x2dda150 | 0x10a8 | data | ||
| RT_CURSOR | 0x2ddb228 | 0xea8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | ||
| RT_CURSOR | 0x2ddc0d0 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | ||
| RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Iran |
| RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Afganistan |
| RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Tajikistan |
| RT_ICON | 0x2dd8550 | 0x8a8 | data | Farsi | Uzbekistan |
| RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Iran |
| RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Afganistan |
| RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Tajikistan |
| RT_ICON | 0x2dd8df8 | 0x10a8 | data | Farsi | Uzbekistan |
| RT_STRING | 0x2ddcaa8 | 0x46e | data | ||
| RT_STRING | 0x2ddcf18 | 0x4b6 | data | ||
| RT_STRING | 0x2ddd3d0 | 0x5b4 | data | ||
| RT_STRING | 0x2ddd988 | 0x2a4 | data | ||
| RT_GROUP_CURSOR | 0x2ddb1f8 | 0x30 | data | ||
| RT_GROUP_CURSOR | 0x2ddc978 | 0x22 | data | ||
| RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Iran |
| RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Afganistan |
| RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Tajikistan |
| RT_GROUP_ICON | 0x2dd9ea0 | 0x22 | data | Farsi | Uzbekistan |
| RT_VERSION | 0x2ddc9a0 | 0x104 | data | ||
| None | 0x2dd9ed8 | 0xa | data | ||
| None | 0x2dd9ee8 | 0xa | data | ||
| None | 0x2dd9ec8 | 0xa | data | ||
| None | 0x2dd9ef8 | 0xa | data | ||
| None | 0x2dd9f08 | 0xa | data |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | SetVolumeLabelA, SetDefaultCommConfigA, CreateMutexW, lstrlenA, WritePrivateProfileStructA, CopyFileExW, TlsGetValue, MoveFileExA, _llseek, GetNumberOfConsoleInputEvents, FindResourceExW, CallNamedPipeA, DeleteVolumeMountPointA, WriteTapemark, InterlockedIncrement, ReadConsoleA, CompareFileTime, WaitForSingleObject, InterlockedCompareExchange, _lclose, SetTapeParameters, GetModuleHandleW, VirtualFree, WriteFile, GlobalAlloc, Sleep, LeaveCriticalSection, GetFileAttributesW, WriteConsoleW, GetOverlappedResult, GetACP, DeactivateActCtx, GetPrivateProfileSectionNamesW, IsDBCSLeadByteEx, GetProcAddress, GetTapeStatus, BeginUpdateResourceW, CreateNamedPipeA, LocalLock, IsValidCodePage, SearchPathA, SetFileApisToOEM, GetLocalTime, LoadLibraryA, SetCalendarInfoW, IsSystemResumeAutomatic, GetProfileStringA, WriteProfileSectionW, SetNamedPipeHandleState, EnumDateFormatsA, GetThreadPriority, WaitCommEvent, LoadLibraryExA, ContinueDebugEvent, VirtualProtect, PurgeComm, ScrollConsoleScreenBufferA, OpenSemaphoreW, GetVersionExA, DeleteFileW, DebugBreak, FindActCtxSectionStringW, GetSystemTime, lstrcpyW, GetLastError, GetSystemDefaultLangID, WideCharToMultiByte, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, GetCPInfo, RtlUnwind, RaiseException, LCMapStringW, LCMapStringA, GetStringTypeW, HeapAlloc, HeapCreate, VirtualAlloc, HeapReAlloc, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, ExitProcess, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, HeapSize, GetOEMCP, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, GetModuleHandleA |
| GDI32.dll | GetBoundsRect |
Exports |
|---|
| Name | Ordinal | Address |
|---|---|---|
| _geek@8 | 1 | 0x41a2d0 |
| _gekkko@8 | 2 | 0x41a2c0 |
Version Infos |
|---|
| Description | Data |
|---|---|
| FileV | 1.0.2.26 |
| Translations | 0x0218 0x07a1 |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Farsi | Iran |  |
| Farsi | Afganistan |  |
| Farsi | Tajikistan |  |
| Farsi | Uzbekistan |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 10/07/21-16:19:35.183837 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| 10/07/21-16:19:35.183837 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 7, 2021 16:19:35.160347939 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:35.161183119 CEST | 49750 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:35.180584908 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
| Oct 7, 2021 16:19:35.180737972 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:35.181255102 CEST | 80 | 49750 | 87.106.18.141 | 192.168.2.3 |
| Oct 7, 2021 16:19:35.181380033 CEST | 49750 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:35.183836937 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:35.204199076 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
| Oct 7, 2021 16:19:35.229631901 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
| Oct 7, 2021 16:19:35.229722023 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:35.598839998 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:35.644711971 CEST | 80 | 49751 | 87.106.18.141 | 192.168.2.3 |
| Oct 7, 2021 16:19:35.645252943 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:36.514163017 CEST | 49751 | 80 | 192.168.2.3 | 87.106.18.141 |
| Oct 7, 2021 16:19:36.514230967 CEST | 49750 | 80 | 192.168.2.3 | 87.106.18.141 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 7, 2021 16:19:35.113707066 CEST | 64021 | 53 | 192.168.2.3 | 8.8.8.8 |
| Oct 7, 2021 16:19:35.146023989 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Oct 7, 2021 16:19:35.113707066 CEST | 192.168.2.3 | 8.8.8.8 | 0xbd3b | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Oct 7, 2021 16:19:35.146023989 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd3b | No error (0) | 87.106.18.141 | A (IP address) | IN (0x0001) | ||
| Oct 7, 2021 16:19:51.258573055 CEST | 8.8.8.8 | 192.168.2.3 | 0xd3f6 | No error (0) | 178.79.242.0 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
|---|
|
HTTP Packets |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49751 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Oct 7, 2021 16:19:35.183836937 CEST | 1286 | OUT | |
| Oct 7, 2021 16:19:35.229631901 CEST | 1286 | IN | |
| Oct 7, 2021 16:19:35.598839998 CEST | 1286 | OUT | |
| Oct 7, 2021 16:19:35.644711971 CEST | 1286 | IN |
Code Manipulations |
|---|
Statistics |
|---|
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 16:19:10 |
| Start date: | 07/10/2021 |
| Path: | C:\Users\user\Desktop\a3.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 179712 bytes |
| MD5 hash: | 0CC6D274CD84B593210168F51FCD38CD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 16:19:31 |
| Start date: | 07/10/2021 |
| Path: | C:\Program Files\internet explorer\iexplore.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7e4150000 |
| File size: | 823560 bytes |
| MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 16:19:32 |
| Start date: | 07/10/2021 |
| Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1140000 |
| File size: | 822536 bytes |
| MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
Disassembly |
|---|
Code Analysis |
|---|