Windows Analysis Report duLT5gkRjy.exe
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree
Malware Configuration

Threatname: | Socelars |
Extracted configuration: {"C2 url": "http://ngdatas.pw/"}
Yara Overview

| Scope | Matches | Rule | Description | Author |
|---|---|---|---|---|
| Initial Sample | 1 | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
| Memory Dumps | 5 | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
| Unpacked PEs | 4 | JoeSecurity_Socelars | Yara detected Socelars | Joe Security |
Sigma Overview

No Sigma rule has matched

Jbx Signature Overview
AV Detection

- Found malware configuration
  Source: Malware Configuration Extractor
- Multi AV Scanner detection for submitted file
  Source: Virustotal; ReversingLabs
- Multi AV Scanner detection for domain / URL
  Source: Virustotal
- Source: Static PE information
- Source: HTTPS traffic detected (2 entries)
- Source: Static PE information
Networking

- May check the online IP address of the machine
  Source: DNS query
- C2 URLs / IPs found in malware configuration
  Source: URLs

The remaining signatures are listed by evidence type only; their titles and the section headings that followed Networking are absent from this extract. Each bullet is one signature, with the number of evidence entries it carried.

- Source: ASN Name
- Source: JA3 fingerprint
- Source: IP Address (3 entries)
- Source: HTTP traffic detected (2 entries)
- Source: Network traffic detected (4 entries)
- Source: String found in binary or memory (85 entries)
- Source: DNS traffic detected
- Source: HTTP traffic detected (2 entries)
- Source: HTTPS traffic detected (2 entries)
- Source: Static PE information
- Source: Process created
- Source: Code function: 1_2_0144095E, 1_2_013665C0, 1_2_0135A460, 1_2_014428C0, 1_2_013650B0, 1_2_0135CB60, 1_2_01361B40, 1_2_013623A0, 1_2_01352380, 1_2_0135B3F0, 1_2_01357A30, 1_2_01358E60
- Source: Code function
- Source: Static PE information
- Source: Process token adjusted
- Source: Static PE information (3 entries)
- Source: Process token adjusted
- Source: Virustotal; ReversingLabs
- Source: Key opened
- Source: Process created (2 entries)
- Source: Key value queried
- Source: File created
- Source: Classification label
- Source: Binary or memory string (5 entries)
- Source: Mutant created (2 entries)
- Source: File read (4 entries)
- Source: Static PE information
- Source: Static file information
- Source: Static PE information
- Source: Static PE information (6 entries)
- Source: Static PE information
- Source: Static PE information
- Source: Static PE information (5 entries)
- Source: Static PE information (2 entries)
- Source: Registry key monitored for changes
- Source: Process information set (21 entries)
- Source: Binary or memory string (17 entries)
- Source: Code function: 1_2_0143B8A6
- Source: Process token adjusted
- Source: Code function: 1_2_014524F8, 1_2_014483D7
- Source: Process queried (2 entries)
- Source: Code function: 1_2_0143B8A6, 1_2_01434F72
- Source: Binary or memory string (4 entries)
- Source: Code function: 1_2_01436304
- Source: Code function: 1_2_014529E0
- Source: Binary or memory string
Stealing of Sensitive Information

- Yara detected Socelars
  Source: File source (10 entries)
Mitre Att&ck Matrix

A trailing digit on a technique name in the table below is the superscript signature count the report attaches to techniques this sample triggered (for example Query Registry1 = one matching signature); cells without a count are the unused matrix template.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | LSASS Driver1 | Process Injection2 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | System Time Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | LSASS Driver1 | Process Injection2 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Security Software Discovery31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Virtualization/Sandbox Evasion1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol113 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Process Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Network Configuration Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph

Screenshots
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Detection | Scanner | Label |
|---|---|---|
| 62% | Virustotal | |
| 59% | ReversingLabs | Win32.Adware.ExtInstaller |

The vendor label (a generic adware installer) differs from the family attribution in the Yara and configuration-extractor results above (Socelars); the extracted C2 configuration is the more specific signal.

Dropped Files: No Antivirus matches

Unpacked PE Files: No Antivirus matches

Domains

| Detection | Scanner | Label |
|---|---|---|
| 10% | Virustotal | |

URLs

| Detection | Scanner | Label |
|---|---|---|
| 0% | URL Reputation | safe |
| 0% | URL Reputation | safe |
| 0% | Virustotal | |
| 0% | Avira URL Cloud | safe |
| 0% | URL Reputation | safe |
| 0% | Avira URL Cloud | safe |
| 0% | URL Reputation | safe |
| 0% | URL Reputation | safe |
Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| iplogger.org | 5.9.162.45 | true | false | | high |
| www.listincode.com | 149.28.253.196 | true | true | | unknown |

Contacted URLs (3 URLs; names absent from this extract)

| Malicious | Antivirus Detection | Reputation |
|---|---|---|
| false | | high |
| true | | unknown |
| true | | unknown |

URLs from Memory and Binaries (80 URLs; names absent from this extract, summarized by verdict)

| Malicious | Reputation | Count |
|---|---|---|
| false | high | 75 |
| false | unknown | 4 |
| true | unknown | 1 |
Contacted IPs

Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 149.28.253.196 | www.listincode.com | United States | 20473 | AS-CHOOPAUS | true |
| 5.9.162.45 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false |
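The indicators above, turned into a log sweep. This is an added example and not part of the Joe Sandbox report: the IOC list is taken from the report (the configuration C2 host ngdatas.pw, the two contacted domains and their IPs), the BIND query-log and Squid access-log lines are constructed, and the severity weights are an assumption derived from the report's Malicious and Reputation columns. iplogger.org and 5.9.162.45 are reported as not malicious with high reputation (the "May check the online IP address of the machine" signature), so on their own they only raise a low-severity hit; a host that also touches the C2 host or www.listincode.com is escalated.

```python
"""Sweep DNS and proxy logs for the network indicators in this report.

Added example; not part of the Joe Sandbox report. IOCS comes from the report,
the log lines are constructed, and the severity weights are an assumption.
"""
import re
from urllib.parse import urlsplit

# indicator -> (what the report says about it, severity assumed from its verdict)
IOCS = {
    "ngdatas.pw": ("C2 host from the extracted Socelars configuration", "high"),
    "www.listincode.com": ("contacted domain, flagged malicious", "high"),
    "149.28.253.196": ("contacted IP, AS20473 AS-CHOOPAUS, flagged malicious", "high"),
    "iplogger.org": ("contacted domain, not flagged malicious, reputation high", "low"),
    "5.9.162.45": ("contacted IP, AS24940 HETZNER-ASDE, not flagged malicious", "low"),
}
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# BIND querylog and Squid native access.log formats (real formats; the lines below are made up)
BIND_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<src>[\d.]+)#\d+ "
                     r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")
SQUID_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+"
                      r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)")


def match_indicator(value: str):
    """IOC key matching a host or IP exactly, or any subdomain of an IOC domain."""
    value = value.lower().rstrip(".")
    if value in IOCS:
        return value
    if IP_RE.match(value):
        return None
    return next((ioc for ioc in IOCS if not IP_RE.match(ioc) and value.endswith("." + ioc)), None)


def scan_dns(lines):
    """Hits from DNS query logs: the qname is matched, so a lookup alone is enough."""
    hits = []
    for line in lines:
        m = BIND_RE.match(line)
        ioc = m and match_indicator(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "src": m["src"], "ioc": ioc,
                         "evidence": f"DNS {m['qtype']} query for {m['qname']}"})
    return hits


def scan_proxy(lines):
    """Hits from proxy logs: match the request host (also for CONNECT host:port) and the upstream IP."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        url = m["url"]
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        upstream = m["hier"].split("/", 1)[-1]
        for candidate, evidence in ((host, f"{m['method']} {url}"),
                                    (upstream, f"upstream {upstream} for {url}")):
            ioc = match_indicator(candidate or "")
            if ioc:
                hits.append({"ts": m["ts"], "src": m["src"], "ioc": ioc, "evidence": evidence})
                break  # one hit per log line
    return hits


def summarize(hits):
    """Per source host: the indicators seen and the highest severity among them."""
    out = {}
    for h in hits:
        entry = out.setdefault(h["src"], {"severity": "low", "iocs": set()})
        entry["iocs"].add(h["ioc"])
        if IOCS[h["ioc"]][1] == "high":
            entry["severity"] = "high"
    return out


# Constructed sample logs: one infected host (10.0.0.5), one clean (10.0.0.7), two partial matches.
DNS_LOG = """\
25-Nov-2021 18:22:58.101 client @0x7f3a1c005e40 10.0.0.5#51234 (iplogger.org): query: iplogger.org IN A + (10.0.0.1)
25-Nov-2021 18:23:01.417 client @0x7f3a1c005e40 10.0.0.5#51240 (www.listincode.com): query: www.listincode.com IN A + (10.0.0.1)
25-Nov-2021 18:23:02.002 client @0x7f3a1c005e40 10.0.0.5#51241 (ngdatas.pw): query: ngdatas.pw IN A + (10.0.0.1)
25-Nov-2021 18:23:09.330 client @0x7f3a1c005e40 10.0.0.7#40211 (www.microsoft.com): query: www.microsoft.com IN A + (10.0.0.1)
25-Nov-2021 18:23:12.555 client @0x7f3a1c005e40 10.0.0.9#40300 (iplogger.org): query: iplogger.org IN A + (10.0.0.1)
"""
PROXY_LOG = """\
1637864582.334    120 10.0.0.5 TCP_MISS/200 512 GET http://www.listincode.com/ - HIER_DIRECT/149.28.253.196 text/html
1637864583.991     88 10.0.0.5 TCP_TUNNEL/200 3100 CONNECT iplogger.org:443 - HIER_DIRECT/5.9.162.45 -
1637864590.120     45 10.0.0.7 TCP_MISS/200 9000 GET http://www.microsoft.com/ - HIER_DIRECT/23.0.0.1 text/html
1637864591.777     12 10.0.0.8 TCP_MISS/503 0 GET http://cdn.ngdatas.pw/x - HIER_NONE/- -
"""

if __name__ == "__main__":
    hits = scan_dns(DNS_LOG.splitlines()) + scan_proxy(PROXY_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['src']:<10} {IOCS[h['ioc']][1]:<4} {h['ioc']:<20} {h['evidence']}")
    for src, entry in summarize(hits).items():
        print(f"{src}: {entry['severity']} ({', '.join(sorted(entry['iocs']))})")
```

Subdomain matching is deliberate: the report's C2 URL names the bare host ngdatas.pw, and a DNS log will often show only a lookup, not the request, so a lookup of any name under an IOC domain counts. Matching the upstream IP as well catches hosts that reach 149.28.253.196 without going through the www.listincode.com name.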
General Information

Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 528744 |
Start date: | 25.11.2021 |
Start time: | 18:22:22 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | duLT5gkRjy.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal80.troj.winEXE@2/6@2/2 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | Failed |
Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 18:23:31 | API Interceptor | |
Joe Sandbox View / Context

Other Joe Sandbox submissions that share an indicator with this sample. Every listed match was classified malicious; the associated sample names and SHA-256 values are absent from this extract, so only the counts remain.

| Indicator type | Match | Related malicious samples |
|---|---|---|
| IP | 149.28.253.196 | 20 |
| IP | 5.9.162.45 | 12 |
| Domain | iplogger.org | 20 |
| Domain | www.listincode.com | 20 |
| ASN | AS-CHOOPAUS | 20 |
| ASN | HETZNER-ASDE | 20 |
| JA3 fingerprint | 37f463bf4616ecd445d4a1937da06e19 | 20 |

The ASN and JA3 rows are weak pivots on their own: both ASNs belong to large hosting providers, and a JA3 hash identifies the TLS client stack, which malware using the Windows HTTP APIs shares with legitimate software on the same OS. The IP and domain rows are the ones worth hunting on.

Dropped Files: No context
Created / dropped Files

All six files below were written by C:\Windows\SysWOW64\WerFault.exe, the 32-bit Windows Error Reporting handler, so they are crash-report artefacts of a faulting 32-bit process during the run rather than files the sample wrote itself; the first one is nonetheless flagged Malicious. File names, file types and content previews are absent from this extract.

Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0267413680848108 |
Encrypted: | false |
SSDEEP: | 192:c/IiK8oB+HBUZMXAjmH6v8/u7sZS274Itp1:cgiUB2BUZMXAj18/u7sZX4Itp |
MD5: | 9791D257D822DD8019C1C1BEFBFE0783 |
SHA1: | 583B3EE02BC9562DC54A72DD591E673E24A8B66A |
SHA-256: | 37F9FE2C1EFBFD972E7CED4ACAFB817ED25F9BA27190691205311A3973372C9B |
SHA-512: | EDEB1E8982642E2DF92E8A8B9E93939012569DD76140009D53480B979840FD67F798CBE9B93D468A64013AD6C5E2A3B26FADB91C65AA9808B7D9F2599FA73A8F |
Malicious: | true |
Reputation: | low |

Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 131814 |
Entropy (8bit): | 1.9804120841231585 |
Encrypted: | false |
SSDEEP: | 384:WiL1p0Q6GlRScvwmIEGVQMW/wraE7twJuQeToI1UJTqeDKOKF:L6GWcvw9EGVQUraEGssIdyKOC |
MD5: | CD7BD168A73892B70C6E43607A74B806 |
SHA1: | 9FD336BDCAAE2D099311BA3E1180A6F3CFC27BC1 |
SHA-256: | D3D80F7D4301E3CB2BA187FA536EFE2AC1AE85F0CA2108F4FEA24B4C1F51E771 |
SHA-512: | 11636149461575803FB1620EC75E2DBFFA976A528F5CC75217A386B9B78CA67AE2348274846CC191A19823E3CD5FBEBB35ACB901E3377E4581C6AD9A85A001D1 |
Malicious: | false |
Reputation: | low |

Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8296 |
Entropy (8bit): | 3.7008050316408068 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiDd6GKC6YgDSUdoJgmffSVCprB89b/Asf+1m:RrlsNi56G/6YUSUdoJgmffSD/Tft |
MD5: | DE019634757A2E498589659AABE2FA25 |
SHA1: | C9FEF1E6A406C902924989176DE108134D3BC0F9 |
SHA-256: | 8DBAD734D69208DDC814C03F34B460BA87FAE5456C55A61FE221B38E2F9AE649 |
SHA-512: | 2813EB0BB2DE93A09654AA10DE0A7BAD1147E14E3CEAF7CDAE5CCDA59B1AF572425E721A3779F5775E4F41B946E33A6FE116E8E22EC45DE96A9CD48F70E40B47 |
Malicious: | false |
Reputation: | low |

Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4563 |
Entropy (8bit): | 4.475311563035437 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsUJgtWI9+AWSC8B08fm8M4JnCfBifsFy7+q8OxuDOl+mtdF0q03d:uITfSt5SNnJnC8NXQjmtdF0q03d |
MD5: | 1AB2EC2741530EB35DE688CF7BB89B06 |
SHA1: | 067F6C95C9B2F97CFCC061D40B70DDE4D4C24564 |
SHA-256: | FD2F2AA348EDA2BC9759C175309B360CA294EFA0E1787D0F589846CB53214793 |
SHA-512: | FF0F60EB939DE7A449388D90BFDA99ADC36EB6ACC1B16B233880009016FF53962C47B3EE10CB63C0C58CECBB6AC417140FE0467040D4F27C6719CF3828BBB8B7 |
Malicious: | false |
Reputation: | low |

Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.277985648101297 |
Encrypted: | false |
SSDEEP: | 12288:d5ujz4qQswYDf9MTryEn6zDoTd00Fg6cYKuvrlRIw4oYqFvKEf:Pmz4qQswYDf9MTTWC0o |
MD5: | 6E2BD6B0FBF1D4BA46D0FC6C25511830 |
SHA1: | 4194EA0B60BD71B986E5DA6D7CEF76CA3093B0C9 |
SHA-256: | 5DF90C277F31BB2E17449C2803535D49FB975B0272839C8FE771623FA04A3644 |
SHA-512: | B71C200247774063831205B55999CF2A3066D09D6B5DC5869E91B011F4715B21B838FDDB64223EDF36168CFB5ED4BB11F0BA5C00AD06948B2F10407B93E44078 |
Malicious: | false |
Reputation: | low |

Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 24576 |
Entropy (8bit): | 4.07512415013091 |
Encrypted: | false |
SSDEEP: | 384:JVSKQpIFg53EDxxkeRu3xxvYdnq9SaPDSpafYzI+yD+hBzpfIVjQOU6XadYV7i+t:JEKe3Gxkau3xdYduSaPupafYzTyDefIX |
MD5: | A3C48A0B657AB5E9A93804801E47146B |
SHA1: | 8BCE5C32FEB8733974C2027DF0FAEB88A05E15A9 |
SHA-256: | 1FB6140D42DB3FE71530F5DFEB7E5B429F56293008EA1AC5158235207267C568 |
SHA-512: | 2B76B6C020F6605A913D566E7B4CDCDAE55CC443778D01CB7F1AB17431E8FD3DE55AF3599E17BFCBFAB4D12A9BC7A491466B4A85409E1BB4874585932151077E |
Malicious: | false |
Reputation: | low |
Static File Info

General

Entropy (8bit): | 6.685246086092563 |
File name: | duLT5gkRjy.exe |
File size: | 1552896 |
MD5: | d42456f7afc812628a9ff67d8c9340eb |
SHA1: | 30f49d0f3d46cc9ccf8733247a0709555ad2099f |
SHA256: | a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac |
SHA512: | 02de7cd71c5155ac5d08f7e432f5f3a138a6800d74479c4696cf877bbcf8fc99bbbf972a50991ca978b5416b89d76b6ab652a9d7315bc61b1baf23aacfdbd755 |
SSDEEP: | 24576:+CjpXA4U35ozW03XRp/hESVE5uU2xbVN6pZVnoYLRZgUQs8n:rpTJxPNlcPVnoYLRZvz8n |
File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........@...............-.......+.w.....+.......*.......-.......&.......*.......(......./......./.7.....*.......+.................... |

File Icon

Icon Hash: | c8d8d8b6f0f83c58 |
Static PE Info

General

Entrypoint: | 0x4e5eb3 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x619F64CF [Thu Nov 25 10:26:23 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | d69e4c13e25f0ad622344ac56118c0df |
Entrypoint Preview

Instructions at the entry point (0x4e5eb3):

call 00007F0638C4FC0Eh
jmp 00007F0638C4F5E9h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00528BCCh
mov dword ptr [ecx], 0051A510h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0638C4F74Fh
push 00543C5Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0638C515F3h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0638BFF695h
push 0053FF54h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0638C515D6h
int3
int3
push 004E9EA0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00546944h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [0054C488h], 00000000h
sub esp, 24h
or dword ptr [00546960h], 01h
push 0000000Ah
call dword ptr [0051A1D4h]
test eax, eax
je 00007F0638C4F91Fh
Data Directories

Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1445f4 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14f000 | 0x2c550 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17c000 | 0x8098 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13d910 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x13da40 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13d948 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11a000 | 0x30c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1122a1 | 0x112400 | False | 0.505059964676 | data | 6.55728577412 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.ogtrfyj | 0x114000 | 0x580a | 0x5a00 | False | 0.466579861111 | data | 5.981573238 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x11a000 | 0x2b7b2 | 0x2b800 | False | 0.447607983118 | data | 5.81232244285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x146000 | 0x77a4 | 0x2e00 | False | 0.252802309783 | data | 3.89020136245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ogtrfyj | 0x14e000 | 0x50 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x14f000 | 0x2c550 | 0x2c600 | False | 0.68740096831 | data | 6.50827273455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x17c000 | 0x8098 | 0x8200 | False | 0.705498798077 | data | 6.64096530369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
ZIP | 0x16f100 | 0xc2ce | Zip archive data, at least v1.0 to extract | Chinese | China |
RT_ICON | 0x14f360 | 0x668 | data | Chinese | China |
RT_ICON | 0x14f9c8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2541320505, next used block 1153431 | Chinese | China |
RT_ICON | 0x14fcb0 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China |
RT_ICON | 0x14fdd8 | 0xea8 | data | Chinese | China |
RT_ICON | 0x150c80 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15757402, next used block 15166820 | Chinese | China |
RT_ICON | 0x151528 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China |
RT_ICON | 0x151a90 | 0x9160 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China |
RT_ICON | 0x15abf0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | Chinese | China |
RT_ICON | 0x16b418 | 0x25a8 | data | Chinese | China |
RT_ICON | 0x16d9c0 | 0x10a8 | data | Chinese | China |
RT_ICON | 0x16ea68 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China |
RT_GROUP_ICON | 0x16eed0 | 0xa0 | data | Chinese | China |
RT_VERSION | 0x16ef70 | 0x18c | PGP symmetric key encrypted data - Plaintext or unencrypted data | Chinese | China |
RT_MANIFEST | 0x17b3d0 | 0x17d | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetComputerNameW, GetModuleFileNameA, GetCurrentProcessId, OpenProcess, GetModuleFileNameW, SetLastError, WaitForSingleObject, CreateEventW, FreeLibrary, WinExec, GetPrivateProfileStringW, CopyFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, LocalFree, LocalAlloc, LoadResource, FindResourceW, SizeofResource, LockResource, GetTickCount, GetCurrentThread, Sleep, GetProcessHeap, HeapAlloc, GetLastError, GetTempPathA, SetCurrentDirectoryW, GetShortPathNameA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, SystemTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcess, DuplicateHandle, CloseHandle, WriteFile, SetFileTime, SetFilePointer, ReadFile, GetFileType, CreateFileW, CreateDirectoryW, TerminateProcess, GetCurrentDirectoryW, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFileSizeEx, GetConsoleOutputCP, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, RaiseException, GetStringTypeW, WriteConsoleW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FlushFileBuffers, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA |
ADVAPI32.dll | LookupPrivilegeValueW, AdjustTokenPrivileges, LookupAccountNameW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, DuplicateToken, AllocateAndInitializeSid, AddAccessAllowedAce, AccessCheck, OpenThreadToken, OpenProcessToken |
SHELL32.dll | ShellExecuteExA |
ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize |
WININET.dll | InternetGetCookieExA |
NETAPI32.dll | Netbios |
ntdll.dll | RtlInitUnicodeString, NtFreeVirtualMemory, LdrEnumerateLoadedModules, RtlEqualUnicodeString, RtlAcquirePebLock, NtAllocateVirtualMemory, RtlReleasePebLock, RtlNtStatusToDosError, RtlCreateHeap, RtlDestroyHeap, RtlAllocateHeap, RtlFreeHeap, NtClose, NtOpenKey, NtEnumerateValueKey, NtQueryValueKey |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright (C) 2019 |
FileVersion | 1.0.0.1 |
ProductVersion | 1.0.0.1 |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 25, 2021 18:23:23.236825943 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:23.236877918 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:23.236985922 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:23.254667044 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:23.254709005 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:23.678935051 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:23.679128885 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:24.118453979 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:24.118484974 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:24.119082928 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:24.119179010 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:24.123270035 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:24.164880037 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:24.261063099 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:24.261141062 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:24.261146069 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:24.261193991 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:24.261558056 CET | 49736 | 443 | 192.168.2.7 | 149.28.253.196 |
Nov 25, 2021 18:23:24.261589050 CET | 443 | 49736 | 149.28.253.196 | 192.168.2.7 |
Nov 25, 2021 18:23:24.391877890 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.391947985 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
Nov 25, 2021 18:23:24.392024994 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.393194914 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.393209934 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
Nov 25, 2021 18:23:24.478566885 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
Nov 25, 2021 18:23:24.478698015 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.486087084 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.486105919 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
Nov 25, 2021 18:23:24.486495018 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
Nov 25, 2021 18:23:24.486587048 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.514153957 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.546324968 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
Nov 25, 2021 18:23:24.546471119 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.546494961 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
Nov 25, 2021 18:23:24.546592951 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.564376116 CET | 49737 | 443 | 192.168.2.7 | 5.9.162.45 |
Nov 25, 2021 18:23:24.564426899 CET | 443 | 49737 | 5.9.162.45 | 192.168.2.7 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 25, 2021 18:23:23.197443008 CET | 55411 | 53 | 192.168.2.7 | 8.8.8.8 |
Nov 25, 2021 18:23:23.218777895 CET | 53 | 55411 | 8.8.8.8 | 192.168.2.7 |
Nov 25, 2021 18:23:24.350204945 CET | 63668 | 53 | 192.168.2.7 | 8.8.8.8 |
Nov 25, 2021 18:23:24.388041973 CET | 53 | 63668 | 8.8.8.8 | 192.168.2.7 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 25, 2021 18:23:23.197443008 CET | 192.168.2.7 | 8.8.8.8 | 0x1b0c | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 25, 2021 18:23:24.350204945 CET | 192.168.2.7 | 8.8.8.8 | 0x2312 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 25, 2021 18:23:23.218777895 CET | 8.8.8.8 | 192.168.2.7 | 0x1b0c | No error (0) | 149.28.253.196 | A (IP address) | IN (0x0001) | ||
Nov 25, 2021 18:23:24.388041973 CET | 8.8.8.8 | 192.168.2.7 | 0x2312 | No error (0) | 5.9.162.45 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTPS Proxied Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.7 | 49736 | 149.28.253.196 | 443 | C:\Users\user\Desktop\duLT5gkRjy.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-25 17:23:24 UTC | 0 | OUT | |
2021-11-25 17:23:24 UTC | 0 | IN | |
2021-11-25 17:23:24 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.7 | 49737 | 5.9.162.45 | 443 | C:\Users\user\Desktop\duLT5gkRjy.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2021-11-25 17:23:24 UTC | 0 | OUT | |
2021-11-25 17:23:24 UTC | 0 | IN | |
2021-11-25 17:23:24 UTC | 1 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:23:21 |
Start date: | 25/11/2021 |
Path: | C:\Users\user\Desktop\duLT5gkRjy.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1350000 |
File size: | 1552896 bytes |
MD5 hash: | D42456F7AFC812628A9FF67D8C9340EB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 18:23:26 |
Start date: | 25/11/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xad0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | Uniqueness Score |
---|---|---|---|---|---|---|
013E9440 | 1.6 | 1 | | 57 | COMMON | -1.00% |
01437D6F | 1.5 | 1 | | 43 | COMMON | -1.00% |
0144D77C | 1.5 | 1 | | 39 | memory, COMMON | -1.00% |
0144D4AD | 1.5 | 1 | | 32 | memory, COMMON | -1.00% |
014166B0 | 1.5 | 1 | | 18 | COMMON | -1.00% |
0143BBB8 | 1.5 | 1 | | 11 | COMMON | -1.00% |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | Uniqueness Score |
---|---|---|---|---|---|---|
01361B40 | 8.0 | | 6 | 491 | COMMON | -1.00% |
014529E0 | 7.8 | 5 | | 330 | time, COMMON | -1.00% |
0143B8A6 | 4.6 | 3 | | 77 | COMMON | -1.00% |
014483D7 | 4.5 | 3 | | 20 | COMMON | -1.00% |
014428C0 | 3.4 | 2 | | 450 | COMMON | -1.00% |
013665C0 | 2.0 | 1 | | 512 | COMMON | -1.00% |
0135A460 | 1.5 | | 1 | 247 | COMMON | -1.00% |
01357A30 | .4 | | | 432 | COMMON | -1.00% |
01352380 | .3 | | | 323 | COMMON | -1.00% |
013650B0 | .3 | | | 265 | COMMON | -1.00% |
0135B3F0 | .2 | | | 176 | COMMON | -1.00% |
0135CB60 | .2 | | | 167 | COMMON | -1.00% |
0144095E | .2 | | | 159 | COMMON | -1.00% |
01358E60 | .1 | | | 85 | COMMON | -1.00% |
014524F8 | .0 | | | 22 | COMMON | -1.00% |
01454F12 | 19.6 | 13 | | 88 | COMMON | -1.00% |
01455D69 | 18.1 | 12 | | 113 | COMMON | -1.00% |
014558F1 | 10.6 | 7 | | 65 | COMMON | -1.00% |
01447D08 | 9.3 | 6 | | 270 | COMMON | -1.00% |
0140FB90 | 9.2 | 6 | | 244 | COMMON | -1.00% |
01448419 | 8.8 | 3 | 2 | 30 | libraryloader, COMMON | -1.00% |
014553C6 | 7.5 | 5 | | 40 | COMMON | -1.00% |
013593B0 | 6.1 | 4 | | 117 | COMMON | -1.00% |
0144D201 | 6.1 | 4 | | 72 | COMMON | -1.00% |
0144D358 | 6.1 | 4 | | 69 | COMMON | -1.00% |
0143582B | 6.0 | 4 | | 25 | COMMON | -1.00% |
The Memory Dump Source, Yara matches and Similarity fields are empty for every function above; a further 8 non-executed entries had no function header extracted and show only their APIs/Strings sub-sections and a Uniqueness Score of -1.00%.