Windows
Analysis Report
pago del 20.01.2022.PDF______________________________________.exe
Overview
General Information
Detection
AgentTesla GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- pago del 20.01.2022.PDF______________________________________.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: 4A3D98A8485779447C637CAF1CCAD892)
- CasPol.exe (PID: 760 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
- CasPol.exe (PID: 4000 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
- CasPol.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
- CasPol.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
- CasPol.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
- CasPol.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
- CasPol.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
- conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
{"Payload URL": "https://drive.google.com/uc?export=downl"}
{"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | |
| | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
No Sigma rule has matched
AV Detection
- Malware Configuration Extractor: 2 entries
- Virustotal: Perma Link
- Metadefender: Perma Link
- ReversingLabs: 1 entry
- Static PE information: 1 entry
- HTTPS traffic detected: 2 entries
Networking
- URLs: 1 entry
- JA3 fingerprint: 1 entry
- HTTP traffic detected: 2 entries
- Network traffic detected: 4 entries
- String found in binary or memory: 24 entries
- DNS traffic detected: 1 entry
- HTTP traffic detected: 2 entries
- HTTPS traffic detected: 2 entries
System Summary
- Matched rule: 2 entries
- Static PE information: 2 entries
- Matched rule: 2 entries
- Code function: 6 entries
- Binary or memory string: 2 entries
- Static PE information: 3 entries
- Static PE information: 1 entry
- Virustotal, Metadefender, ReversingLabs: 1 entry each
- Static PE information: 1 entry
- Key opened: 1 entry
- Section loaded: 1 entry
- Process created: 16 entries
- Key value queried: 1 entry
- WMI Queries: 1 entry
- File created: 1 entry
- Classification label: 1 entry
- Section loaded: 1 entry
- Mutant created: 1 entry
- File read: 3 entries
- Window detected: 1 entry
Data Obfuscation
- File source: 1 entry
- Code function: 14 entries
Hooking and other Techniques for Hiding and Protection
- Process created: 15 entries
- Process information set: 55 entries
Malware Analysis System Evasion
- File opened: 4 entries
- Binary or memory string: 3 entries
- WMI Queries: 1 entry
- WMI Queries: 1 entry
- Thread sleep time: 1 entry
- Last function: 1 entry
- Thread delayed: 1 entry
- Window / User API: 2 entries
- WMI Queries: 1 entry
- Process information queried: 1 entry
- Thread delayed: 1 entry
- System information queried: 1 entry
- Binary or memory string: 16 entries
Anti Debugging
- Thread information set: 2 entries
- Process token adjusted: 1 entry
- Memory allocated: 1 entry
HIPS / PFW / Operating System Protection Evasion
- Memory written: 1 entry
- Process created: 7 entries
- Binary or memory string: 4 entries
- Queries volume information: 9 entries
- Key value queried: 1 entry
Stealing of Sensitive Information
- File source: 2 entries
- File source: 2 entries
Remote Access Functionality
- File source: 2 entries
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 112 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 411 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 331 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 112 Process Injection | Security Account Manager | 331 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 113 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 18% | Virustotal | | Browse |
| | 24% | Metadefender | | Browse |
| | 64% | ReversingLabs | Win32.Trojan.AgentTesla | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Virustotal | | Browse |
| | 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 216.58.205.78 | true | false | high | |
googlehosted.l.googleusercontent.com | 216.58.198.33 | true | false | high | |
doc-00-6k-docs.googleusercontent.com | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | low |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
216.58.198.33 | googlehosted.l.googleusercontent.com | United States | | 15169 | GOOGLEUS | false |
216.58.205.78 | drive.google.com | United States | | 15169 | GOOGLEUS | false |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 558278 |
Start date: | 23.01.2022 |
Start time: | 09:58:17 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 17s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | pago del 20.01.2022.PDF______________________________________.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 30 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@16/1@2/2 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 23.211.4.86
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
10:00:05 | API Interceptor | |
Process: | C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 49152 |
Entropy (8bit): | 5.035543586378022 |
Encrypted: | false |
SSDEEP: | 768:F5mdjxOWaG/KFWSBiGVzG8e83MRJUg/3ZRIIIIIIIIIIIIII:FEtxOtDtBb9+Jp/3ZRIIIIIIIIIIIIII |
MD5: | 84512088E95A81B41D2FF68D0AE6DDE4 |
SHA1: | 5F6EAABC8823AF8FFF10F5C27D17EA599FE5B6CE |
SHA-256: | 942B25782584C3F0C2FB08B4F3461248EAC7A7709673609B2083A86DD561D8E7 |
SHA-512: | ED06A5CC161B7D8F9502AB3B74842B104126532F7829B10076301DC54D5D8E6E82B32D4E452B6140B1CCA7AA4256E888BE6D630EADC9F5273EE5A4D552D48777 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.820365390015966 |
TrID: | |
File name: | pago del 20.01.2022.PDF______________________________________.exe |
File size: | 218216 |
MD5: | 4a3d98a8485779447c637caf1ccad892 |
SHA1: | 972e617044f41500d54c0a9bc9304094fac5f1b4 |
SHA256: | ab9d325dda36e6f2f7f74aa65c067a67d24b6247271b27d997520593b7105d7d |
SHA512: | 40de4659a252626352a0fe42ce4bf25b3914bc660a4e5c38ba821665721a00f8a222512914a86e39a24621b568b1fbd340d1f0b63f731889daf22a875602aa20 |
SSDEEP: | 3072:RIg+JpfZRIIIIIIIIIIIIIIFypPUZoSP4uj3dZRIIIIIIIIIIIIIIy+JpfIl:ugMhJCSP4iT0MQl |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M...#...#...#.&.-...#...*...#.......#.Rich..#.........PE..L......a.................`...................p....@................ |
Icon Hash: | 001000b2b230d0f0 |
Entrypoint: | 0x401510 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x61EB05A4 [Fri Jan 21 19:12:36 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 076daaa528b1117cda2045bea4524014 |
Signature Valid: | false |
Signature Issuer: | E=BATTERER@unhoping.PAA, CN=Weenong7, OU=misplays, O=Informationsmedarbejder5, L=BAL, S=VIRKNINGSLSE, C=SJ |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 1467D1C1E6DD4034DFDBE58A23B8FC35 |
Thumbprint SHA-1: | 1AC6D9779E9942A75B1E60A4BD5D45A71DBDED15 |
Thumbprint SHA-256: | 3FD5B59E60075347EA5F82B01C8C65BE10162134A329C5C71EDB89DC602A7D9C |
Serial: | 00 |
Instruction |
---|
push 0040CEB8h |
call 00007F4F48A215A3h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add ch, bl |
std |
inc ecx |
add al, FFFFFFE9h |
call 00007F4F815CCF00h |
sbb bh, ah |
push ss |
call far 0000h : 000000D7h |
add byte ptr [ecx], al |
add byte ptr [eax], al |
add byte ptr [edx+00h], al |
push es |
push eax |
add dword ptr [ecx], 50h |
jc 00007F4F48A21617h |
insb |
jne 00007F4F48A21620h |
arpl word ptr [eax+36h], bp |
add byte ptr [eax], al |
add byte ptr [ebx+ebp+000002FCh], bl |
add byte ptr [eax], al |
dec esp |
xor dword ptr [eax], eax |
sbb al, DBh |
push edx |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25cb4 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29000 | 0xb638 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x34000 | 0x1468 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x198 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x252d4 | 0x26000 | False | 0.491217362253 | data | 6.04657240247 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x27000 | 0x178c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x29000 | 0xb638 | 0xc000 | False | 0.451110839844 | data | 5.04272884383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x33351 | 0x12e7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x32ce9 | 0x668 | data | ||
RT_ICON | 0x32a01 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x328d9 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x30c25 | 0x1cb4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x2fd7d | 0xea8 | data | ||
RT_ICON | 0x2f4d5 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x2ef6d | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x2d0ce | 0x1e9f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x2ab26 | 0x25a8 | data | ||
RT_ICON | 0x29a7e | 0x10a8 | data | ||
RT_ICON | 0x29616 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x29568 | 0xae | data | ||
RT_VERSION | 0x29300 | 0x268 | MS Windows COFF Motorola 68000 object file | Chinese | Taiwan |
DLL | Import |
---|---|
MSVBVM60.DLL | __vbaVarTstGt, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaStrI4, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, __vbaStrErrVarCopy, _adj_fprem1, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaStrR8, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
LegalCopyright | Catapult Fas |
InternalName | DYPPEDES |
FileVersion | 1.00 |
CompanyName | Catapult Fas |
ProductName | Catapult Fas |
ProductVersion | 1.00 |
OriginalFilename | DYPPEDES.exe |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 23, 2022 09:59:53.824846983 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:53.824908018 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:53.824995041 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:53.857383966 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:53.857436895 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:53.927762985 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:53.927876949 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:53.929217100 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:53.929311037 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.294559956 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.294617891 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:54.295152903 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:54.295238018 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.297903061 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.341873884 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:54.723521948 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:54.723632097 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.723675966 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:54.723715067 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:54.723761082 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.723784924 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.732975960 CET | 49746 | 443 | 192.168.2.3 | 216.58.205.78 |
Jan 23, 2022 09:59:54.733021021 CET | 443 | 49746 | 216.58.205.78 | 192.168.2.3 |
Jan 23, 2022 09:59:54.793998003 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:54.794054985 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:54.794147968 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:54.794636965 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:54.794666052 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:54.868819952 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:54.868921041 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:54.869729042 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:54.869818926 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:54.965996027 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:54.966034889 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:54.966553926 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:54.966857910 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:54.967690945 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.009879112 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.338079929 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.338176966 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.340176105 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.340253115 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.341516972 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.341629982 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.344453096 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.344521999 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.344540119 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.344707012 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.348711014 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.348788977 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.355279922 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.355530024 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.360398054 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.360697985 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.360714912 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.360773087 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.360898018 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.360951900 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.360965967 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.361035109 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.362353086 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.362462044 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.362474918 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.362591028 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.363816977 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.363945007 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.363957882 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.364097118 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.365291119 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.365358114 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.365371943 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.365427017 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.366784096 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.366841078 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.366852999 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.367032051 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.368228912 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.368449926 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.368463993 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.368763924 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.369733095 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.370676041 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.370687962 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.370783091 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.371222019 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.371284962 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.371296883 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.372416019 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.372648001 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.372715950 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.372728109 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.372879028 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.374130964 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.374193907 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.374207973 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.374293089 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.375741959 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.376666069 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Jan 23, 2022 09:59:55.376677990 CET | 443 | 49748 | 216.58.198.33 | 192.168.2.3 |
Jan 23, 2022 09:59:55.376733065 CET | 49748 | 443 | 192.168.2.3 | 216.58.198.33 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 23, 2022 09:59:53.782345057 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 23, 2022 09:59:53.807755947 CET | 53 | 54154 | 8.8.8.8 | 192.168.2.3 |
Jan 23, 2022 09:59:54.764600039 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 23, 2022 09:59:54.791976929 CET | 53 | 53910 | 8.8.8.8 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 23, 2022 09:59:53.782345057 CET | 192.168.2.3 | 8.8.8.8 | 0xd97e | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 23, 2022 09:59:54.764600039 CET | 192.168.2.3 | 8.8.8.8 | 0xc6c3 | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 23, 2022 09:59:53.807755947 CET | 8.8.8.8 | 192.168.2.3 | 0xd97e | No error (0) | | | 216.58.205.78 | A (IP address) | IN (0x0001) |
Jan 23, 2022 09:59:54.791976929 CET | 8.8.8.8 | 192.168.2.3 | 0xc6c3 | No error (0) | | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) |
Jan 23, 2022 09:59:54.791976929 CET | 8.8.8.8 | 192.168.2.3 | 0xc6c3 | No error (0) | | | 216.58.198.33 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49746 | 216.58.205.78 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-01-23 08:59:54 UTC | 0 | OUT | |
2022-01-23 08:59:54 UTC | 0 | IN | |
2022-01-23 08:59:54 UTC | 1 | IN | |
2022-01-23 08:59:54 UTC | 2 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49748 | 216.58.198.33 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-01-23 08:59:54 UTC | 2 | OUT | |
2022-01-23 08:59:55 UTC | 2 | IN | |