Edit tour
Windows
Analysis Report
ePAY-Advice_Rf[UC7749879100].exe
Overview
General Information
| Sample Name: | ePAY-Advice_Rf[UC7749879100].exe |
| Analysis ID: | 828721 |
| MD5: | 06bf8620598b674fc3506a2844d42d65 |
| SHA1: | 00e28bd96e338f7bfff9c41d985de05f010d8ea7 |
| SHA256: | 98883d7d2678fd8cbdad8b8c1ca7cf13a797b1074f081dee24aba14dcc346ffe |
| Infos: |  |
 | |
Detection
GuLoader, Lokibot
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Classification
- System is w10x64native
ePAY-Advice_Rf[UC7749879100].exe (PID: 7800 cmdline: C:\Users\u ser\Deskto p\ePAY-Adv ice_Rf[UC7 749879100] .exe MD5: 06BF8620598B674FC3506A2844D42D65) - ePAY-Advice_Rf[UC7749879100].exe (PID: 4428 cmdline:
C:\Users\u ser\Deskto p\ePAY-Adv ice_Rf[UC7 749879100] .exe MD5: 06BF8620598B674FC3506A2844D42D65) 
WerFault.exe (PID: 7980 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 428 -s 200 0 MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Loki Password Stealer (PWS), LokiBot | "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.11.20171.22.30.14749853802025381 03/17/23-14:12:55.965496 |
| SID: | 2025381 |
| Source Port: | 49853 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20171.22.30.14749853802024317 03/17/23-14:12:55.965496 |
| SID: | 2024317 |
| Source Port: | 49853 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20171.22.30.14749853802024312 03/17/23-14:12:55.965496 |
| SID: | 2024312 |
| Source Port: | 49853 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20171.22.30.14749853802021641 03/17/23-14:12:55.965496 |
| SID: | 2021641 |
| Source Port: | 49853 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20171.22.30.14749853802825766 03/17/23-14:12:55.965496 |
| SID: | 2825766 |
| Source Port: | 49853 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Static PE information: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | Code function: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | ||
| Source: | Mutant created: | ||
| Source: | File written: | Jump to behavior | ||
| Source: | Key opened: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
Malware Analysis System Evasion | |
|---|
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep time: | ||
| Source: | Last function: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | API call chain: | ||
| Source: | API call chain: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | ||
| Source: | Process token adjusted: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | Code function: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 2 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 11 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 5 System Information Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 46% | Virustotal | Browse | ||
| 28% | ReversingLabs | Win32.Trojan.GuLoader |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1223491 | Download File | ||
| 100% | Avira | HEUR/AGEN.1223491 | Download File | ||
| 100% | Avira | HEUR/AGEN.1223491 | Download File |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 7% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| zed-unusual-activity-com.veldaeffertz.ml | 188.114.96.3 | true | false |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 171.22.30.147 | unknown | Germany | 33657 | CMCSUS | true | |
| 188.114.96.3 | zed-unusual-activity-com.veldaeffertz.ml | European Union | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 828721 |
| Start date and time: | 2023-03-17 14:08:19 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 11m 39s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
| Number of analysed new started processes analysed: | 9 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | ePAY-Advice_Rf[UC7749879100].exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/19@23/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 40.126.32.139, 40.126.32.132, 40.126.32.137, 20.190.160.15, 40.126.32.67, 40.126.32.73, 20.190.160.12, 20.190.160.23
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, prda.aadg.msidentity.com, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, wdcp.microsoft.com, login.msa.msidentity.com
- Execution Graph export aborted for target ePAY-Advice_Rf[UC7749879100].exe, PID 4428 because there are no executed function
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 54 |
| Entropy (8bit): | 4.838039816898156 |
| Encrypted: | false |
| SSDEEP: | 3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I |
| MD5: | FB5EE2C0CAC332EC8390F50016EF0769 |
| SHA1: | 11D9FB52FE5289140B9D52A38B56F99512B3A3A7 |
| SHA-256: | C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631 |
| SHA-512: | 87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.832316471889005 |
| Encrypted: | false |
| SSDEEP: | 192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC |
| MD5: | B0C77267F13B2F87C084FD86EF51CCFC |
| SHA1: | F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3 |
| SHA-256: | A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
| SHA-512: | F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:U:U |
| MD5: | C4CA4238A0B923820DCC509A6F75849B |
| SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
| SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 47 |
| Entropy (8bit): | 1.1262763721961973 |
| Encrypted: | false |
| SSDEEP: | 3:/lSllIEXln:AWE1 |
| MD5: | D69FB7CE74DAC48982B69816C3772E4E |
| SHA1: | B1C04CDB2567DC2B50D903B0E1D0D3211191E065 |
| SHA-256: | 8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396 |
| SHA-512: | 7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll 
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 34016 |
| Entropy (8bit): | 6.1021284380541925 |
| Encrypted: | false |
| SSDEEP: | 384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3 |
| MD5: | 4FC7FC174E80C178225C2509027DF961 |
| SHA1: | 9FF62413EC0DD462F5F016EBC804F1D736D24796 |
| SHA-256: | 866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C |
| SHA-512: | 29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 295288 |
| Entropy (8bit): | 6.745618664148764 |
| Encrypted: | false |
| SSDEEP: | 3072:x+/xc6g1BpoF5SmRfY+uynGbbqwHzp8d7fMUMQpnf+Dk64qR/2sE4GjEZQ2CfDU4:MkpGQqruyGqIzgsG5Nq/uC4fQzbEI2 |
| MD5: | 4D698E219A6C687613078B94085D51FE |
| SHA1: | 52A9BD9EF707F72A14006D4FDA0989F11A5616B9 |
| SHA-256: | 5E0F6244C6A33528CFCEC4C23F45F6238EA57818484B602086D26562F498EF49 |
| SHA-512: | 02E934B3374EE1CF9195FC7C329D0F4AC4A8DFBB081CDD04F4D76CF5EA92353507B34EAC099A5161CCD36BF11048FA3588A4D7F029FE585979A1D3E3C93E150B |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 35747 |
| Entropy (8bit): | 4.582392134953922 |
| Encrypted: | false |
| SSDEEP: | 384:x0ApQpUO7nJ9BGe8Gd+zZcrpqHCuY4TIm+io9fUe4KgZzZxrj2V+QRf4TGf:FypbJrGernrspY4s9fUKgpZxrahgTGf |
| MD5: | 69FFEE981CA33B2B99A58323AE19A198 |
| SHA1: | C9B1C33C92AE9BAE354B11A9F8F09639B7A8D493 |
| SHA-256: | 6623E3157B8615EBC31FE362C9058FFA9682A033822ED7A5E965A086D5F069A3 |
| SHA-512: | ED48BD96F3D65CA8F3BDBDBEFDF2F40A29468326436D28E4F9B58FF3A7EFB06197525D55777277719270864AA7D5301F3E3478C86E944D3AD054542DA94084A4 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\avatar-default-symbolic.svg
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 266 |
| Entropy (8bit): | 4.986245244009802 |
| Encrypted: | false |
| SSDEEP: | 6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj |
| MD5: | 8B727826F9D8C0C7C954EDE912CB0DEB |
| SHA1: | 1518AA80747326B5353C22D32E57A33D61285119 |
| SHA-256: | 0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334 |
| SHA-512: | 0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\be.txt
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12193 |
| Entropy (8bit): | 4.4720152705808935 |
| Encrypted: | false |
| SSDEEP: | 192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87 |
| MD5: | 3C21135144AC7452E7DB66F0214F9D68 |
| SHA1: | B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D |
| SHA-256: | D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E |
| SHA-512: | 0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\changes-allow-symbolic.svg
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 998 |
| Entropy (8bit): | 5.186938379246791 |
| Encrypted: | false |
| SSDEEP: | 24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH |
| MD5: | CB1EEE7BDB582B756D0F68EF02D6D96D |
| SHA1: | 9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9 |
| SHA-256: | 20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4 |
| SHA-512: | E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\dotnet.api
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1245 |
| Entropy (8bit): | 5.462849750105637 |
| Encrypted: | false |
| SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
| MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
| SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
| SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
| SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\ebook-reader.png
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 555 |
| Entropy (8bit): | 7.499536740374189 |
| Encrypted: | false |
| SSDEEP: | 12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ |
| MD5: | BFF011148B773FA44B9A9BB029E8CC52 |
| SHA1: | F2B838927E320D12649CEFDEA3AFE383C6650D7C |
| SHA-256: | B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653 |
| SHA-512: | A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\emblem-photos-symbolic.svg
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 680 |
| Entropy (8bit): | 5.109191824773878 |
| Encrypted: | false |
| SSDEEP: | 12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p |
| MD5: | 379690952AAA576521D51249D404CBCD |
| SHA1: | 61A8A95B0454422AA47379CF983B99FFDD839439 |
| SHA-256: | EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8 |
| SHA-512: | 35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\font-select-symbolic.symbolic.png
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 220 |
| Entropy (8bit): | 6.546211943247282 |
| Encrypted: | false |
| SSDEEP: | 6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW |
| MD5: | C84EE7522C124892455BB09DEBCF9340 |
| SHA1: | AF87A2A5688346A3902762DD250328B7EF224620 |
| SHA-256: | E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8 |
| SHA-512: | 3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\network-wired-symbolic.symbolic.png
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 144 |
| Entropy (8bit): | 5.708279548998072 |
| Encrypted: | false |
| SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp |
| MD5: | 1ED278AD206D6EA33FF787DD326E0FC5 |
| SHA1: | 8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46 |
| SHA-256: | CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417 |
| SHA-512: | 7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pan-start-symbolic.symbolic.png
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 140 |
| Entropy (8bit): | 5.529383944212929 |
| Encrypted: | false |
| SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp |
| MD5: | 4308BBBAB1DB146494AE5ABB07B8E6DB |
| SHA1: | 58121574EEB070E26DDD75A964F3548E176E58A4 |
| SHA-256: | EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828 |
| SHA-512: | 41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\printer-symbolic.symbolic.png
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 147 |
| Entropy (8bit): | 5.834297280344084 |
| Encrypted: | false |
| SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip |
| MD5: | 38D787F55E22FB591135F9250CD259D4 |
| SHA1: | 0E135B0E1CA49A6E43DB4CB7596FAEA022E23924 |
| SHA-256: | 1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002 |
| SHA-512: | 4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pt-br.txt
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 9515 |
| Entropy (8bit): | 5.04214621707661 |
| Encrypted: | false |
| SSDEEP: | 192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ |
| MD5: | 7B02E1AE16E2E709D7C97DE560B4DBE9 |
| SHA1: | 191A54644417F7D36F5CB4182DCDB3737D74BE51 |
| SHA-256: | DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB |
| SHA-512: | 4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\omfartsvejene\Reberbanernes\Muhamedaneres\Sminknings\LogoCanary.png
Download File
| Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 16669 |
| Entropy (8bit): | 7.836876926418697 |
| Encrypted: | false |
| SSDEEP: | 384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy |
| MD5: | F80867A421C85C6E2865CF85FF7C4B02 |
| SHA1: | C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48 |
| SHA-256: | BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3 |
| SHA-512: | 06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.556713515266732 |
| TrID: |
|
| File name: | ePAY-Advice_Rf[UC7749879100].exe |
| File size: | 329072 |
| MD5: | 06bf8620598b674fc3506a2844d42d65 |
| SHA1: | 00e28bd96e338f7bfff9c41d985de05f010d8ea7 |
| SHA256: | 98883d7d2678fd8cbdad8b8c1ca7cf13a797b1074f081dee24aba14dcc346ffe |
| SHA512: | d1e49bf22a28b2521f5ddfe4e0da6a40ebd599a3284f9d25b791e0ded05918e615ed4d65fe5d49c588fcc61e05cd2a80374ebfe94ceed972e5490d255f28dae7 |
| SSDEEP: | 6144:iDk/kgv+gAz2TU8tpVy+cofgwCNW8J++jMJnq2UroIbvt:ztD42TU8DdcjNFJgJnqbrh1 |
| TLSH: | 4C64F14176A1C823FD6A4630CD91E5F3E1BAFE04C828D10773A13FAFB9352858555EBA |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`......... |
 | |
| Icon Hash: | 08c2b0d8cc64b046 |
| Entrypoint: | 0x4031d6 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 3abe302b6d9a1256e6a915429af4ffd2 |
| Signature Valid: | false |
| Signature Issuer: | E=spinulation@Johnsen.fo, OU="Releaser Regionplanlov Ellwood ", O=Blodkrftens, L=Fleuriel, S=Auvergne-Rh\xf4ne-Alpes, C=FR |
| Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
| Error Number: | -2146762487 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | E72625F2F2E4D81D13EEADD636799AE5 |
| Thumbprint SHA-1: | 96AB23C902D117D7E57A617EE5CD324FD5CFB328 |
| Thumbprint SHA-256: | 4DD00D1164E5A3B45C21C6B0ACA7CDE02DF5C70EBD4F95F3736AD2784DC2D5E4 |
| Serial: | 16E55C1D2183D78DF9C4B28EDF378EDD20F08352 |
| Instruction |
|---|
| sub esp, 00000184h |
| push ebx |
| push esi |
| push edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+18h], ebx |
| mov dword ptr [esp+10h], 00409198h |
| mov dword ptr [esp+20h], ebx |
| mov byte ptr [esp+14h], 00000020h |
| call dword ptr [004070A0h] |
| call dword ptr [0040709Ch] |
| and eax, BFFFFFFFh |
| cmp ax, 00000006h |
| mov dword ptr [0042370Ch], eax |
| je 00007F70B040A013h |
| push ebx |
| call 00007F70B040D0EAh |
| cmp eax, ebx |
| je 00007F70B040A009h |
| push 00000C00h |
| call eax |
| mov esi, 00407298h |
| push esi |
| call 00007F70B040D066h |
| push esi |
| call dword ptr [00407098h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], bl |
| jne 00007F70B0409FEDh |
| push 0000000Ah |
| call 00007F70B040D0BEh |
| push 00000008h |
| call 00007F70B040D0B7h |
| push 00000006h |
| mov dword ptr [00423704h], eax |
| call 00007F70B040D0ABh |
| cmp eax, ebx |
| je 00007F70B040A011h |
| push 0000001Eh |
| call eax |
| test eax, eax |
| je 00007F70B040A009h |
| or byte ptr [0042370Fh], 00000040h |
| push ebp |
| call dword ptr [00407044h] |
| push ebx |
| call dword ptr [00407288h] |
| mov dword ptr [004237D8h], eax |
| push ebx |
| lea eax, dword ptr [esp+38h] |
| push 00000160h |
| push eax |
| push ebx |
| push 0041ECC8h |
| call dword ptr [00407178h] |
| push 00409188h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0xa3c0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4fb50 | 0xa20 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5f0d | 0x6000 | False | 0.6649169921875 | data | 6.450520423955375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.007650149182371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.129587811765307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x36000 | 0xa3c0 | 0xa400 | False | 0.0760766006097561 | data | 1.8822021165260459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_BITMAP | 0x36268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
| RT_ICON | 0x365d0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States |
| RT_DIALOG | 0x3fa78 | 0x144 | data | English | United States |
| RT_DIALOG | 0x3fbc0 | 0x13c | data | English | United States |
| RT_DIALOG | 0x3fd00 | 0x120 | data | English | United States |
| RT_DIALOG | 0x3fe20 | 0x11c | data | English | United States |
| RT_DIALOG | 0x3ff40 | 0xc4 | data | English | United States |
| RT_DIALOG | 0x40008 | 0x60 | data | English | United States |
| RT_GROUP_ICON | 0x40068 | 0x14 | data | English | United States |
| RT_MANIFEST | 0x40080 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
| USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.11.20171.22.30.14749853802025381 03/17/23-14:12:55.965496 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
| 192.168.11.20171.22.30.14749853802024317 03/17/23-14:12:55.965496 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
| 192.168.11.20171.22.30.14749853802024312 03/17/23-14:12:55.965496 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
| 192.168.11.20171.22.30.14749853802021641 03/17/23-14:12:55.965496 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
| 192.168.11.20171.22.30.14749853802825766 03/17/23-14:12:55.965496 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 17, 2023 14:12:54.334647894 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.334741116 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.335037947 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.364645958 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.364736080 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.403652906 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.403784037 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.403872967 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.463743925 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.464905024 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.465080976 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.469958067 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.512496948 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.722651005 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.722851992 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.722944975 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.723097086 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.723146915 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.723378897 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.723397017 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.723440886 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.723583937 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.723620892 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.723774910 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.723835945 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.723886967 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.723969936 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.724070072 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.724108934 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.724132061 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.724242926 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.724431038 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.724466085 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.724800110 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.835608006 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.835864067 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.835886955 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.835967064 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.836069107 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.836235046 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.836235046 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.836317062 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.836342096 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.836584091 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.838026047 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.838287115 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.838385105 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.838531017 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.838639975 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.838671923 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.838726997 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.838767052 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.838920116 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.838956118 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.839015961 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.839242935 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.839242935 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.839294910 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.839598894 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.843415022 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.843616962 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.843703985 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.843882084 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.843987942 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.844014883 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.844042063 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.844238997 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.844238997 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.844259977 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.844345093 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.844582081 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.844583035 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.844613075 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.844640970 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.844780922 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.844782114 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.844886065 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.845119953 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.951216936 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.951428890 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.951525927 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.951684952 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.951800108 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.951807022 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.951862097 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.951894045 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.952091932 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.952095985 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.952095985 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.952202082 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.952281952 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.952439070 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.952471018 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.952512026 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.952641010 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.952686071 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.952850103 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Mar 17, 2023 14:12:54.953066111 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.953066111 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
| Mar 17, 2023 14:12:54.953099966 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 17, 2023 14:11:08.672599077 CET | 52162 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:08.676314116 CET | 53 | 52162 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:13.753829956 CET | 52244 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:13.766824961 CET | 53 | 52244 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:18.846615076 CET | 57743 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:18.850532055 CET | 53 | 57743 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:23.924415112 CET | 61834 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:23.927993059 CET | 53 | 61834 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:27.984611988 CET | 56644 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:27.989150047 CET | 53 | 56644 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:33.063162088 CET | 58617 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:33.070621014 CET | 53 | 58617 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:38.139564991 CET | 60070 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:38.143363953 CET | 53 | 60070 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:43.215730906 CET | 57664 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:43.218975067 CET | 53 | 57664 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:48.295723915 CET | 51405 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:48.302275896 CET | 53 | 51405 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:53.369611025 CET | 56021 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:53.373475075 CET | 53 | 56021 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:11:58.447398901 CET | 54853 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:11:58.451924086 CET | 53 | 54853 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:03.524935007 CET | 64830 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:03.528922081 CET | 53 | 64830 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:08.600559950 CET | 52043 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:08.611625910 CET | 53 | 52043 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:13.681356907 CET | 65408 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:13.685094118 CET | 53 | 65408 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:18.755645990 CET | 59466 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:18.761109114 CET | 53 | 59466 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:23.831711054 CET | 62775 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:23.835189104 CET | 53 | 62775 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:28.908698082 CET | 54256 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:28.912781954 CET | 53 | 54256 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:32.970323086 CET | 59211 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:32.974494934 CET | 53 | 59211 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:38.047481060 CET | 58214 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:38.051160097 CET | 53 | 58214 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:43.125505924 CET | 63309 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:43.129215956 CET | 53 | 63309 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:48.201524019 CET | 52190 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:48.206408024 CET | 53 | 52190 | 9.9.9.9 | 192.168.11.20 |
| Mar 17, 2023 14:12:53.279522896 CET | 50355 | 53 | 192.168.11.20 | 9.9.9.9 |
| Mar 17, 2023 14:12:54.292489052 CET | 50355 | 53 | 192.168.11.20 | 1.1.1.1 |
| Mar 17, 2023 14:12:54.327683926 CET | 53 | 50355 | 1.1.1.1 | 192.168.11.20 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 17, 2023 14:11:08.672599077 CET | 192.168.11.20 | 9.9.9.9 | 0x610a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:13.753829956 CET | 192.168.11.20 | 9.9.9.9 | 0x6577 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:18.846615076 CET | 192.168.11.20 | 9.9.9.9 | 0x83ac | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:23.924415112 CET | 192.168.11.20 | 9.9.9.9 | 0x7c96 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:27.984611988 CET | 192.168.11.20 | 9.9.9.9 | 0x4c5 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:33.063162088 CET | 192.168.11.20 | 9.9.9.9 | 0xf35d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:38.139564991 CET | 192.168.11.20 | 9.9.9.9 | 0xc2dd | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:43.215730906 CET | 192.168.11.20 | 9.9.9.9 | 0x7d97 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:48.295723915 CET | 192.168.11.20 | 9.9.9.9 | 0x58de | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:53.369611025 CET | 192.168.11.20 | 9.9.9.9 | 0x844 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:58.447398901 CET | 192.168.11.20 | 9.9.9.9 | 0x6828 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:03.524935007 CET | 192.168.11.20 | 9.9.9.9 | 0x4ba8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:08.600559950 CET | 192.168.11.20 | 9.9.9.9 | 0xa129 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:13.681356907 CET | 192.168.11.20 | 9.9.9.9 | 0xd431 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:18.755645990 CET | 192.168.11.20 | 9.9.9.9 | 0xe51c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:23.831711054 CET | 192.168.11.20 | 9.9.9.9 | 0xd17a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:28.908698082 CET | 192.168.11.20 | 9.9.9.9 | 0x3bf9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:32.970323086 CET | 192.168.11.20 | 9.9.9.9 | 0x4a1f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:38.047481060 CET | 192.168.11.20 | 9.9.9.9 | 0x511e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:43.125505924 CET | 192.168.11.20 | 9.9.9.9 | 0xa387 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:48.201524019 CET | 192.168.11.20 | 9.9.9.9 | 0x7aa | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:53.279522896 CET | 192.168.11.20 | 9.9.9.9 | 0x379e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:54.292489052 CET | 192.168.11.20 | 1.1.1.1 | 0x379e | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 17, 2023 14:11:08.676314116 CET | 9.9.9.9 | 192.168.11.20 | 0x610a | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:13.766824961 CET | 9.9.9.9 | 192.168.11.20 | 0x6577 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:18.850532055 CET | 9.9.9.9 | 192.168.11.20 | 0x83ac | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:23.927993059 CET | 9.9.9.9 | 192.168.11.20 | 0x7c96 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:27.989150047 CET | 9.9.9.9 | 192.168.11.20 | 0x4c5 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:33.070621014 CET | 9.9.9.9 | 192.168.11.20 | 0xf35d | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:38.143363953 CET | 9.9.9.9 | 192.168.11.20 | 0xc2dd | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:43.218975067 CET | 9.9.9.9 | 192.168.11.20 | 0x7d97 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:48.302275896 CET | 9.9.9.9 | 192.168.11.20 | 0x58de | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:53.373475075 CET | 9.9.9.9 | 192.168.11.20 | 0x844 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:11:58.451924086 CET | 9.9.9.9 | 192.168.11.20 | 0x6828 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:03.528922081 CET | 9.9.9.9 | 192.168.11.20 | 0x4ba8 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:08.611625910 CET | 9.9.9.9 | 192.168.11.20 | 0xa129 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:13.685094118 CET | 9.9.9.9 | 192.168.11.20 | 0xd431 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:18.761109114 CET | 9.9.9.9 | 192.168.11.20 | 0xe51c | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:23.835189104 CET | 9.9.9.9 | 192.168.11.20 | 0xd17a | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:28.912781954 CET | 9.9.9.9 | 192.168.11.20 | 0x3bf9 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:32.974494934 CET | 9.9.9.9 | 192.168.11.20 | 0x4a1f | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:38.051160097 CET | 9.9.9.9 | 192.168.11.20 | 0x511e | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:43.129215956 CET | 9.9.9.9 | 192.168.11.20 | 0xa387 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:48.206408024 CET | 9.9.9.9 | 192.168.11.20 | 0x7aa | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2023 14:12:54.327683926 CET | 1.1.1.1 | 192.168.11.20 | 0x379e | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2023 14:12:54.327683926 CET | 1.1.1.1 | 192.168.11.20 | 0x379e | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
|
Click to jump to process
| Target ID: | 1 |
| Start time: | 14:10:12 |
| Start date: | 17/03/2023 |
| Path: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 329072 bytes |
| MD5 hash: | 06BF8620598B674FC3506A2844D42D65 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Target ID: | 5 |
| Start time: | 14:10:56 |
| Start date: | 17/03/2023 |
| Path: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 329072 bytes |
| MD5 hash: | 06BF8620598B674FC3506A2844D42D65 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Target ID: | 8 |
| Start time: | 14:12:57 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4e0000 |
| File size: | 482640 bytes |
| MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
⊘No disassembly