Windows
Analysis Report
hot.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
hot.exe (PID: 768 cmdline:
"C:\Users\ user\Deskt op\hot.exe " MD5: DE9FFCF77572E26F4BAA2095DFA7FB87)
- cleanup
{"Type": "Metasploit Connect", "IP": "185.228.139.123", "Port": 4444}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Click to see the 1 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_004048F3 | |
Source: | Code function: | 0_2_004055CB |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_006A0095 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00403883 | |
Source: | Code function: | 0_2_0040748F | |
Source: | Code function: | 0_2_004096F1 | |
Source: | Code function: | 0_2_004096F1 | |
Source: | Code function: | 0_2_00406775 | |
Source: | Code function: | 0_2_004075E6 |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
87% | ReversingLabs | Win32.Trojan.Swrort | ||
86% | Virustotal | Browse | ||
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.228.139.123 | unknown | Germany | 197540 | NETCUP-ASnetcupGmbHDE | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447001 |
Start date and time: | 2024-05-24 08:08:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | hot.exe |
Detection: | MAL |
Classification: | mal100.troj.winEXE@1/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.228.139.123 | Get hash | malicious | Metasploit, Meterpreter | Browse | ||
Get hash | malicious | Metasploit | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
NETCUP-ASnetcupGmbHDE | Get hash | malicious | Metasploit, Meterpreter | Browse |
| |
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | CMSBrute | Browse |
| ||
Get hash | malicious | Gurcu Stealer, WhiteSnake Stealer | Browse |
| ||
Get hash | malicious | CMSBrute | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | SystemBC | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Xmrig | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
File type: | |
Entropy (8bit): | 6.326903804700931 |
TrID: |
|
File name: | hot.exe |
File size: | 73'802 bytes |
MD5: | de9ffcf77572e26f4baa2095dfa7fb87 |
SHA1: | 210ae1175ab66311068ee5f8bcfd498ad2d04d18 |
SHA256: | 194e405f98dadc88a7041b0724e31db7a92537f200c380b0e89674177ae0a963 |
SHA512: | 1e7f29dd2c52f593ef2b23b3d19c70366bbe87126e3565fedf802c516908b4121daf3e91465f18e114dcdaa3b5bf72d52f737e9c3be952931a9f066edf9b2662 |
SSDEEP: | 1536:I1cCF7Zrxh8HXfrs04gVjdhBrMb+KR0Nc8QsJq39:EF7d8vzJhdhle0Nc8QsC9 |
TLSH: | A473A042E9C41475D196117E637136B6E970F4FD2702C1DA7A8CCDFAEBC18A0927A3CA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...~3.J........... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40132b |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4AB0337E [Wed Sep 16 00:38:22 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 481f47bbb2c9c21e108d65f52b04c448 |
Instruction |
---|
lahf |
dec ebx |
std |
aas |
clc |
aaa |
dec ebx |
xchg eax, ebx |
xchg eax, ebx |
inc ecx |
dec ecx |
cmc |
daa |
inc eax |
salc |
das |
clc |
clc |
cld |
wait |
lahf |
clc |
inc eax |
cmc |
dec eax |
cwde |
inc ebx |
dec edx |
salc |
dec eax |
dec edx |
aas |
inc eax |
inc edx |
dec eax |
xchg eax, ecx |
das |
dec edx |
xchg eax, ecx |
cwde |
nop |
xchg eax, ebx |
cdq |
inc edx |
xchg eax, edx |
cwde |
dec ecx |
std |
salc |
nop |
cwde |
inc eax |
dec ecx |
xchg eax, ecx |
std |
inc eax |
dec eax |
cwde |
wait |
aaa |
clc |
inc ecx |
inc edx |
lahf |
lahf |
dec eax |
std |
das |
daa |
lahf |
xchg eax, ecx |
dec eax |
inc edx |
inc ecx |
xchg eax, edx |
dec ecx |
dec edx |
dec ecx |
salc |
dec ebx |
clc |
stc |
inc ebx |
dec edx |
dec eax |
salc |
dec eax |
cmc |
std |
inc ebx |
std |
cwde |
xchg eax, ecx |
das |
xchg eax, edx |
das |
inc ebx |
daa |
dec eax |
das |
dec ecx |
dec ebx |
xchg eax, edx |
daa |
cwde |
salc |
lahf |
wait |
xchg eax, ecx |
wait |
wait |
salc |
inc edx |
dec ecx |
std |
inc ecx |
dec ecx |
clc |
aas |
std |
inc edx |
aas |
dec eax |
stc |
dec ecx |
cwde |
stc |
cmc |
std |
inc eax |
dec edx |
dec ecx |
inc ebx |
daa |
cld |
nop |
daa |
xchg eax, ecx |
inc ebx |
cld |
wait |
das |
aas |
wait |
dec edx |
wait |
dec ebx |
std |
inc eax |
inc ebx |
inc ecx |
stc |
cmc |
inc eax |
daa |
std |
aas |
inc edx |
daa |
aaa |
cwde |
dec ecx |
dec ebx |
das |
dec ecx |
cdq |
dec ebx |
dec ecx |
lahf |
salc |
xchg eax, ecx |
xchg eax, edx |
cld |
inc ecx |
inc eax |
xchg eax, ebx |
wait |
aas |
std |
xchg eax, ecx |
cdq |
inc ecx |
stc |
xchg eax, edx |
lahf |
das |
salc |
inc ecx |
xchg eax, ebx |
daa |
nop |
inc eax |
std |
inc ebx |
inc ebx |
nop |
dec edx |
aaa |
xchg eax, ebx |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x7c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa966 | 0xb000 | 1f89a98da7f97af425bf189ac89a4565 | False | 0.8161399147727273 | data | 7.018049873082076 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xfe6 | 0x1000 | 25d7ceee3aa85bb3e8c5174736f6f830 | False | 0.46142578125 | DOS executable (COM, 0x8C-variant) | 5.318390353744998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x15060 | 0x768 | data | English | United States | 0.40189873417721517 |
DLL | Import |
---|---|
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp |
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree |
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid |
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError |
WS2_32.dll | WSARecv, WSASend |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 24, 2024 08:08:52.687985897 CEST | 49704 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:52.693135977 CEST | 4444 | 49704 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:52.693404913 CEST | 49704 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:54.321208000 CEST | 4444 | 49704 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:54.321433067 CEST | 49704 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:54.339118958 CEST | 49704 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:54.344189882 CEST | 4444 | 49704 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:54.345601082 CEST | 49705 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:54.350632906 CEST | 4444 | 49705 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:54.350857973 CEST | 49705 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:55.977478981 CEST | 4444 | 49705 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:55.977679014 CEST | 49705 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:55.978159904 CEST | 49705 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:55.978903055 CEST | 49706 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:55.988204002 CEST | 4444 | 49705 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:56.035355091 CEST | 4444 | 49706 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:56.035615921 CEST | 49706 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:57.686635017 CEST | 4444 | 49706 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:57.686984062 CEST | 49706 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:57.687218904 CEST | 49706 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:57.688033104 CEST | 49707 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:57.697010994 CEST | 4444 | 49706 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:57.747438908 CEST | 4444 | 49707 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:57.747828960 CEST | 49707 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:59.387412071 CEST | 4444 | 49707 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:59.387655020 CEST | 49707 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:59.387916088 CEST | 49707 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:59.388694048 CEST | 49708 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:08:59.397516012 CEST | 4444 | 49707 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:59.447325945 CEST | 4444 | 49708 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:08:59.447582960 CEST | 49708 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:01.098376989 CEST | 4444 | 49708 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:01.098715067 CEST | 49708 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:01.099091053 CEST | 49708 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:01.100259066 CEST | 49709 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:01.108510971 CEST | 4444 | 49708 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:01.155294895 CEST | 4444 | 49709 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:01.155400991 CEST | 49709 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:02.809432983 CEST | 4444 | 49709 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:02.809509993 CEST | 49709 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:02.809917927 CEST | 49709 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:02.810687065 CEST | 49710 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:02.819360018 CEST | 4444 | 49709 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:02.867394924 CEST | 4444 | 49710 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:02.867594957 CEST | 49710 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:04.531936884 CEST | 4444 | 49710 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:04.532150984 CEST | 49710 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:04.532602072 CEST | 49710 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:04.533309937 CEST | 49711 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:04.542104006 CEST | 4444 | 49710 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:04.591320038 CEST | 4444 | 49711 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:04.591527939 CEST | 49711 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:06.250333071 CEST | 4444 | 49711 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:06.250418901 CEST | 49711 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:06.250844002 CEST | 49711 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:06.251750946 CEST | 49712 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:06.263322115 CEST | 4444 | 49711 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:06.315428972 CEST | 4444 | 49712 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:06.315656900 CEST | 49712 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:07.984026909 CEST | 4444 | 49712 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:07.984281063 CEST | 49712 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:08.556834936 CEST | 49712 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:08.557610035 CEST | 49713 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:08.561845064 CEST | 4444 | 49712 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:08.607424974 CEST | 4444 | 49713 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:08.607628107 CEST | 49713 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:10.247121096 CEST | 4444 | 49713 | 185.228.139.123 | 192.168.2.5 |
May 24, 2024 08:09:10.247333050 CEST | 49713 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:10.247683048 CEST | 49713 | 4444 | 192.168.2.5 | 185.228.139.123 |
May 24, 2024 08:09:10.257178068 CEST | 4444 | 49713 | 185.228.139.123 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 24, 2024 08:09:14.324721098 CEST | 53 | 50815 | 1.1.1.1 | 192.168.2.5 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 02:08:51 |
Start date: | 24/05/2024 |
Path: | C:\Users\user\Desktop\hot.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73'802 bytes |
MD5 hash: | DE9FFCF77572E26F4BAA2095DFA7FB87 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.7% |
Dynamic/Decrypted Code Coverage: | 17% |
Signature Coverage: | 15.1% |
Total number of Nodes: | 53 |
Total number of Limit Nodes: | 3 |
Graph
Function 006A0095 Relevance: 6.1, APIs: 4, Instructions: 81networkCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401DA7 Relevance: 1.3, APIs: 1, Instructions: 33memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401D50 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401D66 Relevance: 1.3, APIs: 1, Instructions: 28memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401D58 Relevance: 1.3, APIs: 1, Instructions: 27memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401D90 Relevance: 1.3, APIs: 1, Instructions: 20memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401D89 Relevance: 1.3, APIs: 1, Instructions: 18memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004055CB Relevance: .1, Instructions: 54COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004048F3 Relevance: .0, Instructions: 16COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|