Windows
Analysis Report
venom.exe
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- venom.exe (PID: 572 cmdline:
"C:\Users\ user\Deskt op\venom.e xe" MD5: 195032DEBCDCFBD4E56986070144A475)
- cleanup
{"Type": "Metasploit Connect", "IP": "47.120.44.103", "Port": 8899}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Click to see the 1 entries |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_004B0095 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00401253 | |
Source: | Code function: | 0_2_00405AC4 | |
Source: | Code function: | 0_2_00401751 | |
Source: | Code function: | 0_2_00401894 | |
Source: | Code function: | 0_2_00407925 | |
Source: | Code function: | 0_2_004043FB |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00406A00 |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Software Packing | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
89% | ReversingLabs | Win32.Trojan.Swrort | ||
86% | Virustotal | Browse | ||
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
47.120.44.103 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447007 |
Start date and time: | 2024-05-24 08:23:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 46s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | venom.exe |
Detection: | MAL |
Classification: | mal96.troj.winEXE@1/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | Get hash | malicious | HTMLPhisher | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
|
File type: | |
Entropy (8bit): | 6.320499021831116 |
TrID: |
|
File name: | venom.exe |
File size: | 73'802 bytes |
MD5: | 195032debcdcfbd4e56986070144a475 |
SHA1: | ae0dc7a77bbbbb868f58d7fadf744201c62a580c |
SHA256: | 18efb574f87cff4df096736e24266656d17108ce4c0f183d97c5c6629f8da1e7 |
SHA512: | bad30342d35192cb44483ce0a5f03a90f50b896db9b350531d157c3ec4867e60b7c3f6cdf2f347a2e4d0fbc865c9caf433c5cd91170037c72ea434f44b50c4c1 |
SSDEEP: | 1536:ImxqrezYqPXYZzkEJB1SXWH1qOvFMb+KR0Nc8QsJq39:xM4EzzJnSXWHUQe0Nc8QsC9 |
TLSH: | 3F73B042D9C01466C265123D57763AF5AA71F4F63312D28A3A8CC9E5EFD0CF063663C6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L......I........... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x403d4e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x49C1B2C9 [Thu Mar 19 02:49:45 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 481f47bbb2c9c21e108d65f52b04c448 |
Instruction |
---|
inc ecx |
xchg eax, ebx |
dec eax |
nop |
inc ecx |
stc |
lahf |
lahf |
cld |
lahf |
cld |
dec edx |
clc |
cdq |
dec eax |
dec eax |
xchg eax, ebx |
das |
inc ebx |
wait |
xchg eax, ecx |
inc ebx |
das |
xchg eax, ecx |
inc ebx |
cld |
cdq |
cmc |
xchg eax, ecx |
xchg eax, ebx |
cmc |
inc eax |
xchg eax, ecx |
lahf |
wait |
clc |
cdq |
lahf |
salc |
nop |
aas |
dec edx |
stc |
cmc |
dec ecx |
inc eax |
das |
aaa |
cmc |
salc |
daa |
salc |
dec ebx |
xchg eax, ecx |
nop |
das |
nop |
nop |
inc ebx |
nop |
wait |
nop |
aaa |
inc ecx |
dec ebx |
cmc |
daa |
inc edx |
daa |
cmc |
dec ecx |
daa |
dec ecx |
salc |
xchg eax, ebx |
salc |
cld |
inc ecx |
dec eax |
lahf |
dec edx |
cmc |
das |
dec eax |
cwde |
inc eax |
xchg eax, edx |
cld |
dec edx |
aaa |
xchg eax, ebx |
stc |
std |
dec edx |
aaa |
daa |
aas |
salc |
salc |
inc eax |
xchg eax, ecx |
cdq |
xchg eax, edx |
jmp 00007FE771248759h |
or byte ptr [eax], al |
add byte ptr [ecx+63084C93h], cl |
add byte ptr [ebx-1D74F3ADh], cl |
sub bh, cl |
add byte ptr [ebx-1Fh], dl |
sar dword ptr [ebx], 1 |
loopne 00007FE77124A83Bh |
push ebx |
or al, 0Fh |
test eax, eax |
add al, byte ptr [eax] |
add byte ptr [ebx+360820B3h], cl |
add byte ptr [eax+353F07FFh], bh |
sub esp, dword ptr [04F045C7h] |
add byte ptr [eax], al |
add byte ptr [ebx], bh |
ror dword ptr [ecx+0372FC8Dh], 63h |
dec ebp |
hlt |
mov ecx, dword ptr [eax] |
or byte ptr [eax], al |
add byte ptr [ebx+1816BE1Ah], cl |
in eax, 00h |
scasb |
xor byte ptr [ebx], dl |
and byte ptr [ebx+02E9C198h], cl |
sbb eax, 558BCA8Bh |
hlt |
and ecx, 00000000h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x7c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa966 | 0xb000 | 458edf2700c7e8a3c43f6de5fbd694df | False | 0.8162952769886364 | data | 7.011882615215062 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xfe6 | 0x1000 | 25d7ceee3aa85bb3e8c5174736f6f830 | False | 0.46142578125 | DOS executable (COM, 0x8C-variant) | 5.318390353744998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x15060 | 0x768 | data | English | United States | 0.40189873417721517 |
DLL | Import |
---|---|
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp |
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree |
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid |
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError |
WS2_32.dll | WSARecv, WSASend |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 24, 2024 08:23:54.136584044 CEST | 49704 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:54.141987085 CEST | 8899 | 49704 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:23:54.142103910 CEST | 49704 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:56.448055029 CEST | 8899 | 49704 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:23:56.448421955 CEST | 49704 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:56.448625088 CEST | 49704 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:56.450134039 CEST | 49705 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:56.458547115 CEST | 8899 | 49704 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:23:56.504487991 CEST | 8899 | 49705 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:23:56.504627943 CEST | 49705 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:58.716638088 CEST | 8899 | 49705 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:23:58.716841936 CEST | 49705 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:58.717247009 CEST | 49705 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:58.718005896 CEST | 49706 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:23:58.726767063 CEST | 8899 | 49705 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:23:58.775598049 CEST | 8899 | 49706 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:23:58.775830030 CEST | 49706 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:12.694739103 CEST | 8899 | 49706 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:12.694874048 CEST | 49706 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:12.695208073 CEST | 49706 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:12.696053028 CEST | 49708 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:12.748482943 CEST | 8899 | 49706 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:12.803575039 CEST | 8899 | 49708 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:12.803785086 CEST | 49708 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:20.303848028 CEST | 8899 | 49708 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:20.304188967 CEST | 49708 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:20.304518938 CEST | 49708 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:20.305342913 CEST | 49713 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:20.314065933 CEST | 8899 | 49708 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:20.363573074 CEST | 8899 | 49713 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:20.364025116 CEST | 49713 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:36.511450052 CEST | 8899 | 49713 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:36.511699915 CEST | 49713 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:36.512007952 CEST | 49713 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:36.512857914 CEST | 49714 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:36.564270020 CEST | 8899 | 49713 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:36.615423918 CEST | 8899 | 49714 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:36.615740061 CEST | 49714 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:41.175522089 CEST | 8899 | 49714 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:41.175743103 CEST | 49714 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:41.176039934 CEST | 49714 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:41.176810026 CEST | 49715 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:41.232569933 CEST | 8899 | 49714 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:41.281723022 CEST | 8899 | 49715 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:41.281939983 CEST | 49715 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:43.632529020 CEST | 8899 | 49715 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:43.632848978 CEST | 49715 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:43.643055916 CEST | 49715 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:43.643861055 CEST | 49716 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:43.691144943 CEST | 8899 | 49715 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:43.744631052 CEST | 8899 | 49716 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:43.744858980 CEST | 49716 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:48.301815987 CEST | 8899 | 49716 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:48.302174091 CEST | 49716 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:48.302476883 CEST | 49716 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:48.303329945 CEST | 49717 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:48.360560894 CEST | 8899 | 49716 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:48.407505989 CEST | 8899 | 49717 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:48.407788038 CEST | 49717 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:52.982243061 CEST | 8899 | 49717 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:52.982501984 CEST | 49717 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:52.982883930 CEST | 49717 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:52.983561039 CEST | 49718 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:24:53.036540985 CEST | 8899 | 49717 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:53.058612108 CEST | 8899 | 49718 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:24:53.058845997 CEST | 49718 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:25:00.543817997 CEST | 8899 | 49718 | 47.120.44.103 | 192.168.2.5 |
May 24, 2024 08:25:00.544014931 CEST | 49718 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:25:00.544390917 CEST | 49718 | 8899 | 192.168.2.5 | 47.120.44.103 |
May 24, 2024 08:25:00.559535027 CEST | 8899 | 49718 | 47.120.44.103 | 192.168.2.5 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 02:23:53 |
Start date: | 24/05/2024 |
Path: | C:\Users\user\Desktop\venom.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73'802 bytes |
MD5 hash: | 195032DEBCDCFBD4E56986070144A475 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.6% |
Dynamic/Decrypted Code Coverage: | 16.7% |
Signature Coverage: | 18.5% |
Total number of Nodes: | 54 |
Total number of Limit Nodes: | 3 |
Graph
Function 004B0095 Relevance: 6.1, APIs: 4, Instructions: 81networkCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401FD6 Relevance: 1.3, APIs: 1, Instructions: 60memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401FE2 Relevance: 1.3, APIs: 1, Instructions: 55memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402002 Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401FF4 Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040202D Relevance: 1.3, APIs: 1, Instructions: 45memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|