Windows
Analysis Report
XX(1).exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
XX(1).exe (PID: 7432 cmdline:
"C:\Users\ user\Deskt op\XX(1).e xe" MD5: CEEE05227B74E5A1E6D89F3B1CDFD24B) RegSvcs.exe (PID: 7448 cmdline:
"C:\Users\ user\Deskt op\XX(1).e xe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.magnatextile.com", "Username": "owais@magnatextile.com", "Password": "ow%{&}mti{&}$is"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 18 entries |
System Summary |
---|
Source: | Author: frack113: |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | String found in binary or memory: | memstr_b1f7f9aa-d | |
Source: | String found in binary or memory: | memstr_39e19b78-c | |
Source: | String found in binary or memory: | memstr_7bd59caf-6 | |
Source: | String found in binary or memory: | memstr_e925b12e-d |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | API/Special instruction interceptor: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | WMI Queries: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 212 Process Injection | 1 Disable or Modify Tools | 2 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 121 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 212 Process Injection | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 124 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
54% | ReversingLabs | Win32.Trojan.Strab | ||
29% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api.ipify.org | 172.67.74.152 | true | false |
| unknown |
magnatextile.com | 164.68.127.9 | true | true |
| unknown |
mail.magnatextile.com | unknown | unknown | true |
| unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
164.68.127.9 | magnatextile.com | Germany | 51167 | CONTABODE | true | |
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1467927 |
Start date and time: | 2024-07-05 03:37:42 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 3s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | XX(1).exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/4@2/2 |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
21:38:31 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
164.68.127.9 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
172.67.74.152 | Get hash | malicious | Ficker Stealer, Rusty Stealer | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Stealit | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Stealit | Browse |
| ||
Get hash | malicious | Stealit | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
api.ipify.org | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
Get hash | malicious | Quasar | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, RedLine, StormKitty, XWorm | Browse |
| ||
Get hash | malicious | Quasar | Browse |
| ||
Get hash | malicious | Quasar | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CONTABODE | Get hash | malicious | WhiteSnake Stealer | Browse |
| |
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
Get hash | malicious | Fake Captcha, HTMLPhisher | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
CLOUDFLARENETUS | Get hash | malicious | Snake Keylogger | Browse |
| |
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Users\user\Desktop\XX(1).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29780 |
Entropy (8bit): | 3.5533246585729676 |
Encrypted: | false |
SSDEEP: | 768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbn+Ig6Qm4vfF3if6gyX/:miTZ+2QoioGRk6ZklputwjpjBkCiw2R6 |
MD5: | C69C6D214EC49C4C68377B0019AC496C |
SHA1: | 4A15CC347E6C1D934D2FE7F99DFF58E6F905DAA7 |
SHA-256: | 0F9682BD5BE8238C6A09608304309409C24BA3F663A2D72625FDEE0A173C6AE6 |
SHA-512: | 5F8D4E0CD08B184A99CEEBA7A6C22EDB42708DC12EBF8B37B6F9D1861B2093EA3E35BE08A153724C96FE824F8B98FBC72124A6D592C27E0811769F19CAD8569B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\XX(1).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 268288 |
Entropy (8bit): | 7.906714483935363 |
Encrypted: | false |
SSDEEP: | 6144:DR95YCHlkpYPvkUvBxZnICQxQ3ha7S/6yV9y:jH8VQnxQx6JV9y |
MD5: | 0627D8EA9C9A86C685642A0CADA49435 |
SHA1: | 14B98255BFDB171DD4C4493DBF37A9599750AA06 |
SHA-256: | E79B150EC9F056E0DEBFAA6377C5B496E17A2AFB00418BC417F9AD3706FF1787 |
SHA-512: | 26EF50CCFAAE562F0F0833BF06B5E2BE09082CE78E4900D47DC9552DE4F897FD02E4510550FEA1B8BAB819BDA15DEBC63619CA341D1F9CA7386E3C5D1640934C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\XX(1).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9940 |
Entropy (8bit): | 7.596040375820741 |
Encrypted: | false |
SSDEEP: | 192:u5jwEiq/w5nw1R9G7k3mkX6xL2suKfvkQ5+If15RTPhikwekbwxsiREx:U6q/w5nwdG7wnCznk9If15RLh8BIsiRy |
MD5: | 94CF1A211CC50D7AE7F5E7ED9095C7C8 |
SHA1: | 1A955286D1D122EAE43910CE297E1CFEF51C0ABD |
SHA-256: | 027A34A56BD82FA347A68D8A5207E941093191CE98F22D58DD26F904D0652F31 |
SHA-512: | B30ADDA6C73383731FD2C6CB3303F0A2B01F6D937F68846DB9EE4AE10608847E988E502BCA46CD0F44BC00E7D275EE59CC4044153316257CC0C3E33703888E9B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\XX(1).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 268288 |
Entropy (8bit): | 7.906714483935363 |
Encrypted: | false |
SSDEEP: | 6144:DR95YCHlkpYPvkUvBxZnICQxQ3ha7S/6yV9y:jH8VQnxQx6JV9y |
MD5: | 0627D8EA9C9A86C685642A0CADA49435 |
SHA1: | 14B98255BFDB171DD4C4493DBF37A9599750AA06 |
SHA-256: | E79B150EC9F056E0DEBFAA6377C5B496E17A2AFB00418BC417F9AD3706FF1787 |
SHA-512: | 26EF50CCFAAE562F0F0833BF06B5E2BE09082CE78E4900D47DC9552DE4F897FD02E4510550FEA1B8BAB819BDA15DEBC63619CA341D1F9CA7386E3C5D1640934C |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.121105411516716 |
TrID: |
|
File name: | XX(1).exe |
File size: | 1'171'456 bytes |
MD5: | ceee05227b74e5a1e6d89f3b1cdfd24b |
SHA1: | 7c7038b477f3d68226abf7eb1f8b4e9b9cfae331 |
SHA256: | 0f30bd5220de4c7fb2d426a392b5fcdbf1062b33a65761cb2af0d4732a2b2c2e |
SHA512: | 931eed40bcb985de50c631f1b2565edf4bcdc78d56d9e2b31c608a634367c227325152dc4644d498924bcc09d5a11f3ace19193b9d1ea4aa897747f2b073a4c9 |
SSDEEP: | 24576:WAHnh+eWsN3skA4RV1Hom2KXMmHabDXVNuE25:xh+ZkldoPK8YabD3A |
TLSH: | E145BD0273D5C036FFAB92739B6AF24196BC79254133852F13981DB9BD701B2263E663 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR.. |
Icon Hash: | aaf3e3e3938382a0 |
Entrypoint: | 0x42800a |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6685DB23 [Wed Jul 3 23:13:39 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
Instruction |
---|
call 00007FD4EC80C56Dh |
jmp 00007FD4EC7FF324h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push edi |
push esi |
mov esi, dword ptr [esp+10h] |
mov ecx, dword ptr [esp+14h] |
mov edi, dword ptr [esp+0Ch] |
mov eax, ecx |
mov edx, ecx |
add eax, esi |
cmp edi, esi |
jbe 00007FD4EC7FF4AAh |
cmp edi, eax |
jc 00007FD4EC7FF80Eh |
bt dword ptr [004C41FCh], 01h |
jnc 00007FD4EC7FF4A9h |
rep movsb |
jmp 00007FD4EC7FF7BCh |
cmp ecx, 00000080h |
jc 00007FD4EC7FF674h |
mov eax, edi |
xor eax, esi |
test eax, 0000000Fh |
jne 00007FD4EC7FF4B0h |
bt dword ptr [004BF324h], 01h |
jc 00007FD4EC7FF980h |
bt dword ptr [004C41FCh], 00000000h |
jnc 00007FD4EC7FF64Dh |
test edi, 00000003h |
jne 00007FD4EC7FF65Eh |
test esi, 00000003h |
jne 00007FD4EC7FF63Dh |
bt edi, 02h |
jnc 00007FD4EC7FF4AFh |
mov eax, dword ptr [esi] |
sub ecx, 04h |
lea esi, dword ptr [esi+04h] |
mov dword ptr [edi], eax |
lea edi, dword ptr [edi+04h] |
bt edi, 03h |
jnc 00007FD4EC7FF4B3h |
movq xmm1, qword ptr [esi] |
sub ecx, 08h |
lea esi, dword ptr [esi+08h] |
movq qword ptr [edi], xmm1 |
lea edi, dword ptr [edi+08h] |
test esi, 00000007h |
je 00007FD4EC7FF505h |
bt esi, 03h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x53868 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11c000 | 0x7134 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xc8000 | 0x53868 | 0x53a00 | 28ba6f6d00f5061ea0a9d96924e34585 | False | 0.9205232856875935 | data | 7.8798016417732315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x11c000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9 |
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
RT_RCDATA | 0xd07b8 | 0x4ab30 | data | 1.000330099879726 | ||
RT_GROUP_ICON | 0x11b2e8 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
RT_GROUP_ICON | 0x11b360 | 0x14 | data | English | Great Britain | 1.25 |
RT_GROUP_ICON | 0x11b374 | 0x14 | data | English | Great Britain | 1.15 |
RT_GROUP_ICON | 0x11b388 | 0x14 | data | English | Great Britain | 1.25 |
RT_VERSION | 0x11b39c | 0xdc | data | English | Great Britain | 0.6181818181818182 |
RT_MANIFEST | 0x11b478 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
DLL | Import |
---|---|
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
PSAPI.DLL | GetProcessMemoryInfo |
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
UxTheme.dll | IsThemeActive |
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 5, 2024 03:38:30.828917027 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:30.828968048 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:30.829020023 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:30.838798046 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:30.838805914 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:31.356930017 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:31.356996059 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:31.360694885 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:31.360702038 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:31.361121893 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:31.411658049 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:31.413618088 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:31.456516027 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:31.520653963 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:31.520741940 CEST | 443 | 49730 | 172.67.74.152 | 192.168.2.4 |
Jul 5, 2024 03:38:31.520790100 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:31.527592897 CEST | 49730 | 443 | 192.168.2.4 | 172.67.74.152 |
Jul 5, 2024 03:38:32.066219091 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:32.072803974 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:32.072879076 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:32.981127977 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:32.981314898 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:32.987627983 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.184051037 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.184236050 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:33.190459013 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.386641979 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.387202024 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:33.392168999 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.598413944 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.598433971 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.598445892 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.598453045 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.598524094 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:33.693921089 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.728215933 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:33.733094931 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.939450026 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:33.942773104 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:33.947587013 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.143902063 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.145231962 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:34.150065899 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.346570015 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.346963882 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:34.351820946 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.569233894 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.569524050 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:34.574423075 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.776788950 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:34.777061939 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:34.781868935 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.027184963 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.027388096 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:35.032247066 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.228354931 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.228934050 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:35.228974104 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:35.228995085 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:35.229013920 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:38:35.233859062 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.233870983 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.234103918 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.234114885 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.533879042 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:38:35.583571911 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:40:12.053180933 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Jul 5, 2024 03:40:12.058012009 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:40:12.255248070 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 |
Jul 5, 2024 03:40:12.255935907 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 5, 2024 03:38:30.778460026 CEST | 50685 | 53 | 192.168.2.4 | 1.1.1.1 |
Jul 5, 2024 03:38:30.785177946 CEST | 53 | 50685 | 1.1.1.1 | 192.168.2.4 |
Jul 5, 2024 03:38:32.037345886 CEST | 50279 | 53 | 192.168.2.4 | 1.1.1.1 |
Jul 5, 2024 03:38:32.065198898 CEST | 53 | 50279 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 5, 2024 03:38:30.778460026 CEST | 192.168.2.4 | 1.1.1.1 | 0x7e82 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 5, 2024 03:38:32.037345886 CEST | 192.168.2.4 | 1.1.1.1 | 0xa351 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 5, 2024 03:38:30.785177946 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e82 | No error (0) | 172.67.74.152 | A (IP address) | IN (0x0001) | false | ||
Jul 5, 2024 03:38:30.785177946 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e82 | No error (0) | 104.26.12.205 | A (IP address) | IN (0x0001) | false | ||
Jul 5, 2024 03:38:30.785177946 CEST | 1.1.1.1 | 192.168.2.4 | 0x7e82 | No error (0) | 104.26.13.205 | A (IP address) | IN (0x0001) | false | ||
Jul 5, 2024 03:38:32.065198898 CEST | 1.1.1.1 | 192.168.2.4 | 0xa351 | No error (0) | magnatextile.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Jul 5, 2024 03:38:32.065198898 CEST | 1.1.1.1 | 192.168.2.4 | 0xa351 | No error (0) | 164.68.127.9 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 172.67.74.152 | 443 | 7448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-05 01:38:31 UTC | 155 | OUT | |
2024-07-05 01:38:31 UTC | 211 | IN | |
2024-07-05 01:38:31 UTC | 11 | IN |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jul 5, 2024 03:38:32.981127977 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 | 220-hosting.magna-group.com ESMTP Exim 4.96.2 #2 Fri, 05 Jul 2024 06:38:32 +0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jul 5, 2024 03:38:32.981314898 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 | EHLO 138727 |
Jul 5, 2024 03:38:33.184051037 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 | 250-hosting.magna-group.com Hello 138727 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Jul 5, 2024 03:38:33.184236050 CEST | 49731 | 587 | 192.168.2.4 | 164.68.127.9 | STARTTLS |
Jul 5, 2024 03:38:33.386641979 CEST | 587 | 49731 | 164.68.127.9 | 192.168.2.4 | 220 TLS go ahead |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 21:38:28 |
Start date: | 04/07/2024 |
Path: | C:\Users\user\Desktop\XX(1).exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9f0000 |
File size: | 1'171'456 bytes |
MD5 hash: | CEEE05227B74E5A1E6D89F3B1CDFD24B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 21:38:29 |
Start date: | 04/07/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfb0000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |