Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe (PID: 5044, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe", MD5: 8AAE495569F2EBA4371A7666C6066C2E)
  - InstallUtil.exe (PID: 2976, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  - InstallUtil.exe (PID: 3136, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cleanup
Name | Description | Attribution
---|---|---
DarkTortilla | DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. | No Attribution
XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution

Extracted XWorm configuration (Malware Configuration Extractor):
{"C2 url": ["nnx.linkworldlogiticservices.online"], "Port": "9196", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}
Rule | Description | Author
---|---|---
JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
JoeSecurity_XWorm | Yara detected XWorm | Joe Security
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
(first 5 of 11 entries)
Rule | Description | Author
---|---|---
JoeSecurity_XWorm | Yara detected XWorm | Joe Security
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
JoeSecurity_XWorm | Yara detected XWorm | Joe Security
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
(first 5 of 8 entries)
System Summary
- Sigma rule match, author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Snort IDS alerts (chronological)
Timestamp | SID | Src Port | Dst Port | Protocol | Classtype
---|---|---|---|---|---
07/17/24-16:40:56.953871 | 2855924 | 49723 | 9196 | TCP | A Network Trojan was detected
07/17/24-16:42:27.466949 | 2853193 | 49723 | 9196 | TCP | A Network Trojan was detected
07/17/24-16:44:05.044084 | 2852923 | 49723 | 9196 | TCP | A Network Trojan was detected
07/17/24-16:44:05.188143 | 2852870 | 9196 | 49723 | TCP | A Network Trojan was detected
07/17/24-16:44:05.188143 | 2852874 | 9196 | 49723 | TCP | A Network Trojan was detected

Network IDS alerts, ISO timestamps (chronological)
Timestamp | SID | Src Port | Dst Port | Protocol | Classtype
---|---|---|---|---|---
2024-07-17T16:40:04.502873+0200 | 2840787 | 49715 | 443 | TCP | Potentially Bad Traffic
2024-07-17T16:40:56.953871+0200 | 2855924 | 49723 | 9196 | TCP | Malware Command and Control Activity Detected
2024-07-17T16:42:27.466949+0200 | 2853193 | 49723 | 9196 | TCP | Malware Command and Control Activity Detected
2024-07-17T16:44:05.044084+0200 | 2852923 | 49723 | 9196 | TCP | Malware Command and Control Activity Detected
2024-07-17T16:44:05.188143+0200 | 2852870 | 9196 | 49723 | TCP | Malware Command and Control Activity Detected
2024-07-17T16:44:05.188143+0200 | 2852874 | 9196 | 49723 | TCP | Malware Command and Control Activity Detected
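Two observables in this report are the ones a detection engineer would want to check first: the process tree (an executable in the user's Desktop folder starting two InstallUtil.exe instances with no arguments) and the alert list (client port 49723 talking to server port 9196, with server-to-client alerts on the same flow). The Python below is an added example, not part of the Joe Sandbox report and not Joe Security's code; it runs that logic over event records constructed by hand from the page's process tree and alert rows. The parent PID of the initial sample is not given on the page and is left as None, the set of "user-writable" path fragments is an assumption of this example, and the rule that the lower-numbered port is the server side of a flow is a heuristic rather than something the report states.

```python
"""Added example (not from the Joe Sandbox report): detection logic over the
process tree and IDS alert rows listed above.

Every record below is constructed by hand from the page. The parent PID of
the initial sample is not on the page and is left as None."""
from collections import defaultdict
from datetime import datetime
import ntpath

SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed from the report's process tree: PIDs and paths as listed.
PROCESS_EVENTS = [
    {"pid": 5044, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2976, "ppid": 5044, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'},
    {"pid": 3136, "ppid": 5044, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'},
]

# Constructed from the report's alert rows: (timestamp, SID, src port, dst port).
ALERTS = [
    ("2024-07-17T16:44:05.044084+0200", 2852923, 49723, 9196),
    ("2024-07-17T16:42:27.466949+0200", 2853193, 49723, 9196),
    ("2024-07-17T16:40:04.502873+0200", 2840787, 49715, 443),
    ("2024-07-17T16:44:05.188143+0200", 2852870, 9196, 49723),
    ("2024-07-17T16:44:05.188143+0200", 2852874, 9196, 49723),
    ("2024-07-17T16:40:56.953871+0200", 2855924, 49723, 9196),
]

# Path fragments treated as user-writable (assumption for this example).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def _no_arguments(image, cmdline):
    """True when the command line is nothing but the image path, quoted or not."""
    return cmdline.strip() in (image, f'"{image}"')


def find_hollowed_installutil(events):
    """Return PIDs of InstallUtil.exe started with no arguments by a parent that
    runs from a user-writable path. InstallUtil expects an assembly to install
    or uninstall; with an empty argument list it has no legitimate work, which
    is the shape of the Process Injection signatures this report raises."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "installutil.exe":
            continue
        if not _no_arguments(e["image"], e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and any(frag in parent["image"].lower() for frag in USER_WRITABLE):
            hits.append(e["pid"])
    return sorted(hits)


def summarize_c2_flows(alerts):
    """Group alerts by TCP flow, record whether the server side answered, and
    measure the spacing between client-to-server alerts (beacon interval).
    Assumption: the lower port is the server side, since Windows picks client
    ports from the ephemeral range (49152 and up)."""
    flows = defaultdict(lambda: {"sids": set(), "client_ts": [], "bidirectional": False})
    for ts, sid, sport, dport in alerts:
        client, server = (sport, dport) if sport > dport else (dport, sport)
        flow = flows[(client, server)]
        flow["sids"].add(sid)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        if sport == client:
            flow["client_ts"].append(when)
        else:
            flow["bidirectional"] = True  # server -> client alert on this flow
    for flow in flows.values():
        stamps = sorted(flow["client_ts"])
        flow["client_ts"] = stamps
        flow["gaps_s"] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return dict(flows)


if __name__ == "__main__":
    print("InstallUtil hosts with no arguments:", find_hollowed_installutil(PROCESS_EVENTS))
    for (client, server), flow in summarize_c2_flows(ALERTS).items():
        print(f"{client}->{server}: sids={sorted(flow['sids'])} "
              f"bidirectional={flow['bidirectional']} gaps_s={flow['gaps_s']}")
```

On the report's data the first function returns both InstallUtil PIDs (2976 and 3136), and the 49723/9196 flow is bidirectional with client-side alert gaps of roughly 90 and 98 seconds; the 49715/443 flow has a single alert and no server response. Three alerts are too few to score periodicity, so the function reports the gaps rather than judging them.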
AV Detection
- Avira
- Malware Configuration Extractor
- ReversingLabs
- Integrated Neural Analysis Model
- Joe Sandbox ML
- String decryptor (8 hits)
- Static PE information
- Binary string (2 hits)
Networking
- Snort IDS (5 alerts)
- URLs
- TCP traffic
- ASN Name
- UDP traffic detected without corresponding DNS query
- DNS traffic detected
- String found in binary or memory (2 hits)
Key, Mouse, Clipboard, Microphone and Screen Capturing
- .Net Code
System Summary
- Matched rule (6 hits)
- Process Stats
- Code functions (74, in the report's own notation): 0_2_079D98A8, 0_2_01348385, 0_2_01344E98, 0_2_0134B2A0, 0_2_01347418, 0_2_01347A30, 0_2_01344E88, 0_2_0134B270, 0_2_0134BB4D, 0_2_075BA788, 0_2_075BE7A8, 0_2_075BC7A0, 0_2_075B2E78, 0_2_075BCEC9, 0_2_075BBB5F, 0_2_075BD89A, 0_2_075BD718, 0_2_075BC786, 0_2_075BE7A4, 0_2_075BF650, 0_2_075BF640, 0_2_075B2E45, 0_2_075BE6E2, 0_2_075BF45A, 0_2_075BEBE8, 0_2_079D87AD, 0_2_079D4350, 0_2_079D4A99, 0_2_079D7AA8, 0_2_079D9E40, 0_2_079D28E0, 0_2_079D4048, 0_2_079D2B80, 0_2_079DF728, 0_2_079D4340, 0_2_079D2B72, 0_2_079D7A98, 0_2_079D3210, 0_2_079D3200, 0_2_079D81D8, 0_2_079D81D1, 0_2_079DEDC8, 0_2_079D7CA1, 0_2_079D68D9, 0_2_079D28D2, 0_2_079D68E8, 0_2_079D0006, 0_2_079D4038, 0_2_079D0040, 0_2_079D3878, 0_2_079D3867, 0_2_07F134E8, 0_2_07F1EC48, 0_2_07F134D8, 0_2_07F1D410, 0_2_08313538, 0_2_0831E328, 0_2_0831E317, 0_2_08322AD0, 0_2_0832E830, 0_2_0832E608, 0_2_0832EC70, 0_2_0832EC60, 0_2_0832E840, 0_2_0832E288, 0_2_0832DF98, 0_2_08329D85, 0_2_0832DF88, 0_2_0832E5F8, 0_2_08322ACF, 4_2_02734460, 4_2_02731320, 4_2_02733848, 4_2_02733E69
- Binary or memory string (9 hits)
- Matched rule (6 hits)
- Cryptographic APIs (3 hits)
- Classification label
- File created
- Mutant created (2)
- File created
- Static PE information
- Static file information
- File read
- Key opened
- ReversingLabs
- Process created (5)
- Section loaded (54)
- Key value queried
- LNK file
- File opened
- Static PE information (2)
- Binary string (2)
Data Obfuscation
- File source (12 hits)
- .Net Code (3 hits)
- .Net Code (3 hits)
- Code functions (4, in the report's own notation): 0_2_07F1F651, 0_2_08310721, 0_2_08320256, 0_2_0832A003
- Static PE information
- High entropy of concatenated method names
- File created (dropped file)
- File created (2)
Hooking and other Techniques for Hiding and Protection
- File opened
- Process information set (95 hits)
Malware Analysis System Evasion
- File source
- WMI Queries
- Memory allocated (13)
- Thread delayed (3)
- Window / User API (2)
- Thread sleep time (4) and thread sleep count (3)
- File Volume queried (2)
- Thread delayed (3)
- Binary or memory string (4)
- Process information queried
- Process token adjusted (2)
- Memory allocated
HIPS / PFW / Operating System Protection Evasion
- Memory allocated (2)
- Memory written (2)
- Memory written (10)
- Process created (2)
- Queries volume information (12)
- Key value queried
- Binary or memory string
- WMI Queries
Stealing of Sensitive Information
- File source (10 hits)
Remote Access Functionality
- File source (10 hits)
MITRE ATT&CK techniques matched (numeric prefix as displayed in the report's matrix; tactics with no match are omitted):
- Initial Access: 1 Valid Accounts
- Execution: 11 Windows Management Instrumentation
- Persistence: 1 Valid Accounts; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
- Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 311 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
- Defense Evasion: 1 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 21 Software Packing; 1 DLL Side-Loading
- Credential Access: 1 Input Capture
- Discovery: 121 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
- Collection: 1 Input Capture; 11 Archive Collected Data
- Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol
Detection | Scanner | Label
---|---|---
61% | ReversingLabs | ByteCode-MSIL.Trojan.DarkTortilla
100% | Avira | HEUR/AGEN.1306792
100% | Joe Sandbox ML |

Detection | Scanner | Label
---|---|---
0% | ReversingLabs |

Detection | Scanner | Label
---|---|---
0% | URL Reputation | safe
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
---|---|---|---|---
nnx.linkworldlogiticservices.online | 168.119.55.248 | true | true | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
168.119.55.248 | nnx.linkworldlogiticservices.online | Germany | 24940 | HETZNER-ASDE | true
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1475143 |
Start date and time: | 2024-07-17 16:39:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/4@1/1 |
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Time | Type | Description |
---|---|---|
10:40:31 | API Interceptor | |
10:40:43 | API Interceptor | |
16:40:42 | Autostart |
Match | Context
---|---
HETZNER-ASDE | 10 earlier malicious samples seen on this ASN: Phisher, Unknown, Vidar, Unknown, RedLine (6)
Match | Detection | Threat Name |
---|---|---|
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | DarkTortilla, XWorm |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | DarkTortilla, XWorm |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | DarkTortilla, XWorm |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | DarkTortilla, XWorm |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | DarkTortilla, XWorm |
C:\Users\user\AppData\Roaming\diagaudio.exe | malicious | DarkTortilla, XWorm |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.log
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1216 |
Entropy (8bit): | 5.34331486778365 |
Encrypted: | false |
SSDEEP: | 24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea |
MD5: | 7B709BC412BEC5C3CFD861C041DAD408 |
SHA1: | 532EA6BB3018AE3B51E7A5788F614A6C49252BCF |
SHA-256: | 733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75 |
SHA-512: | B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29 |
Entropy (8bit): | 3.598349098128234 |
Encrypted: | false |
SSDEEP: | 3:rRSFYJKXzovNsra:EFYJKDoWra |
MD5: | 2C11513C4FAB02AEDEE23EC05A2EB3CC |
SHA1: | 59177C177B2546FBD8EC7688BAD19D08D32640DE |
SHA-256: | BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699 |
SHA-512: | 08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 779 |
Entropy (8bit): | 5.08365306878482 |
Encrypted: | false |
SSDEEP: | 12:8cvodm/CI4Ipnu8ChBlXIsY//Zp0Le+LDnt8M/jAwFs+HPJm3COomV:8c/2QDklXUWe+tLAw+AJmypm |
MD5: | E774A477DB4524756214502F357B2D65 |
SHA1: | 3321762F2A4C2BA87AB2644B510EA04A60F6E551 |
SHA-256: | ED44EFD1BEB45A66AAE80E844C135DF55B2DE94EAFB5F93E9B549A980C0EC032 |
SHA-512: | 51192CD9707A6F63113DE79A4B4118F030E6A8F14C664FA8C0089AD14124EF690F690355F521147C5F862B3D1167E746BDE1862CF944D810A52F9B1CDF00E699 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 42064 |
Entropy (8bit): | 6.19564898727408 |
Encrypted: | false |
SSDEEP: | 384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP |
MD5: | 5D4073B2EB6D217C19F2B22F21BF8D57 |
SHA1: | F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8 |
SHA-256: | AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3 |
SHA-512: | 9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 7.051736371232691 |
TrID: |
|
File name: | SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe |
File size: | 392'192 bytes |
MD5: | 8aae495569f2eba4371a7666c6066c2e |
SHA1: | bdb285e457e68fe05974e62671754277a3c22d5d |
SHA256: | 6664c76fa812ee8c12dfd4d5763a29d10b66b7f3beff780ff13e67dd667e575d |
SHA512: | aaa784cc6c7ce321b229b22b141c4e02886fe1e7274e78608f17a5e4336aa7c3b3837f3b2fedaf2c55d7e945c6f767920941cc531559de179341e1d851b05fe6 |
SSDEEP: | 6144:idF6sCOSqlT31ikgUS77g1UzvqPVdjtFKIdSM4LHCbvvw:YzSql31HgUS77gKzyPVhtFiMaHJ |
TLSH: | 1F84AC4E1BC9AA05C4BE367852B5102497F1F4CA2963F34F0AC465F67B737A19E423A3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Zt>.........."...P.............>.... ... ....@.. .......................`............`................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x46133e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x3E745A2E [Sun Mar 16 11:04:14 2003 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x612f0 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x3fc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x5f344 | 0x5f400 | 710d865f2ebdbd4350017522044510c1 | False | 0.690668061023622 | data | 7.0677126968600845 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x62000 | 0x3fc | 0x400 | 1b94706196efd08ec48d82c3481813a9 | False | 0.4267578125 | data | 3.4818051772188543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x64000 | 0xc | 0x200 | 5b3f91862b5c7835f3809918c5a4cede | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x62058 | 0x3a4 | data | | | 0.4356223175965665 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/17/24-16:42:27.466949 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49723 | 9196 | 192.168.2.6 | 168.119.55.248 |
07/17/24-16:40:56.953871 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49723 | 9196 | 192.168.2.6 | 168.119.55.248 |
07/17/24-16:44:05.044084 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49723 | 9196 | 192.168.2.6 | 168.119.55.248 |
07/17/24-16:44:05.188143 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 9196 | 49723 | 168.119.55.248 | 192.168.2.6 |
07/17/24-16:44:05.188143 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 9196 | 49723 | 168.119.55.248 | 192.168.2.6 |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
2024-07-17T16:44:05.044084+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49723 | 9196 | 192.168.2.6 | 168.119.55.248 |
2024-07-17T16:42:27.466949+0200 | TCP | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49723 | 9196 | 192.168.2.6 | 168.119.55.248 |
2024-07-17T16:40:04.502873+0200 | TCP | 2840787 | ETPRO HUNTING Request for config.json | 49715 | 443 | 192.168.2.6 | 184.28.90.27 |
2024-07-17T16:44:05.188143+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 9196 | 49723 | 168.119.55.248 | 192.168.2.6 |
2024-07-17T16:44:05.188143+0200 | TCP | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 9196 | 49723 | 168.119.55.248 | 192.168.2.6 |
2024-07-17T16:40:56.953871+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49723 | 9196 | 192.168.2.6 | 168.119.55.248 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 17, 2024 16:40:44.282222033 CEST | 61615 | 53 | 192.168.2.6 | 1.1.1.1 |
Jul 17, 2024 16:40:44.298877954 CEST | 53 | 61615 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 17, 2024 16:40:44.282222033 CEST | 192.168.2.6 | 1.1.1.1 | 0x9fdc | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 17, 2024 16:40:44.298877954 CEST | 1.1.1.1 | 192.168.2.6 | 0x9fdc | No error (0) | 168.119.55.248 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 10:39:56 |
Start date: | 17/07/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x870000 |
File size: | 392'192 bytes |
MD5 hash: | 8AAE495569F2EBA4371A7666C6066C2E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 10:39:59 |
Start date: | 17/07/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x60000 |
File size: | 42'064 bytes |
MD5 hash: | 5D4073B2EB6D217C19F2B22F21BF8D57 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Target ID: | 4 |
Start time: | 10:40:01 |
Start date: | 17/07/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x510000 |
File size: | 42'064 bytes |
MD5 hash: | 5D4073B2EB6D217C19F2B22F21BF8D57 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | false |
Analysis Process: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, PID: 5044, Parent PID: 4004
Execution Graph
Execution Coverage: | 17.5% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 16% |
Total number of Nodes: | 119 |
Total number of Limit Nodes: | 13 |
Function | Relevance | Strings | APIs | Instructions | Tag |
---|---|---|---|---|---|
08322AD0 | 5.6 | | | 5633 | |
08322ACF | 5.6 | | | 5633 | |
08313538 | 5.2 | | | 5170 | |
079D9E40 | 2.7 | 2 | | 182 | |
079D28E0 | 2.7 | 2 | | 167 | |
075BD89A | 2.7 | 2 | | 164 | |
079D28D2 | 1.4 | 1 | | 170 | |
075BA788 | 1.4 | 1 | | 149 | |
075B2E78 | 1.1 | | | 1084 | |
07F1EC48 | 0.8 | | | 806 | |
01348385 | 0.8 | | | 771 | |
07F134E8 | 0.6 | | | 596 | |
07F134D8 | 0.6 | | | 583 | |
01347418 | 0.4 | | | 450 | |
01347A30 | 0.4 | | | 441 | |
075BE6E2 | 0.4 | | | 390 | |
01344E98 | 0.3 | | | 326 | |
079D4A99 | 0.3 | | | 286 | |
075BE7A8 | 0.3 | | | 278 | |
075BE7A4 | 0.3 | | | 269 | |
079D7AA8 | 0.2 | | | 250 | |
0134B270 | 0.2 | | | 250 | |
079D7A98 | 0.2 | | | 241 | |
0134B2A0 | 0.2 | | | 233 | |
079D87AD | 0.2 | | | 189 | |
075BC786 | 0.2 | | | 185 | |
075BC7A0 | 0.2 | | | 177 | |
079D4350 | 0.2 | | | 150 | |
075BCEC9 | 0.1 | | | 147 | |
079D4340 | 0.1 | | | 146 | |
01344E88 | 0.1 | | | 145 | |
079D4038 | 0.1 | | | 120 | |
079D4048 | 0.1 | | | 118 | |
075BBB5F | 0.1 | | | 79 | |
Function | Relevance | Strings | APIs | Instructions | Tag |
---|---|---|---|---|---|
0832B548 | 2.1 | 1 | | 881 | |
0832BA45 | 1.8 | 1 | | 508 | |
079DD140 | 1.6 | | 1 | 63 | thread |
079DB378 | 1.6 | | 1 | 63 | thread |
079DC970 | 1.6 | | 1 | 60 | |
079D27D0 | 1.6 | | 1 | 59 | memory |
075BBAA9 | 1.6 | | 1 | 57 | memory |
0831B1D0 | 1.6 | | 1 | 56 | file |
079D27D8 | 1.6 | | 1 | 55 | memory |
075BBAB0 | 1.6 | | 1 | 55 | memory |
079DBE50 | 1.6 | | 1 | 53 | memory |
079DD3C8 | 1.5 | | 1 | 49 | thread |
079DFD90 | 1.5 | | 1 | 47 | |
079DBA20 | 1.5 | | 1 | 47 | window |
01349230 | 0.8 | | | 823 | |
08320E99 | 0.6 | | | 567 | |
08320EA8 | 0.6 | | | 561 | |
0134ACC1 | 0.5 | | | 482 | |
0832ADF6 | 0.5 | | | 452 | |
013468F8 | 0.4 | | | 433 | |
08320620 | 0.4 | | | 419 | |
0832A1E0 | 0.4 | | | 366 | |
0832B537 | 0.3 | | | 344 | |
0832AE64 | 0.3 | | | 331 | |
0832AEA7 | 0.3 | | | 312 | |
0832A197 | 0.3 | | | 289 | |
0832A1D1 | 0.3 | | | 276 | |
0134CDA8 | 0.3 | | | 272 | |
0832D3A8 | 0.3 | | | 264 | |
01346FE8 | 0.2 | | | 233 | |
0832D06C | 0.2 | | | 219 | |
01348EF0 | 0.2 | | | 213 | |
01344B43 | 0.2 | | | 212 | |
0134C238 | 0.2 | | | 201 | |
0134AA1C | 0.1 | | | 140 | |
0134A800 | 0.1 | | | 135 | |
013457F0 | 0.1 | | | 120 | |
01348CF0 | 0.1 | | | 110 | |
08321867 | 0.1 | | | 103 | |
013457E0 | 0.1 | | | 100 | |
01344560 | 0.1 | | | 98 | |
013459C0 | 0.1 | | | 95 | |
08320067 | 0.1 | | | 93 | |
08321880 | 0.1 | | | 91 | |
08320257 | 0.1 | | | 90 | |
01349111 | 0.1 | | | 89 | |
01349120 | 0.1 | | | 87 | |
0832CF70 | 0.1 | | | 82 | |
08320284 | 0.1 | | | 79 | |
013468D8 | 0.1 | | | 77 | |
01346E40 | 0.1 | | | 77 | |
0832CF80 | 0.1 | | | 74 | |
011ED01C | 0.1 | | | 72 | |
011ED1D4 | 0.1 | | | 72 | |
083202A0 | 0.1 | | | 68 | |
0134CA19 | 0.1 | | | 65 | |
0134FEB0 | 0.1 | | | 65 | |
011ED006 | 0.1 | | | 62 | |
0134E789 | 0.1 | | | 61 | |
0134A850 | 0.1 | | | 61 | |
0134E798 | 0.1 | | | 60 | |
01346E50 | 0.1 | | | 59 | |
01349DB8 | 0.1 | | | 58 | |
08320610 | 0.1 | | | 55 | |
0134A958 | 0.1 | | | 54 | |
011ED1CF | 0.1 | | | 53 | |
01346F22 | 0.1 | | | 52 | |
011DD789 | 0.0 | | | 45 | |
01348E38 | 0.0 | | | 44 | |
011DD788 | 0.0 | | | 36 | |
08320508 | 0.0 | | | 34 | |
08320557 | 0.0 | | | 31 | |
08320518 | 0.0 | | | 30 | |
01345390 | 0.0 | | | 27 | |
0832CF33 | 0.0 | | | 27 | |
0832A050 | 0.0 | | | 24 | |
08320568 | 0.0 | | | 23 | |
01347287 | 0.0 | | | 20 | |
01349C98 | 0.0 | | | 18 | |
01349E65 | 0.0 | | | 16 | |
01347298 | 0.0 | | | 12 | |
0832F298 | 0.0 | | | 12 | |
Function | Relevance | Strings | APIs | Instructions | Tag |
---|---|---|---|---|---|
075BD718 | 2.7 | 2 | | 153 | |
075BF650 | 1.5 | 1 | | 202 | |
075BF640 | 1.5 | 1 | | 201 | |
075B2E45 | 0.6 | | | 571 | |
079DEDC8 | 0.4 | | | 366 | |
0134BB4D | 0.3 | | | 328 | |
07F1D410 | 0.3 | | | 319 | |
079DF728 | 0.3 | | | 298 | |
0831E317 | 0.3 | | | 268 | |
0831E328 | 0.3 | | | 264 | |
08329D85 | 0.2 | | | 197 | |
0832E830 | 0.2 | | | 174 | |
0832E840 | 0.2 | | | 173 | |
0832DF98 | 0.2 | | | 160 | |
0832E288 | 0.2 | | | 159 | |
0832DF88 | 0.2 | | | 158 | |
0832EC60 | 0.1 | | | 131 | |
079D0006 | 0.1 | | | 125 | |
0832E5F8 | 0.1 | | | 116 | |
075BEBE8 | 0.1 | | | 114 | |
0832E608 | 0.1 | | | 113 | |
075BF45A | 0.1 | | | 111 | |
0832EC70 | 0.1 | | | 110 | |
079D0040 | 0.1 | | | 106 | |
079D7CA1 | 0.1 | | | 97 | |
079D3210 | 0.1 | | | 63 | |
079D2B80 | 0.1 | | | 60 | |
079D81D8 | 0.1 | | | 60 | |
079D2B72 | 0.1 | | | 60 | |
079D68E8 | 0.1 | | | 60 | |
079D3878 | 0.1 | | | 60 | |
079D3200 | 0.1 | | | 59 | |
079D3867 | 0.1 | | | 58 | |
079D68D9 | 0.1 | | | 56 | |
079D81D1 | 0.1 | | | 51 | |
Execution Graph
Execution Coverage: | 8.1% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 14 |
Total number of Limit Nodes: | 0 |
Function | Relevance | Strings | APIs | Instructions | Tag |
---|---|---|---|---|---|
0273A9D0 | 1.6 | | 1 | 65 | |
0273AED0 | 1.6 | | 1 | 65 | |
02735B80 | 1.6 | | 1 | 58 | |
02735B78 | 1.6 | | 1 | 57 | |
025CD0FC | 0.1 | | | 72 | |
025CD01C | 0.1 | | | 71 | |
025CD006 | 0.1 | | | 61 | |
025CD0F7 | 0.1 | | | 53 | |