Windows
Analysis Report
ExeFile (317).exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- ExeFile (317).exe (PID: 7076, cmdline: "C:\Users\user\Desktop\ExeFile (317).exe", MD5: 1D94974D27FC9127C69992D325AFBC89)
  - oleaut32.exe (PID: 6348, cmdline: "C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe", MD5: 1D94974D27FC9127C69992D325AFBC89)
- cleanup
Both images carry the same MD5: the sample wrote a byte-identical copy of itself into a new directory under SysWOW64, named it after a Windows system DLL, and started that copy.
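The process tree above is the kind of pattern an endpoint detection should catch on its own: a process starts a copy of itself (identical hash) from a new subdirectory of SysWOW64, under a file name that mimics a system DLL. The Python below is an added example written for this page, not code from the Joe Sandbox report. It runs three checks over Sysmon-style process-creation records; the first two records reuse the PIDs, image paths and MD5 from the report's process tree (parent process and parent hash of the sample are constructed placeholders), the third is a constructed benign event, and the DLL-stem list and the allowlisted SysWOW64 subdirectories are illustrative assumptions to be tuned per environment.

```python
import ntpath

# Illustrative assumption: stems of Windows system DLLs that should never show up
# as an .exe. Extend from your own inventory of %SystemRoot%\System32\*.dll.
SYSTEM_DLL_STEMS = {"oleaut32", "kernel32", "ntdll", "user32", "advapi32", "shell32", "ole32"}
# Illustrative assumption: System32/SysWOW64 subdirectories that legitimately hold executables.
KNOWN_SUBDIRS = {"windowspowershell", "wbem", "drivers", "config", "spool", "migwiz"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Sysmon-style process-creation records, constructed for this example. Records 1 and 2
# reuse the PIDs, paths and MD5 from the report; ppid/parent of the sample and the
# explorer.exe hash are placeholders. Record 3 is a benign control.
EVENTS = [
    {"pid": 7076, "ppid": 1234,
     "image": r"C:\Users\user\Desktop\ExeFile (317).exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "md5": "1D94974D27FC9127C69992D325AFBC89",
     "parent_md5": "00000000000000000000000000000000"},
    {"pid": 6348, "ppid": 7076,
     "image": r"C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe",
     "parent_image": r"C:\Users\user\Desktop\ExeFile (317).exe",
     "md5": "1D94974D27FC9127C69992D325AFBC89",
     "parent_md5": "1D94974D27FC9127C69992D325AFBC89"},
    {"pid": 4100, "ppid": 7000,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "md5": "11111111111111111111111111111111",
     "parent_md5": "00000000000000000000000000000000"},
]


def _normalize(path):
    """Case-fold and use backslashes so string comparisons are reliable."""
    return path.replace("/", "\\").lower()


def _system_subdir(path):
    """First directory component below System32/SysWOW64, or None when the
    image is not inside a subdirectory of either."""
    p = _normalize(path)
    for base in SYSTEM_DIRS:
        if p.startswith(base):
            parts = p[len(base):].split("\\")
            return parts[0] if len(parts) > 1 else None
    return None


def analyze_process_create(event):
    """Return the reasons this event looks like a self-copied, DLL-name-masquerading
    executable; an empty list means none of the checks fired."""
    reasons = []
    image = _normalize(event["image"])
    parent = _normalize(event["parent_image"])
    stem, ext = ntpath.splitext(ntpath.basename(image))
    # 1. Same bytes as the parent, but started from a different path: self-copy and relaunch.
    if event["md5"] == event["parent_md5"] and image != parent:
        reasons.append("parent started an identical copy of itself from another path")
    # 2. Executable living in a subdirectory of System32/SysWOW64 that is not on the allowlist.
    subdir = _system_subdir(image)
    if subdir is not None and subdir not in KNOWN_SUBDIRS:
        reasons.append(f"executable in non-standard system subdirectory '{subdir}'")
    # 3. File name borrows a system DLL's name with an .exe extension.
    if ext == ".exe" and stem in SYSTEM_DLL_STEMS:
        reasons.append(f"file name mimics system DLL '{stem}.dll'")
    return reasons


def find_masqueraded_self_copies(events):
    """Map pid -> reasons for every record that trips at least one check."""
    findings = {}
    for event in events:
        reasons = analyze_process_create(event)
        if reasons:
            findings[event["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_masqueraded_self_copies(EVENTS).items():
        print(pid, reasons)
```

Only the dropped copy (PID 6348) trips the checks, and it trips all three; the sample itself and the PowerShell control produce nothing. Check 1 is the strongest signal and needs no tuning, since a legitimate program has no reason to relaunch a byte-identical copy of itself from a different directory.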
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Emotet | Emotet began as banking malware organized as a botnet, but today it is mostly seen as infrastructure-as-a-service for payload delivery. Since mid-2018, for example, it has been used by Trickbot for installs, which can in turn lead to Ryuk ransomware attacks, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened a second business channel by selling its infrastructure to deliver additional malicious software. Malware analysts classify it into epochs according to its command and control, payloads, and delivery mechanisms, which change over time. Emotet was taken down by authorities in January 2021 but appears to have sprung back to life in November 2021. | | | |
Extracted malware configuration (RSA public key and C2 list, 97 entries):
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB",
 "C2 list": [
  "71.72.196.159:80", "134.209.36.254:8080", "120.138.30.150:8080", "94.23.216.33:80", "157.245.99.39:8080", "137.59.187.107:8080", "94.23.237.171:443", "61.19.246.238:443",
  "156.155.166.221:80", "50.35.17.13:80", "153.137.36.142:80", "91.211.88.52:7080", "209.141.54.221:8080", "185.94.252.104:443", "174.45.13.118:80", "87.106.136.232:8080",
  "62.75.141.82:80", "213.196.135.145:80", "188.219.31.12:80", "82.80.155.43:80", "187.161.206.24:80", "172.91.208.86:80", "124.41.215.226:80", "107.5.122.110:80",
  "200.123.150.89:443", "95.179.229.244:8080", "83.169.36.251:8080", "1.221.254.82:80", "95.213.236.64:8080", "181.169.34.190:80", "47.144.21.12:443", "203.153.216.189:7080",
  "89.216.122.92:80", "84.39.182.7:80", "94.200.114.161:80", "104.236.246.93:8080", "139.99.158.11:443", "176.111.60.55:8080", "78.24.219.147:8080", "220.245.198.194:80",
  "62.30.7.67:443", "139.162.108.71:8080", "104.32.141.43:80", "153.232.188.106:80", "93.147.212.206:80", "79.137.83.50:443", "96.249.236.156:443", "24.43.99.75:80",
  "75.80.124.4:80", "42.200.107.142:80", "110.5.16.198:80", "5.196.74.210:8080", "110.145.77.103:80", "200.114.213.233:8080", "85.152.162.105:80", "5.39.91.110:7080",
  "109.74.5.95:8080", "140.186.212.146:80", "37.187.72.193:8080", "97.82.79.83:80", "139.130.242.43:80", "201.173.217.124:443", "123.176.25.234:80", "104.131.44.150:8080",
  "74.208.45.104:8080", "139.59.60.244:8080", "120.150.60.189:80", "74.219.172.26:80", "219.75.128.166:80", "82.225.49.121:80", "85.105.205.77:8080", "24.179.13.119:80",
  "74.120.55.163:80", "174.102.48.180:443", "219.74.18.66:443", "168.235.67.138:7080", "194.187.133.160:443", "78.187.156.31:80", "103.86.49.11:8080", "61.92.17.12:80",
  "24.137.76.62:80", "104.131.11.150:443", "79.98.24.39:8080", "75.139.38.211:80", "162.241.242.173:8080", "195.251.213.56:80", "37.139.21.175:8080", "46.105.131.79:8080",
  "50.91.114.38:80", "121.124.124.40:7080", "74.134.41.124:80", "68.188.112.97:80", "137.119.36.33:80", "121.7.127.163:80", "87.106.139.101:8080", "94.1.108.190:443",
  "169.239.182.217:8080"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(not captured) | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
(not captured) | Windows_Trojan_Emotet_5528b3b0 | unknown | unknown | |
7 entries in total; the five visible alternate between the two rules above, and the source (file or memory dump) column was not captured.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(not captured) | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
(not captured) | Windows_Trojan_Emotet_5528b3b0 | unknown | unknown | |
15 entries in total; the five visible alternate between the two rules above, and the source (file or memory dump) column was not captured.
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) | (matched rule name not captured) |
IDS alerts (Suricata) |
---|
Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|---|
2024-08-20T18:07:21.955224+0200 | 2030868 | 1 | 49744 | 443 | TCP | A Network Trojan was detected |
2024-08-20T18:07:56.975897+0200 | 2854388 | 1 | 49730 | 80 | TCP | Malware Command and Control Activity Detected |
2024-08-20T18:08:21.130577+0200 | 2854388 | 1 | 49737 | 8080 | TCP | Malware Command and Control Activity Detected |
2024-08-20T18:08:26.272087+0200 | 2030868 | 1 | 49739 | 8080 | TCP | A Network Trojan was detected |
2024-08-20T18:08:30.100075+0200 | 2854388 | 1 | 49740 | 80 | TCP | Malware Command and Control Activity Detected |
2024-08-20T18:08:36.308902+0200 | 2854388 | 1 | 49741 | 8080 | TCP | Malware Command and Control Activity Detected |
2024-08-20T18:09:00.006506+0200 | 2854388 | 1 | 49742 | 8080 | TCP | Malware Command and Control Activity Detected |
2024-08-20T18:09:32.382105+0200 | 2854388 | 1 | 49745 | 80 | TCP | Malware Command and Control Activity Detected |
Destination IPs were not captured; the destination ports (80, 8080, 443) all occur in the extracted C2 list.
AV Detection |
---|
Source: | Avira, Malware Configuration Extractor, ReversingLabs, Integrated Neural Analysis Model, Joe Sandbox ML | (verdict details not captured) |
Source: | Code function: | 1_2_005E25A0, 1_2_005E2210, 1_2_005E1FA0 |
Source: | Static PE information: | (detail not captured) |
Source: | Binary string: | 2 entries (strings not captured) |
Source: | Code function: | 0_2_006238B0, 1_2_005E38B0 |
Networking |
---|
Individual entry details (addresses, URLs, strings) were not captured in this copy; counts are as in the report.
Source: | Suricata IDS: | 14 entries (see the IDS alerts listed under System Summary above) |
Source: | IPs: | 97 entries (the count matches the 97 C2 addresses in the extracted configuration) |
Source: | Network traffic detected: | 1 entry |
Source: | TCP traffic: | 4 entries |
Source: | IP Address: | 3 entries |
Source: | ASN Name: | 4 entries |
Source: | HTTP traffic detected: | 9 entries |
Source: | TCP traffic detected without corresponding DNS query: | 49 entries (expected, since the configuration carries raw IP:port pairs rather than domain names) |
Source: | HTTP traffic detected: | 1 entry |
Source: | String found in binary or memory: | 17 entries |
Source: | Network traffic detected: | 4 entries |
E-Banking Fraud |
---|
Source: | File source: | 16 entries (file and dump names not captured) |
Source: | Code function: | 1_2_005E25A0 |
System Summary |
---|
Individual entry details (rule names, paths, strings, module names) were not captured in this copy; counts and function addresses are as in the report. Function addresses prefixed 0_2_ belong to the first process in the tree (the sample) and 1_2_ to the second (the dropped copy); several pairs differ by a constant 0x40000 (for example 0_2_006238B0 and 1_2_005E38B0, 0_2_00539C6E and 1_2_004F9C6E), consistent with the same unpacked code mapped at a different base address in the child.
Source: | Matched rule: | 16 entries |
Source: | File created: | (path not captured) |
Source: | File deleted: | (path not captured) |
Source: | Code function: | 0_2_006280D0, 0_2_00627D60, 0_2_00621C70, 0_2_00627530, 0_2_006263F0, 0_2_00539C6E, 0_2_0053380E, 0_2_005390CE, 0_2_005398FE, 1_2_005E80D0, 1_2_005E1C70, 1_2_005E7D60, 1_2_005E7530, 1_2_005E63F0, 1_2_004F9C6E, 1_2_004F380E, 1_2_004F90CE, 1_2_004F98FE |
Source: | Static PE information: | (detail not captured) |
Source: | Binary or memory string: | 2 entries |
Source: | Static PE information: | (detail not captured) |
Source: | Matched rule: | 16 entries |
Source: | Classification label: | (not captured) |
Source: | Code function: | 0_2_0040E170 |
Source: | Code function: | 0_2_0040E220, 1_2_0040E220 |
Source: | Code function: | 0_2_00628660 |
Source: | Code function: | 0_2_0040F510 |
Source: | Code function: | 0_2_00624F50 |
Source: | Command line argument: | 0_2_0040FA80 (11 entries), 1_2_0040FA80 (11 entries); argument strings not captured |
Source: | Static PE information: | (detail not captured) |
Source: | File read: | (path not captured) |
Source: | Key opened: | (key not captured) |
Source: | ReversingLabs: | (detail not captured) |
Source: | Process created: | 3 entries (see the process tree under Classification) |
Source: | Section loaded: | 42 entries (module names not captured) |
Source: | Key value queried: | (key not captured) |
Source: | Static PE information: | 6 entries |
Source: | Static PE information: | 1 entry |
Source: | Binary string: | 2 entries |
Source: | Static PE information: | 5 entries |
Source: | Code function: | 0_2_00415F77 |
Source: | Static PE information: | 1 entry |
Source: | Code function: | 0_2_00411ED8, 0_2_00625C51, 0_2_00625CF1, 0_2_00625CD1, 0_2_00625C91, 0_2_00625D71, 0_2_00625D21, 0_2_00625DE1, 0_2_00625DB1, 0_2_00625E41, 0_2_00625EE1, 0_2_00625EA1, 0_2_00537A7F, 0_2_0053786F, 0_2_0053E01A, 0_2_00537A3F, 0_2_0053782F, 0_2_0053788F, 0_2_005378BF, 0_2_0053794F, 0_2_0053797F, 0_2_0053790F, 0_2_005379DF, 0_2_005377EF, 1_2_00411ED8, 1_2_005E5C51, 1_2_005E5CD1, 1_2_005E5CF1, 1_2_005E5C91, 1_2_005E5D71, 1_2_005E5D21 |
Persistence and Installation Behavior |
---|
Source: | Executable created and started: | (path not captured; the process tree shows C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe) |
Source: | PE file moved: | (path not captured) |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File opened: | (path not captured) |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_0-23298 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | (detail not captured) |
Source: | File Volume queried: | (detail not captured) |
Source: | Code function: | 0_2_006238B0, 1_2_005E38B0 |
Source: | Binary or memory string: | 3 entries (strings not captured) |
Source: | API call chain: | graph_0-23404, graph_0-23057, graph_1-23200, graph_1-23037 |
Source: | Process information queried: | (detail not captured) |
Source: | Code function: | 0_2_0040E930 |
Source: | Code function: | 0_2_00411C5F |
Source: | Code function: | 0_2_00415F77 |
Source: | Code function: | 0_2_00624D00, 0_2_00623E40, 0_2_00530456, 0_2_00530C9F, 0_2_0053689E, 0_2_005359DE, 0_2_00641030, 1_2_005E4D00, 1_2_005E3E40, 1_2_004F0456, 1_2_004F0C9F, 1_2_004F689E, 1_2_004F59DE, 1_2_020D1030 |
Source: | Code function: | 0_2_00623060 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | (detail not captured) |
Source: | Code function: | 0_2_00411C5F, 0_2_004100FB, 0_2_00413E30, 1_2_00411C5F, 1_2_004100FB, 1_2_00413E30 |
Source: | Queries volume information: | (detail not captured) |
Source: | Code function: | 0_2_00414640 |
Source: | Code function: | 0_2_0040F510 |
Source: | Code function: | 1_2_005E52E0 |
Source: | Key value queried: | (detail not captured) |
Stealing of Sensitive Information |
---|
Source: | File source: | 16 entries (file and dump names not captured) |
MITRE ATT&CK matrix. A number in front of a technique name is the count of matched signatures for that technique; techniques without a number were not observed and are listed only to complete the matrix.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 2 Windows Service | 1 Access Token Manipulation | 12 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 22 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 2 Windows Service | 1 Access Token Manipulation | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 11 Native API | Logon Script (Windows) | 1 Process Injection | 1 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Hidden Files and Directories | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 15 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Detection | Scanner | Label |
---|---|---|
92% | ReversingLabs | Win32.Trojan.Emotet |
100% | Avira | HEUR/AGEN.1318091 |
100% | Joe Sandbox ML | |
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
20 URLs were checked (the URLs themselves were not captured); every one returned 0%, safe.
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
9 entries (names not captured) | true | (not captured) | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
11 entries (names not captured) | (not captured) | false | (not captured) | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
94.200.114.161 | unknown | United Arab Emirates | 15802 | DU-AS1AE | true |
71.72.196.159 | unknown | United States | 10796 | TWC-10796-MIDWESTUS | true |
85.152.162.105 | unknown | Spain | 12946 | TELECABLESpainES | true |
174.102.48.180 | unknown | United States | 10796 | TWC-10796-MIDWESTUS | true |
169.239.182.217 | unknown | South Africa | 37153 | xneeloZA | true |
200.123.150.89 | unknown | Argentina | 16814 | NSSSAAR | true |
220.245.198.194 | unknown | Australia | 7545 | TPG-INTERNET-APTPGTelecomLimitedAU | true |
104.131.11.150 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true |
176.111.60.55 | unknown | Ukraine | 24703 | UN-UKRAINE-ASKievUkraineUA | true |
94.23.237.171 | unknown | France | 16276 | OVHFR | true |
187.161.206.24 | unknown | Mexico | 11888 | TelevisionInternacionalSAdeCVMX | true |
139.162.108.71 | unknown | Netherlands | 63949 | LINODE-APLinodeLLCUS | true |
156.155.166.221 | unknown | South Africa | 37611 | AfrihostZA | true |
104.32.141.43 | unknown | United States | 20001 | TWC-20001-PACWESTUS | true |
94.1.108.190 | unknown | United Kingdom | 5607 | BSKYB-BROADBAND-ASGB | true |
87.106.139.101 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true |
213.196.135.145 | unknown | Switzerland | 21040 | DATAPARKCH | true |
62.30.7.67 | unknown | United Kingdom | 5089 | NTLGB | true |
79.98.24.39 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | true |
107.5.122.110 | unknown | United States | 7922 | COMCAST-7922US | true |
75.139.38.211 | unknown | United States | 20115 | CHARTER-20115US | true |
87.106.136.232 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true |
110.5.16.198 | unknown | Japan | 4685 | ASAHI-NETAsahiNetJP | true |
104.131.44.150 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true |
62.75.141.82 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | true |
124.41.215.226 | unknown | Nepal | 17501 | WLINK-NEPAL-AS-APWorldLinkCommunicationsPvtLtdNP | true |
172.91.208.86 | unknown | United States | 20001 | TWC-20001-PACWESTUS | true |
37.139.21.175 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true |
153.137.36.142 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true |
194.187.133.160 | unknown | Bulgaria | 13124 | IBGCBG | true |
24.43.99.75 | unknown | United States | 20001 | TWC-20001-PACWESTUS | true |
95.213.236.64 | unknown | Russian Federation | 49505 | SELECTELRU | true |
46.105.131.79 | unknown | France | 16276 | OVHFR | true |
139.130.242.43 | unknown | Australia | 1221 | ASN-TELSTRATelstraCorporationLtdAU | true |
82.80.155.43 | unknown | Israel | 8551 | BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL | true |
110.145.77.103 | unknown | Australia | 1221 | ASN-TELSTRATelstraCorporationLtdAU | true |
61.92.17.12 | unknown | Hong Kong | 9269 | HKBN-AS-APHongKongBroadbandNetworkLtdHK | true |
120.150.60.189 | unknown | Australia | 1221 | ASN-TELSTRATelstraCorporationLtdAU | true |
93.147.212.206 | unknown | Italy | 30722 | VODAFONE-IT-ASNIT | true |
91.211.88.52 | unknown | Ukraine | 206638 | HOSTFORYUA | true |
153.232.188.106 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true |
68.188.112.97 | unknown | United States | 20115 | CHARTER-20115US | true |
140.186.212.146 | unknown | United States | 11232 | MIDCO-NETUS | true |
121.7.127.163 | unknown | Singapore | 9506 | SINGTEL-FIBRESingtelFibreBroadbandSG | true |
50.35.17.13 | unknown | United States | 27017 | ZIPLY-FIBER-LEGACY-ASNUS | true |
157.245.99.39 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true |
203.153.216.189 | unknown | Indonesia | 45291 | SURF-IDPTSurfindoNetworkID | true |
174.45.13.118 | unknown | United States | 33588 | BRESNAN-33588US | true |
162.241.242.173 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true |
96.249.236.156 | unknown | United States | 701 | UUNETUS | true |
123.176.25.234 | unknown | Maldives | 7642 | DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV | true |
85.105.205.77 | unknown | Turkey | 9121 | TTNETTR | true |
74.120.55.163 | unknown | Canada | 32315 | WJBTN-ASCA | true |
200.114.213.233 | unknown | Argentina | 10318 | TelecomArgentinaSAAR | true |
50.91.114.38 | unknown | United States | 33363 | BHN-33363US | true |
78.24.219.147 | unknown | Russian Federation | 29182 | THEFIRST-ASRU | true |
24.179.13.119 | unknown | United States | 20115 | CHARTER-20115US | true |
139.99.158.11 | unknown | Canada | 16276 | OVHFR | true |
201.173.217.124 | unknown | Mexico | 11888 | TelevisionInternacionalSAdeCVMX | true |
134.209.36.254 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
75.80.124.4 | unknown | United States | 20001 | TWC-20001-PACWESTUS | true | |
195.251.213.56 | unknown | Greece | 12364 | UOMGR | true | |
121.124.124.40 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true | |
47.144.21.12 | unknown | United States | 5650 | FRONTIER-FRTRUS | true | |
139.59.60.244 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true | |
61.19.246.238 | unknown | Thailand | 9335 | CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH | true | |
168.235.67.138 | unknown | United States | 3842 | RAMNODEUS | true | |
137.59.187.107 | unknown | Hong Kong | 18106 | VIEWQWEST-SG-APViewqwestPteLtdSG | true | |
219.74.18.66 | unknown | Singapore | 9506 | SINGTEL-FIBRESingtelFibreBroadbandSG | true | |
78.187.156.31 | unknown | Turkey | 9121 | TTNETTR | true | |
188.219.31.12 | unknown | Italy | 30722 | VODAFONE-IT-ASNIT | true | |
83.169.36.251 | unknown | Germany | 20773 | GODADDYDE | true | |
74.134.41.124 | unknown | United States | 10796 | TWC-10796-MIDWESTUS | true | |
42.200.107.142 | unknown | Hong Kong | 4760 | HKTIMS-APHKTLimitedHK | true | |
5.196.74.210 | unknown | France | 16276 | OVHFR | true | |
1.221.254.82 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true | |
74.208.45.104 | unknown | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
120.138.30.150 | unknown | New Zealand | 45179 | SITEHOST-AS-APSiteHostNewZealandNZ | true | |
84.39.182.7 | unknown | Spain | 15704 | AS15704ES | true | |
97.82.79.83 | unknown | United States | 20115 | CHARTER-20115US | true | |
24.137.76.62 | unknown | Canada | 11260 | EASTLINK-HSICA | true | |
82.225.49.121 | unknown | France | 12322 | PROXADFR | true | |
37.187.72.193 | unknown | France | 16276 | OVHFR | true | |
181.169.34.190 | unknown | Argentina | 10318 | TelecomArgentinaSAAR | true | |
95.179.229.244 | unknown | Netherlands | 20473 | AS-CHOOPAUS | true | |
109.74.5.95 | unknown | Sweden | 43948 | GLESYS-ASSE | true | |
74.219.172.26 | unknown | United States | 5787 | SNAPONSBSUS | true | |
79.137.83.50 | unknown | France | 16276 | OVHFR | true | |
103.86.49.11 | unknown | Thailand | 58955 | BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH | true | |
209.141.54.221 | unknown | United States | 53667 | PONYNETUS | true | |
89.216.122.92 | unknown | Serbia | 31042 | SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze | true | |
185.94.252.104 | unknown | Germany | 197890 | MEGASERVERS-DE | true | |
5.39.91.110 | unknown | France | 16276 | OVHFR | true | |
137.119.36.33 | unknown | United States | 11426 | TWC-11426-CAROLINASUS | true | |
104.236.246.93 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
94.23.216.33 | unknown | France | 16276 | OVHFR | true | |
219.75.128.166 | unknown | Japan | 17511 | OPTAGEOPTAGEIncJP | true | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1495943 |
Start date and time: | 2024-08-20 18:06:34 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 31s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | ExeFile (317).exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@3/0@0/97 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: ExeFile (317).exe
Match (IP) | Related samples | Detection | Threat Name |
---|---|---|---|
94.200.114.161 | 2 | malicious | Emotet, Emotet |
71.72.196.159 | 3 | malicious | Emotet, Emotet, Unknown |
85.152.162.105 | 10 | malicious | Emotet (all 10) |

The sample name, SHA256 and link columns of the IP and ASN match tables are empty in the captured report; only the per-sample detection and threat name survived.
Match (ASN) | Related samples | Detection | Threat Name |
---|---|---|---|
TWC-10796-MIDWESTUS | 10 | malicious | Emotet (all 10) |
TWC-10796-MIDWESTUS | 10 | malicious | Emotet (all 10) |
TELECABLESpainES | 10 | malicious | Emotet (8), Unknown (1), Mirai (1) |
DU-AS1AE | 10 | malicious | Emotet (all 10) |
File type: | |
Entropy (8bit): | 6.185263206813159 |
TrID: | |
File name: | ExeFile (317).exe |
File size: | 437'248 bytes |
MD5: | 1d94974d27fc9127c69992d325afbc89 |
SHA1: | f238ed9987b52b8368c872804e64fea64360f0be |
SHA256: | 8c040d75defb681d1757421cad1fde62b74ba124a23e3b9ab3826d9806dcb35a |
SHA512: | f700f54141b1d7d628bb2c64b2d6aae85225d9839d79b16c7179ccc86210723eb3d237c453b1e15fbe19eb150cc688470cb833c47b7e3a7dcd285ecc0491098b |
SSDEEP: | 6144:vXBr9LW/6DUvum8471YQvq6H/iaRT8oITZO/rVurq:vXdNDDUvum845lv7Ha+ThmZo5uG |
TLSH: | 27947B136AC4C138F4961B35F8AAEAF14391BD1A5F3882CBFEC4775B6D671809C36606 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|..L...L...L...#k..\...#k*.,...Ee..A...L...<...#k+.e...#k..M...k.[.M...#k..M...RichL...................PE..L.....e_........... |
Icon Hash: | 0e0e0f0d1e3add1f |
Entrypoint: | 0x410a9b |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5F6508C3 [Fri Sep 18 19:21:39 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 39948763cc1873dc50981ea479aab099 |
Instruction |
---|
call 00007FCFE4E11625h |
jmp 00007FCFE4E0D90Eh |
mov edi, edi |
push ebp |
mov ebp, esp |
mov edx, dword ptr [ebp+08h] |
push esi |
push edi |
test edx, edx |
je 00007FCFE4E0DA89h |
mov edi, dword ptr [ebp+0Ch] |
test edi, edi |
jne 00007FCFE4E0DA95h |
call 00007FCFE4E0EDF2h |
push 00000016h |
pop esi |
mov dword ptr [eax], esi |
call 00007FCFE4E0ED96h |
mov eax, esi |
jmp 00007FCFE4E0DAB5h |
mov eax, dword ptr [ebp+10h] |
test eax, eax |
jne 00007FCFE4E0DA86h |
mov byte ptr [edx], al |
jmp 00007FCFE4E0DA64h |
mov esi, edx |
sub esi, eax |
mov cl, byte ptr [eax] |
mov byte ptr [esi+eax], cl |
inc eax |
test cl, cl |
je 00007FCFE4E0DA85h |
dec edi |
jne 00007FCFE4E0DA75h |
test edi, edi |
jne 00007FCFE4E0DA93h |
mov byte ptr [edx], 00000000h |
call 00007FCFE4E0EDBCh |
push 00000022h |
pop ecx |
mov dword ptr [eax], ecx |
mov esi, ecx |
jmp 00007FCFE4E0DA48h |
xor eax, eax |
pop edi |
pop esi |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
test ecx, 00000003h |
je 00007FCFE4E0DAA6h |
mov al, byte ptr [ecx] |
add ecx, 01h |
test al, al |
je 00007FCFE4E0DAD0h |
test ecx, 00000003h |
jne 00007FCFE4E0DA71h |
add eax, 00000000h |
lea esp, dword ptr [esp+00000000h] |
lea esp, dword ptr [esp+00000000h] |
mov eax, dword ptr [ecx] |
mov edx, 7EFEFEFFh |
add edx, eax |
xor eax, FFFFFFFFh |
xor eax, edx |
add ecx, 04h |
test eax, 81010100h |
je 00007FCFE4E0DA6Ah |
mov eax, dword ptr [ecx-04h] |
test al, al |
je 00007FCFE4E0DAB4h |
test ah, ah |
je 00007FCFE4E0DAA6h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1c9f0 | 0x42 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c01c | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x4c1f0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6f000 | 0xeec | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x191f0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1b838 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19000 | 0x1ac | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x17a6e | 0x17c00 | 2918294d11fcf50d51f870e66a4e619e | False | 0.5352487664473684 | DOS executable (COM) | 6.120585434914318 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x19000 | 0x3a32 | 0x3c00 | 7fb0ff3fe31bdade0801fee9c309da5a | False | 0.3529296875 | data | 4.851518814724672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1d000 | 0x416c | 0x1000 | c6306a330127025aa96c1b57a0fcd902 | False | 0.221923828125 | data | 2.5497119214608133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x22000 | 0x4c1f0 | 0x4c200 | add876cb58db3633c854af0e75fe9ec8 | False | 0.31388867508210183 | data | 6.141207657208505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x6f000 | 0x1d30 | 0x1e00 | ea9aac25c86f4cd5d2db5957b7bc6e8f | False | 0.4217447916666667 | data | 4.176257282412653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
DAGHHHHHTY | 0x22520 | 0xde00 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | English | United States | 0.506809543918919 |
RT_ICON | 0x30320 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x328c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x34e70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x37418 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x399c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x3bf68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x3e510 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x40ab8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x43060 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x45608 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x47bb0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x4a158 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x4c700 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x4eca8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x51250 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x537f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x55da0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x58348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x5a8f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_ICON | 0x5ce98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522 |
RT_GROUP_ICON | 0x5f440 | 0x11e | data | English | United States | 0.24125874125874125 |
RT_MANIFEST | 0x5f560 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
None | 0x5f6bc | 0xeb33 | data | English | United States | 1.0004318147846738 |
DLL | Import |
---|---|
KERNEL32.dll | VirtualAlloc, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, CreateThread, SetStdHandle, SetFilePointer, WriteConsoleW, LoadLibraryW, GetStringTypeW, LCMapStringW, FlushFileBuffers, GetConsoleMode, GetConsoleCP, HeapReAlloc, MultiByteToWideChar, CreateProcessW, OpenProcess, TerminateProcess, QueryFullProcessImageNameW, CloseHandle, GetCurrentProcess, GetLastError, FormatMessageW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetSystemTimeAsFileTime, HeapAlloc, RaiseException, RtlUnwind, EncodePointer, DecodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, HeapFree, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetProcAddress, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, CreateFileW |
USER32.dll | SendMessageW, CreateWindowExW, wsprintfW, LoadIconW, LoadCursorW, RegisterClassExW, SetTimer, UpdateWindow, GetMessageW, TranslateMessage, DispatchMessageW, PostQuitMessage, ShowWindow, MessageBoxW, SetWindowTextW, GetWindowTextW, DefWindowProcW |
ADVAPI32.dll | GetUserNameW, GetTokenInformation, LookupAccountSidW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges |
COMCTL32.dll | InitCommonControlsEx |
PSAPI.DLL | GetProcessMemoryInfo |
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
Name | Ordinal | Address |
---|---|---|
Run | 1 | 0x40ec40 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
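The section, resource, import and export tables above are the output of a static triage pass. Two rows deserve a closer look: the `DAGHHHHHTY` resource is a complete PE32 DLL carried inside `.rsrc`, and the unnamed `None` resource of 0xeb33 bytes has a ZLIB complexity above 1.0, i.e. it does not compress at all, which is what encrypted or already-compressed data looks like. A quick consistency check on the section table: the raw sizes (0x17c00 + 0x3c00 + 0x1000 + 0x4c200 + 0x1e00 = 0x6a800) leave exactly 0x400 bytes for the headers in the 437,248-byte file, so this sample carries no overlay. The following is an added example, not Joe Sandbox's or the sample's code: a stdlib-only parser that walks the section table, reports per-section entropy and execute flag, scans each section for an embedded PE image and measures any overlay past the last section. It runs on a PE it constructs itself; `build_pe`, `build_sample` and `pseudo_random` are demo assumptions, not the analysed file.

```python
# Added example, not Joe Sandbox's or the sample's code: stdlib-only PE triage that
# reproduces the section-entropy, embedded-image and overlay checks behind the tables above.
# It runs on a PE it constructs itself (build_pe/build_sample are demo assumptions).
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 means incompressible (encrypted/compressed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """DOS header -> 'PE\\0\\0' -> COFF header -> section table.
    Returns (name, virtual_address, raw_offset, raw_size, characteristics) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                    # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, vaddr, roff, rsize, chars))
    return sections

def find_embedded_pe(blob: bytes):
    """Offsets of 'MZ' headers inside blob whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if 0x40 <= lfanew < 0x1000 and blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def triage(pe: bytes) -> dict:
    """Per-section entropy/execute flag, embedded PE images, and any overlay after the last section."""
    report = {"sections": [], "embedded": [], "overlay": None}
    end = 0
    for name, _vaddr, roff, rsize, chars in parse_sections(pe):
        raw = pe[roff:roff + rsize]
        report["sections"].append({"name": name, "entropy": round(entropy(raw), 3),
                                   "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
        report["embedded"] += [(name, roff + hit) for hit in find_embedded_pe(raw)]
        end = max(end, roff + rsize)
    if end < len(pe):                                   # bytes appended after the last section
        tail = pe[end:]
        report["overlay"] = {"offset": end, "size": len(tail), "entropy": round(entropy(tail), 3)}
    return report

def build_pe(sections, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 whose headers are just complete enough for parse_sections()."""
    align, hdr_size = 0x200, 0x400
    opt = bytearray(224)                                # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)               # magic: PE32
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5F6508C3, 0, 0, len(opt), 0x102)
    table, body, roff, vaddr = bytearray(), bytearray(), hdr_size, 0x1000
    for name, data, chars in sections:
        padded = data + b"\0" * (-len(data) % align)
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), vaddr, len(padded), roff, 0, 0, 0, 0, chars)
        body += padded
        roff += len(padded)
        vaddr += (len(padded) + 0xFFF) & ~0xFFF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: NT headers right after the DOS header
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(hdr_size, b"\0") + bytes(body) + overlay

def pseudo_random(n: int, seed: bytes = b"constructed overlay") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload blob."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample() -> bytes:
    """Constructed stand-in: a host PE with a small PE inside .rsrc and an encrypted-looking overlay."""
    inner = build_pe([(b".text", b"\xcc" * 16, 0x60000020)])
    rsrc = b"\0" * 0x20 + inner + b"\0" * 0x10
    return build_pe([(b".text", b"\xcc" * 64, 0x60000020), (b".rsrc", rsrc, 0x40000040)],
                    overlay=pseudo_random(4096))

SAMPLE = build_sample()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample `triage()` reports the inner image at file offset 0x620 inside `.rsrc`, a low-entropy executable `.text`, and a 4096-byte overlay at 0xe00 with entropy close to 8; on a real file the same numbers are what you compare against the section and resource tables. The embedded-image scan deliberately checks `e_lfanew` and the `PE\0\0` signature rather than trusting the resource directory, because a resource type name like `DAGHHHHHTY` tells you nothing and a packer can hide the image outside the directory entirely.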
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|---|
2024-08-20T18:08:26.272087+0200 | TCP | 2030868 | ET MALWARE Win32/Emotet CnC Activity (POST) M10 | 1 | 49739 | 8080 | 192.168.2.4 | 120.138.30.150 |
2024-08-20T18:08:30.100075+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49740 | 80 | 192.168.2.4 | 94.23.216.33 |
2024-08-20T18:08:21.130577+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49737 | 8080 | 192.168.2.4 | 134.209.36.254 |
2024-08-20T18:09:00.006506+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49742 | 8080 | 192.168.2.4 | 137.59.187.107 |
2024-08-20T18:07:56.975897+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49730 | 80 | 192.168.2.4 | 71.72.196.159 |
2024-08-20T18:09:32.382105+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49745 | 80 | 192.168.2.4 | 156.155.166.221 |
2024-08-20T18:07:21.955224+0200 | TCP | 2030868 | ET MALWARE Win32/Emotet CnC Activity (POST) M10 | 1 | 49744 | 443 | 192.168.2.4 | 61.19.246.238 |
2024-08-20T18:08:36.308902+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49741 | 8080 | 192.168.2.4 | 157.245.99.39 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 20, 2024 18:07:35.557763100 CEST | 49730 | 80 | 192.168.2.4 | 71.72.196.159 |
Aug 20, 2024 18:07:35.562776089 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:35.562850952 CEST | 49730 | 80 | 192.168.2.4 | 71.72.196.159 |
Aug 20, 2024 18:07:35.563587904 CEST | 49730 | 80 | 192.168.2.4 | 71.72.196.159 |
Aug 20, 2024 18:07:35.563635111 CEST | 49730 | 80 | 192.168.2.4 | 71.72.196.159 |
Aug 20, 2024 18:07:35.568464994 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:35.568480015 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:35.568511009 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:35.568521023 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:35.573182106 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:56.975836039 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:56.975897074 CEST | 49730 | 80 | 192.168.2.4 | 71.72.196.159 |
Aug 20, 2024 18:07:56.976006031 CEST | 49730 | 80 | 192.168.2.4 | 71.72.196.159 |
Aug 20, 2024 18:07:56.980730057 CEST | 80 | 49730 | 71.72.196.159 | 192.168.2.4 |
Aug 20, 2024 18:07:59.750101089 CEST | 49737 | 8080 | 192.168.2.4 | 134.209.36.254 |
Aug 20, 2024 18:07:59.755081892 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:07:59.755170107 CEST | 49737 | 8080 | 192.168.2.4 | 134.209.36.254 |
Aug 20, 2024 18:07:59.755335093 CEST | 49737 | 8080 | 192.168.2.4 | 134.209.36.254 |
Aug 20, 2024 18:07:59.755386114 CEST | 49737 | 8080 | 192.168.2.4 | 134.209.36.254 |
Aug 20, 2024 18:07:59.760215998 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:07:59.760226965 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:07:59.760236979 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:07:59.760253906 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:07:59.760596991 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:08:21.130495071 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:08:21.130577087 CEST | 49737 | 8080 | 192.168.2.4 | 134.209.36.254 |
Aug 20, 2024 18:08:21.130683899 CEST | 49737 | 8080 | 192.168.2.4 | 134.209.36.254 |
Aug 20, 2024 18:08:21.135564089 CEST | 8080 | 49737 | 134.209.36.254 | 192.168.2.4 |
Aug 20, 2024 18:08:24.217974901 CEST | 49739 | 8080 | 192.168.2.4 | 120.138.30.150 |
Aug 20, 2024 18:08:24.223268032 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:24.223378897 CEST | 49739 | 8080 | 192.168.2.4 | 120.138.30.150 |
Aug 20, 2024 18:08:24.223545074 CEST | 49739 | 8080 | 192.168.2.4 | 120.138.30.150 |
Aug 20, 2024 18:08:24.223578930 CEST | 49739 | 8080 | 192.168.2.4 | 120.138.30.150 |
Aug 20, 2024 18:08:24.228647947 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:24.228657961 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:24.228667974 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:24.228676081 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:24.228787899 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:26.272000074 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:26.272087097 CEST | 49739 | 8080 | 192.168.2.4 | 120.138.30.150 |
Aug 20, 2024 18:08:26.272178888 CEST | 49739 | 8080 | 192.168.2.4 | 120.138.30.150 |
Aug 20, 2024 18:08:26.277124882 CEST | 8080 | 49739 | 120.138.30.150 | 192.168.2.4 |
Aug 20, 2024 18:08:28.470295906 CEST | 49740 | 80 | 192.168.2.4 | 94.23.216.33 |
Aug 20, 2024 18:08:28.475697041 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:28.475837946 CEST | 49740 | 80 | 192.168.2.4 | 94.23.216.33 |
Aug 20, 2024 18:08:28.476016045 CEST | 49740 | 80 | 192.168.2.4 | 94.23.216.33 |
Aug 20, 2024 18:08:28.476069927 CEST | 49740 | 80 | 192.168.2.4 | 94.23.216.33 |
Aug 20, 2024 18:08:28.481153011 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:28.481203079 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:28.481211901 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:28.481220007 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:28.481231928 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:30.099977016 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:30.100075006 CEST | 49740 | 80 | 192.168.2.4 | 94.23.216.33 |
Aug 20, 2024 18:08:30.100178003 CEST | 49740 | 80 | 192.168.2.4 | 94.23.216.33 |
Aug 20, 2024 18:08:30.105140924 CEST | 80 | 49740 | 94.23.216.33 | 192.168.2.4 |
Aug 20, 2024 18:08:34.086340904 CEST | 49741 | 8080 | 192.168.2.4 | 157.245.99.39 |
Aug 20, 2024 18:08:34.091763020 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:34.091850042 CEST | 49741 | 8080 | 192.168.2.4 | 157.245.99.39 |
Aug 20, 2024 18:08:34.092017889 CEST | 49741 | 8080 | 192.168.2.4 | 157.245.99.39 |
Aug 20, 2024 18:08:34.092058897 CEST | 49741 | 8080 | 192.168.2.4 | 157.245.99.39 |
Aug 20, 2024 18:08:34.096981049 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:34.097008944 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:34.097018957 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:34.097028017 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:34.097039938 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:36.308810949 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:36.308902025 CEST | 49741 | 8080 | 192.168.2.4 | 157.245.99.39 |
Aug 20, 2024 18:08:36.309026003 CEST | 49741 | 8080 | 192.168.2.4 | 157.245.99.39 |
Aug 20, 2024 18:08:36.313785076 CEST | 8080 | 49741 | 157.245.99.39 | 192.168.2.4 |
Aug 20, 2024 18:08:38.639569998 CEST | 49742 | 8080 | 192.168.2.4 | 137.59.187.107 |
Aug 20, 2024 18:08:38.644686937 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:08:38.644761086 CEST | 49742 | 8080 | 192.168.2.4 | 137.59.187.107 |
Aug 20, 2024 18:08:38.645030022 CEST | 49742 | 8080 | 192.168.2.4 | 137.59.187.107 |
Aug 20, 2024 18:08:38.645068884 CEST | 49742 | 8080 | 192.168.2.4 | 137.59.187.107 |
Aug 20, 2024 18:08:38.649996042 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:08:38.650024891 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:08:38.650047064 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:08:38.650106907 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:08:38.650115967 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:09:00.006405115 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:09:00.006505966 CEST | 49742 | 8080 | 192.168.2.4 | 137.59.187.107 |
Aug 20, 2024 18:09:00.006632090 CEST | 49742 | 8080 | 192.168.2.4 | 137.59.187.107 |
Aug 20, 2024 18:09:00.012171030 CEST | 8080 | 49742 | 137.59.187.107 | 192.168.2.4 |
Aug 20, 2024 18:09:03.832498074 CEST | 49743 | 443 | 192.168.2.4 | 94.23.237.171 |
Aug 20, 2024 18:09:03.832534075 CEST | 443 | 49743 | 94.23.237.171 | 192.168.2.4 |
Aug 20, 2024 18:09:03.832736015 CEST | 49743 | 443 | 192.168.2.4 | 94.23.237.171 |
Aug 20, 2024 18:09:03.832806110 CEST | 49743 | 443 | 192.168.2.4 | 94.23.237.171 |
Aug 20, 2024 18:09:03.832813025 CEST | 443 | 49743 | 94.23.237.171 | 192.168.2.4 |
Aug 20, 2024 18:09:03.832937956 CEST | 443 | 49743 | 94.23.237.171 | 192.168.2.4 |
Aug 20, 2024 18:09:03.832967997 CEST | 49743 | 443 | 192.168.2.4 | 94.23.237.171 |
Aug 20, 2024 18:09:03.832979918 CEST | 443 | 49743 | 94.23.237.171 | 192.168.2.4 |
Aug 20, 2024 18:09:07.545902967 CEST | 49744 | 443 | 192.168.2.4 | 61.19.246.238 |
Aug 20, 2024 18:09:07.545984983 CEST | 443 | 49744 | 61.19.246.238 | 192.168.2.4 |
Aug 20, 2024 18:09:07.546073914 CEST | 49744 | 443 | 192.168.2.4 | 61.19.246.238 |
Aug 20, 2024 18:09:07.546197891 CEST | 49744 | 443 | 192.168.2.4 | 61.19.246.238 |
Aug 20, 2024 18:09:07.546219110 CEST | 443 | 49744 | 61.19.246.238 | 192.168.2.4 |
Aug 20, 2024 18:09:07.546252966 CEST | 49744 | 443 | 192.168.2.4 | 61.19.246.238 |
Aug 20, 2024 18:09:07.546269894 CEST | 443 | 49744 | 61.19.246.238 | 192.168.2.4 |
Aug 20, 2024 18:09:07.546358109 CEST | 443 | 49744 | 61.19.246.238 | 192.168.2.4 |
Aug 20, 2024 18:09:10.999577045 CEST | 49745 | 80 | 192.168.2.4 | 156.155.166.221 |
Aug 20, 2024 18:09:11.004904985 CEST | 80 | 49745 | 156.155.166.221 | 192.168.2.4 |
Aug 20, 2024 18:09:11.005038023 CEST | 49745 | 80 | 192.168.2.4 | 156.155.166.221 |
Aug 20, 2024 18:09:11.005219936 CEST | 49745 | 80 | 192.168.2.4 | 156.155.166.221 |
Aug 20, 2024 18:09:11.005259037 CEST | 49745 | 80 | 192.168.2.4 | 156.155.166.221 |
Aug 20, 2024 18:09:11.010130882 CEST | 80 | 49745 | 156.155.166.221 | 192.168.2.4 |
Aug 20, 2024 18:09:11.010143995 CEST | 80 | 49745 | 156.155.166.221 | 192.168.2.4 |
Aug 20, 2024 18:09:11.010154009 CEST | 80 | 49745 | 156.155.166.221 | 192.168.2.4 |
Aug 20, 2024 18:09:11.010308027 CEST | 80 | 49745 | 156.155.166.221 | 192.168.2.4 |
Aug 20, 2024 18:09:11.010317087 CEST | 80 | 49745 | 156.155.166.221 | 192.168.2.4 |
Aug 20, 2024 18:09:32.382025957 CEST | 80 | 49745 | 156.155.166.221 | 192.168.2.4 |
Aug 20, 2024 18:09:32.382105112 CEST | 49745 | 80 | 192.168.2.4 | 156.155.166.221 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 71.72.196.159 | 80 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:07:35.563587904 CEST | 636 | OUT | |
Aug 20, 2024 18:07:35.563635111 CEST | 4692 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49737 | 134.209.36.254 | 8080 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:07:59.755335093 CEST | 541 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49739 | 120.138.30.150 | 8080 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:08:24.223545074 CEST | 593 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49740 | 94.23.216.33 | 80 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:08:28.476016045 CEST | 524 | OUT | |
Aug 20, 2024 18:08:28.476069927 CEST | 4644 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49741 | 157.245.99.39 | 8080 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:08:34.092017889 CEST | 507 | OUT | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49742 | 137.59.187.107 | 8080 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:08:38.645030022 CEST | 591 | OUT | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49743 | 94.23.237.171 | 443 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:09:03.832806110 CEST | 576 | OUT | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49744 | 61.19.246.238 | 443 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:09:07.546197891 CEST | 490 | OUT | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.4 | 49745 | 156.155.166.221 | 80 | 6348 | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 20, 2024 18:09:11.005219936 CEST | 646 | OUT | |
Aug 20, 2024 18:09:11.005259037 CEST | 4660 | OUT | |
Target ID: | 0 |
Start time: | 12:07:25 |
Start date: | 20/08/2024 |
Path: | C:\Users\user\Desktop\ExeFile (317).exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 437'248 bytes |
MD5 hash: | 1D94974D27FC9127C69992D325AFBC89 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 12:07:25 |
Start date: | 20/08/2024 |
Path: | C:\Windows\SysWOW64\KBDOLDIT\oleaut32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 437'248 bytes |
MD5 hash: | 1D94974D27FC9127C69992D325AFBC89 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 3.4% |
Dynamic/Decrypted Code Coverage: | 73.2% |
Signature Coverage: | 29.2% |
Total number of Nodes: | 421 |
Total number of Limit Nodes: | 27 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0040FA80 | 63.2 | 23 | 13 | 250 | window, registry, thread, COMMON |
00627D60 | 9.0 | 2 | 3 | 219 | file, COMMON |
006238B0 | 8.9 | 3 | 2 | 189 | file, COMMON |
006280D0 | 7.2 | 1 | 3 | 169 | file, COMMON |
00624F50 | 3.2 | 2 | | 249 | memory, COMMON |
00623060 | 1.7 | 1 | | 166 | memory, COMMON |
00626D70 | 5.4 | 1 | 2 | 109 | library, COMMON |
0053002D | 4.9 | 3 | | 387 | memory, COMMON |
0041025B | 4.6 | 3 | | 58 | memory, COMMON, LIBRARYCODE |
00624A80 | 3.6 | 1 | 1 | 87 | process, COMMON |
0040EC40 | 3.0 | 1 | 1 | 42 | memory, COMMON |
00641D10 | 1.6 | 1 | | 112 | COMMON |
00623670 | 1.6 | 1 | | 63 | file, COMMON |
00626CD0 | 1.5 | 1 | | 45 | library, COMMON |
006427B0 | 1.5 | 1 | | 14 | COMMON |
00641820 | 1.3 | 1 | | 11 | COMMON |
0040F510 | 26.4 | 11 | 4 | 155 | process, COMMON |
0040E170 | 7.1 | 3 | 1 | 51 | window, COMMON |
006263F0 | 4.3 | | 3 | 560 | COMMON |
005398FE | 4.0 | | 3 | 219 | COMMON |
00539C6E | 3.9 | | 3 | 169 | COMMON |
00628660 | 3.9 | | 3 | 160 | COMMON |
0040E930 | 3.1 | 2 | | 54 | library, COMMON |
005390CE | 2.8 | | 2 | 266 | COMMON |
00627530 | 2.8 | | 2 | 266 | COMMON |
00413E30 | 1.5 | 1 | | 4 | COMMON |
0053380E | 1.4 | | 1 | 104 | COMMON |
00621C70 | 1.4 | | 1 | 104 | COMMON |
005359DE | 1.3 | | 1 | 89 | COMMON |
00623E40 | 1.3 | | 1 | 89 | COMMON |
00530C9F | .1 | | | 93 | COMMON |
00530456 | .1 | | | 80 | COMMON |
0053689E | .0 | | | 2 | COMMON |
00624D00 | .0 | | | 2 | COMMON |
00413A77 | 40.4 | 18 | 5 | 109 | library, loader, memory, COMMON |
0040F7B0 | 33.4 | 13 | 6 | 190 | window, COMMON |
0040E800 | 21.1 | 6 | 6 | 76 | window, COMMON |
006414A0 | 12.2 | 8 | | 171 | COMMON |
0040E720 | 10.5 | 5 | 1 | 47 | process, COMMON |
00413801 | 10.5 | 5 | 1 | 40 | COMMON, LIBRARYCODE |
00413191 | 8.8 | 3 | 2 | 42 | COMMON, LIBRARYCODE |
006421A0 | 6.2 | 4 | | 182 | COMMON |
00642430 | 5.3 | 2 | 1 | 63 | memory, COMMON |
00412F0A | 5.3 | 2 | 1 | 37 | COMMON, LIBRARYCODE |
Execution Graph
Execution Coverage: | 4.3% |
Dynamic/Decrypted Code Coverage: | 76.8% |
Signature Coverage: | 5.3% |
Total number of Nodes: | 491 |
Total number of Limit Nodes: | 56 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0040FA80 | 63.2 | 23 | 13 | 250 | window, registry, thread, COMMON |
005E38B0 | 8.9 | 3 | 2 | 189 | file, COMMON |
005E25A0 | 7.2 | 1 | 3 | 228 | encryption, COMMON |
005E80D0 | 7.2 | 1 | 3 | 169 | file, COMMON |
005E2210 | 2.8 | | 2 | 254 | COMMON |
005E2B60 | 14.3 | 5 | 3 | 311 | network, COMMON |
005E4B90 | 7.1 | 3 | 1 | 102 | process, COMMON |
005E6D70 | 5.4 | 1 | 2 | 109 | library, COMMON |
005E9BF0 | 5.3 | 1 | 2 | 88 | thread, COMMON |
005E5B40 | 5.3 | 2 | 1 | 74 | memory, COMMON |
004F002D | 4.9 | 3 | | 387 | memory, COMMON |
005E9A90 | 4.6 | 3 | | 95 | string, COMMON |
0041025B | 4.6 | 3 | | 58 | memory, COMMON, LIBRARYCODE |
005E3060 | 3.7 | 1 | 1 | 166 | memory, COMMON |
005E41C0 | 3.5 | 1 | 1 | 30 | memory, COMMON |
0040EC40 | 3.0 | 1 | 1 | 42 | memory, COMMON |
020D1D10 | 1.6 | 1 | | 112 | COMMON |
005E45C0 | 1.6 | 1 | | 59 | COMMON |
005E5410 | 1.6 | 1 | | 52 | COMMON |
005E6CD0 | 1.5 | 1 | | 45 | library, COMMON |
005E4BA8 | 1.5 | 1 | | 28 | process, COMMON |
020D27B0 | 1.5 | 1 | | 14 | COMMON |
020D1820 | 1.3 | 1 | | 11 | COMMON |
005E1FA0 | 1.4 | | 1 | 175 | COMMON |
00413A77 | 40.4 | 18 | 5 | 109 | library, loader, memory, COMMON |
0040F7B0 | 33.4 | 13 | 6 | 190 | window, COMMON |
0040F510 | 26.4 | 11 | 4 | 155 | process, COMMON |
0040E800 | 21.1 | 6 | 6 | 76 | window, COMMON |
020D14A0 | 12.2 | 8 | | 171 | COMMON |
0040E720 | 10.5 | 5 | 1 | 47 | process, COMMON |
00413801 | 10.5 | 5 | 1 | 40 | COMMON, LIBRARYCODE |
00413191 | 8.8 | 3 | 2 | 42 | COMMON, LIBRARYCODE |
0040E170 | 7.1 | 3 | 1 | 51 | window, COMMON |
020D21A0 | 6.2 | 4 | | 182 | COMMON |
020D2430 | 5.3 | 2 | 1 | 63 | memory, COMMON |
00412F0A | 5.3 | 2 | 1 | 37 | COMMON, LIBRARYCODE |