

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1516783
MD5:5aefab6d98b943df267e28b42b5871e0
SHA1:de1c5175217692ecec57e495324b0c614aa720bc
SHA256:3896dedb4a4ca12282a10e96c17a220ee4a223ff3f786284e12a42fe3c59a114
Tags:exe, user-jstrosch

Detection

Reverse SSH
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Outlook Reverse SSH
AI detected suspicious sample
Machine Learning detection for sample
Uses whoami command line tool to query computer and username
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • file.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5AEFAB6D98B943DF267E28B42B5871E0)
    • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 6416 cmdline: C:\Users\user\Desktop\file.exe MD5: 5AEFAB6D98B943DF267E28B42B5871E0)
      • whoami.exe (PID: 1732 cmdline: whoami MD5: 801D9A1C1108360B84E60A457D5A773A)
        • conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2926566985.000000000089C000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security |
00000000.00000002.1689192224.000000000089C000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security |
Process Memory Space: file.exe PID: 7100 | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security |
Process Memory Space: file.exe PID: 6416 | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.160000.0.unpack | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security |
2.2.file.exe.160000.0.unpack | JoeSecurity_ReverseSSH | Yara detected Outlook Reverse SSH | Joe Security |
Source: Process started -- Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -- Data: Command: whoami, CommandLine: whoami, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\whoami.exe, NewProcessName: C:\Windows\SysWOW64\whoami.exe, OriginalFileName: C:\Windows\SysWOW64\whoami.exe, ParentCommandLine: C:\Users\user\Desktop\file.exe, ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6416, ParentProcessName: file.exe, ProcessCommandLine: whoami, ProcessId: 1732, ProcessName: whoami.exe
              No Suricata rule has matched

              AV Detection

Source: file.exe -- Avira: detected
Source: file.exe -- ReversingLabs: Detection: 52%
Source: Submitted Sample -- Integrated Neural Analysis Model: Matched 99.2% probability
Source: file.exe -- Joe Sandbox ML: detected
Source: file.exe -- Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: file.exe -- Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\rprichard\proj\winpty\src\Release\Win32\winpty.pdb -- source: file.exe, 00000000.00000002.1689192224.0000000000666000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1689192224.00000000006E2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000002.00000002.2926566985.00000000006E2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000002.00000002.2926566985.0000000000666000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: C:\rprichard\proj\winpty\src\Release\Win32\winpty-agent.pdb -- source: file.exe, 00000000.00000002.1689192224.000000000076D000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1689192224.00000000007FB000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000002.00000002.2926566985.000000000076D000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000002.00000002.2926566985.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
Source: global traffic -- TCP traffic: 192.168.2.4:49731 -> 45.152.67.101:3232
Source: unknown -- TCP traffic detected without corresponding DNS query: 45.152.67.101
Source: classification engine -- Classification label: mal76.troj.winEXE@7/2@0/1
Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Users\user\Desktop\file.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe -- String found in binary or memory: -add!zb'f'sub!cmp\'
Source: file.exe -- String found in binary or memory: /Addr6
Source: unknown -- Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\SysWOW64\whoami.exe whoami
Source: C:\Windows\SysWOW64\whoami.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe -- Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: samcli.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: samlib.dll
Source: C:\Users\user\Desktop\file.exe -- Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\whoami.exe -- Section loaded: version.dll
Source: C:\Windows\SysWOW64\whoami.exe -- Section loaded: authz.dll
Source: C:\Windows\SysWOW64\whoami.exe -- Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\whoami.exe -- Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\whoami.exe -- Section loaded: netutils.dll
Source: file.exe -- Static file information: File size 3891712 > 1048576
Source: file.exe -- Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x3b5e00
Source: file.exe -- Static PE information: section name: UPX2
Source: initial sample -- Static PE information: section name: UPX0
Source: initial sample -- Static PE information: section name: UPX1

              Boot Survival

Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\SysWOW64\whoami.exe whoami
Source: C:\Users\user\Desktop\file.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\whoami.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe -- System information queried: CurrentTimeZoneInformation
Source: all processes -- Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: file.exe, 00000000.00000002.1691033546.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.2927699228.0000000001398000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe -- Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\whoami.exe -- Process token adjusted: Debug

              Stealing of Sensitive Information

Source: Yara match -- File source: 0.2.file.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.file.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000002.00000002.2926566985.000000000089C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1689192224.000000000089C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: file.exe PID: 7100, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: file.exe PID: 6416, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match -- File source: 0.2.file.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.file.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000002.00000002.2926566985.000000000089C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1689192224.000000000089C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: file.exe PID: 7100, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: file.exe PID: 6416, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the report's signature count for a matched technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Software Packing (1); Process Injection (11); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (1); Process Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Non-Standard Port (1); Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph ID: 1516783; Sample: file.exe; Start date: 24/09/2024; Architecture: WINDOWS; Score: 76
Start node signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Outlook Reverse SSH; 2 other signatures
  • file.exe (started) -- signature: Uses whoami command line tool to query computer and username
    • file.exe (started) -- network: 45.152.67.101 port 3232 from local port 49731, CODECCLOUD-AS-AP CodecCloudHKLimitedHK, Italy -- signature: Uses whoami command line tool to query computer and username
      • whoami.exe (started)
        • conhost.exe (started)
    • conhost.exe (started)

Source | Detection | Scanner | Label
file.exe | 53% | ReversingLabs | Win32.Trojan.RevhellMarte
file.exe | 100% | Avira | TR/AVI.Agent.cskbp
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
45.152.67.101 | unknown | Italy | 138576 | CODECCLOUD-AS-AP CodecCloudHKLimitedHK | false
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1516783
              Start date and time:2024-09-24 15:38:51 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 32s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:file.exe
              Detection:MAL
              Classification:mal76.troj.winEXE@7/2@0/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • VT rate limit hit for: file.exe
              No simulations
              No context
Match: CODECCLOUD-AS-AP CodecCloudHKLimitedHK

Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
file.exe | malicious | Stealc | 45.152.113.10
file.exe | malicious | Stealc | 45.152.113.10
file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
file.exe | malicious | Stealc | 45.152.113.10
file.exe | malicious | Stealc | 45.152.113.10
file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
file.exe | malicious | Stealc | 45.152.113.10
PM7K6PbAf0.exe | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc | 45.152.113.10
file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
              No context
              Process:C:\Users\user\Desktop\file.exe
              File Type:GLS_BINARY_LSB_FIRST
              Category:dropped
              Size (bytes):116
              Entropy (8bit):4.053374040827532
              Encrypted:false
              SSDEEP:3:rmHD/tH//lllLGlA1yqGlgZty:rmH2oty
              MD5:080E701E8B8E2E9C68203C150AC7C6B7
              SHA1:4EF041621388B805758AE1D3B122F9D364705223
              SHA-256:FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
              SHA-512:C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:........t.......................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......,..l..@E............
              Process:C:\Users\user\Desktop\file.exe
              File Type:ASCII text
              Category:dropped
              Size (bytes):964
              Entropy (8bit):5.138318928211823
              Encrypted:false
              SSDEEP:24:RQwN2wA2XvrY3zGVuC2XvFDuC2XvFDrDAZrhNreFNjt:zvMVvFgvFFt
              MD5:3EAE304D13E34F582E95BD7085173895
              SHA1:CB425773005C6CF6FD3D1D0731A7C089DD1BA1AF
              SHA-256:E03ABB5A617C5B02628F788C0B3E91135FA0D90A7CE480DA6B5CD909687FD6C7
              SHA-512:438D9260D5306B481AF6315D4A093BB48346B37780CBA7F922CEAE4F03E33859E8E76F6C063452F445A4523ABB0D7CA96C2F76FC832E5981AE1264DDEF19802D
              Malicious:false
              Reputation:low
Preview:
  2024/09/24 09:39:43 Connecting to 45.152.67.101:3232
  2024/09/24 09:39:46 Successfully connnected 45.152.67.101:3232
  2024/09/24 09:39:47 [client] INFO global.go:118 RegisterChannelCallbacks() : Handling channel: jump
  2024/09/24 09:39:49 [45.152.67.101:3232] INFO jumphost.go:52 func1() : New SSH connection, version SSH-2.0-paramiko_3.0.0
  2024/09/24 09:39:50 [45.152.67.101:3232] INFO global.go:118 RegisterChannelCallbacks() : Handling channel: session
  2024/09/24 09:39:50 [45.152.67.101:3232] INFO global.go:118 RegisterChannelCallbacks() : Handling channel: session
  2024/09/24 09:39:51 [45.152.67.101:3232] INFO session.go:57 Session() : Session got request: "exec"
  2024/09/24 09:39:51 [45.152.67.101:3232] INFO session.go:109 Session() : Session disconnected
  2024/09/24 09:39:51 [45.152.67.101:3232] INFO session.go:157 Session() : Session disconnected
  2024/09/24 09:39:51 [client] ERROR jumphost.go:97 func1() : Channel call back error: connection terminated
              File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
              Entropy (8bit):7.8955675416201965
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:file.exe
              File size:3'891'712 bytes
              MD5:5aefab6d98b943df267e28b42b5871e0
              SHA1:de1c5175217692ecec57e495324b0c614aa720bc
              SHA256:3896dedb4a4ca12282a10e96c17a220ee4a223ff3f786284e12a42fe3c59a114
              SHA512:7482e019ca7e25145e97465c5f8f58a9785317d40c37a85058a6ef1c93dad2fcd39ec3864a9bd894fec2313ae2243f3b43b2cbfba2ec8f447d29d56c01ca086a
              SSDEEP:98304:7aui/tKaSe0HQxy0G/GcDW2fx2ZHbXXjCR9u:7aMaT0CC/GcDWSSbXXje9
              TLSH:000633C42A424DDBAF3D243D5C93AF1E46CAA43831E585940E58B346A97F27532376CF
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B...............`;.......j.@{... j.......@.......................................@................................
              Icon Hash:90cececece8e8eb0
              Entrypoint:0xe57b40
              Entrypoint Section:UPX1
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:1
              File Version Major:6
              File Version Minor:1
              Subsystem Version Major:6
              Subsystem Version Minor:1
              Import Hash:6ed4f5f04d62b18d96b26d6db7c18840
              Instruction
              pushad
              mov esi, 00AA2015h
              lea edi, dword ptr [esi-006A1015h]
              push edi
              or ebp, FFFFFFFFh
              jmp 00007F452C887142h
              nop
              nop
              nop
              nop
              nop
              nop
              mov al, byte ptr [esi]
              inc esi
              mov byte ptr [edi], al
              inc edi
              add ebx, ebx
              jne 00007F452C887139h
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              jc 00007F452C88711Fh
              mov eax, 00000001h
              add ebx, ebx
              jne 00007F452C887139h
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              adc eax, eax
              add ebx, ebx
              jnc 00007F452C88713Dh
              jne 00007F452C88715Ah
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              jc 00007F452C887151h
              dec eax
              add ebx, ebx
              jne 00007F452C887139h
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              adc eax, eax
              jmp 00007F452C887106h
              add ebx, ebx
              jne 00007F452C887139h
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              adc ecx, ecx
              jmp 00007F452C887184h
              xor ecx, ecx
              sub eax, 03h
              jc 00007F452C887143h
              shl eax, 08h
              mov al, byte ptr [esi]
              inc esi
              xor eax, FFFFFFFFh
              je 00007F452C8871A7h
              sar eax, 1
              mov ebp, eax
              jmp 00007F452C88713Dh
              add ebx, ebx
              jne 00007F452C887139h
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              jc 00007F452C8870FEh
              inc ecx
              add ebx, ebx
              jne 00007F452C887139h
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              jc 00007F452C8870F0h
              add ebx, ebx
              jne 00007F452C887139h
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              adc ecx, ecx
              add ebx, ebx
              jnc 00007F452C887121h
              jne 00007F452C88713Bh
              mov ebx, dword ptr [esi]
              sub esi, FFFFFFFCh
              adc ebx, ebx
              jnc 00007F452C887116h
              add ecx, 02h
              cmp ebp, FFFFFB00h
              adc ecx, 02h
              lea edx, dword ptr [eax+eax]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa58000 | 0x88 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa58088 | 0xc | UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x6a1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x6a2000 | 0x3b6000 | 0x3b5e00 | 179aedc367adb5f3ea918da332956022 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2 | 0xa58000 | 0x1000 | 0x200 | 7fab496d44771e0b72e556c0c1129a89 | False | 0.212890625 | data | 1.5487272665399665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 24, 2024 15:39:44.653018951 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:44.659012079 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:44.659090042 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:44.660423040 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:44.665278912 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:45.555212975 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:45.555891037 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:45.560655117 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:45.647674084 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:45.649219990 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:45.654069901 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.133909941 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.180697918 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:46.273488045 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:46.273550034 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:46.278577089 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.278722048 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.286936045 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.334625959 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:46.662431955 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.662689924 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:46.709184885 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.979137897 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:46.979553938 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:46.984571934 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.295954943 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.296528101 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:47.301440954 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.611988068 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.659832001 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:47.743983984 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.744240999 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:47.749141932 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.925354004 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.925734043 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:47.925815105 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:47.930641890 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:47.930680990 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:48.323652983 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:48.371324062 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:48.451971054 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:48.451988935 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:48.452102900 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:48.452985048 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:48.453169107 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:48.457792997 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:48.457930088 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.035594940 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.083930016 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.164187908 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.164483070 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.165802002 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.165868044 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.165909052 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.169351101 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.170653105 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.170700073 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.170727015 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.757556915 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.805246115 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.891997099 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.892268896 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.892328978 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:49.897285938 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:49.897322893 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:50.207734108 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:50.255413055 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:50.344675064 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:50.344969988 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:50.346390009 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:50.349756002 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:50.351166010 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:50.922470093 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:50.970191002 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.051964045 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.052197933 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.052340031 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.056917906 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.057301044 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.368197918 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.417035103 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.499942064 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.509532928 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.509651899 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.514426947 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.514436960 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.825140953 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.872860909 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.951997995 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.952384949 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.952518940 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:51.957473040 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:51.957482100 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:52.083244085 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:52.083415031 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:52.088052034 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:52.088280916 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:52.151151896 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:52.156274080 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:52.298233986 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:52.345927000 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:52.521573067 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:52.569354057 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:52.627886057 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:52.628298998 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:52.633229971 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:53.103267908 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:53.103528023 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:53.108397007 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:58.486538887 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:39:58.486928940 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:39:58.491688967 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:03.803443909 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:03.803781033 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:03.808645010 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:09.121546030 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:09.121819973 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:09.126713037 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:14.439363956 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:14.439652920 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:14.444569111 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:19.757858992 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:19.758120060 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:19.763870955 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:25.074029922 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:25.074218988 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:25.079071999 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:30.390502930 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:30.390882015 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:30.395643950 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:35.706497908 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:35.706809044 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:35.711750984 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:41.157823086 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:41.158284903 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:41.163158894 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:46.474853992 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:46.475100994 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:46.479938030 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:51.791795015 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:51.792273045 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:51.797132969 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:57.109741926 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:40:57.110078096 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:40:57.115123987 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:02.427306890 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:02.427614927 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:02.434155941 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:07.744843960 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:07.746280909 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:07.751068115 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:13.062768936 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:13.063080072 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:13.069149971 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:18.382155895 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:18.382651091 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:18.387526035 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:23.698662996 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:23.699167013 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:23.704143047 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:29.015697956 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:29.015974045 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:29.020783901 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:34.342948914 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:34.343274117 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:34.348098993 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:39.672075987 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:39.672620058 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:39.679590940 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:44.990333080 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:44.990638018 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Sep 24, 2024 15:41:44.995523930 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:50.308073997 CEST | 3232 | 49731 | 45.152.67.101 | 192.168.2.4
Sep 24, 2024 15:41:50.350687981 CEST | 49731 | 3232 | 192.168.2.4 | 45.152.67.101
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 24, 2024 15:40:05.827290058 CEST | 53 | 56379 | 1.1.1.1 | 192.168.2.4

              Target ID:0
              Start time:09:39:43
              Start date:24/09/2024
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\file.exe"
              Imagebase:0x160000
              File size:3'891'712 bytes
              MD5 hash:5AEFAB6D98B943DF267E28B42B5871E0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_ReverseSSH, Description: Yara detected Outlook Reverse SSH, Source: 00000000.00000002.1689192224.000000000089C000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
              Reputation:low
              Has exited:true

              Target ID:1
              Start time:09:39:43
              Start date:24/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:2
              Start time:09:39:43
              Start date:24/09/2024
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\file.exe
              Imagebase:0x160000
              File size:3'891'712 bytes
              MD5 hash:5AEFAB6D98B943DF267E28B42B5871E0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_ReverseSSH, Description: Yara detected Outlook Reverse SSH, Source: 00000002.00000002.2926566985.000000000089C000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
              Reputation:low
              Has exited:false

              Target ID:3
              Start time:09:39:51
              Start date:24/09/2024
              Path:C:\Windows\SysWOW64\whoami.exe
              Wow64 process (32bit):true
              Commandline:whoami
              Imagebase:0xed0000
              File size:58'880 bytes
              MD5 hash:801D9A1C1108360B84E60A457D5A773A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:4
              Start time:09:39:51
              Start date:24/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              No disassembly