Edit tour
Windows
Analysis Report
injector V2.5.exe
Overview
General Information
| Sample name: | injector V2.5.exe |
| Analysis ID: | 1560308 |
| MD5: | 96f89e1cb2a8789acee8720d872b4cc5 |
| SHA1: | 03e6c31a56329ac737de81a43c9b8b9266fd31a3 |
| SHA256: | 313d44650a5c5c542bbbcae9d17c03cc0981642b1450a092bfa95956bbead114 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
injector V2.5.exe (PID: 3608 cmdline: "C:\Users\ user\Deskt op\injecto r V2.5.exe " MD5: 96F89E1CB2A8789ACEE8720D872B4CC5) 
conhost.exe (PID: 2108 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - injector V2.5.exe (PID: 4928 cmdline:
"C:\Users\ user\Deskt op\injecto r V2.5.exe " MD5: 96F89E1CB2A8789ACEE8720D872B4CC5)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["processhol.sbs", "p10tgrace.sbs", "3xp3cts1aim.sbs", "p3ar11fter.sbs", "revirepart.biz", "peepburry828.sbs"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:01.849846+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| 2024-11-21T16:53:04.773518+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:07.304425+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:09.637707+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:11.904443+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:14.238396+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:17.118224+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:19.296454+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:22.158221+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 172.67.206.172 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:02.533163+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| 2024-11-21T16:53:05.490496+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:08.044029+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:22.898587+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 172.67.206.172 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:02.533163+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| 2024-11-21T16:53:05.490496+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:08.044029+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:02.928237+0100 | 2057697 | 1 | A Network Trojan was detected | 192.168.2.4 | 58217 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:04.773518+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:07.304425+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:09.637707+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49736 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:11.904443+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:14.238396+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49738 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:17.118224+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49740 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:19.296454+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49744 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:22.158221+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49746 | 172.67.206.172 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:01.849846+0100 | 2057647 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:03.175291+0100 | 2057658 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61931 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:02.928237+0100 | 2057668 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58217 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:00.244535+0100 | 2057646 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 65437 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:17.867851+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 172.67.206.172 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00B4F680 | |
| Source: | Code function: | 0_2_00B4F731 | |
| Source: | Code function: | 2_2_00B4F680 | |
| Source: | Code function: | 2_2_00442140 | |
| Source: | Code function: | 2_2_0040C916 | |
| Source: | Code function: | 2_2_0040DD2B | |
| Source: | Code function: | 2_2_004251E0 | |
| Source: | Code function: | 2_2_004251E0 | |
| Source: | Code function: | 2_2_00409D80 | |
| Source: | Code function: | 2_2_00440E40 | |
| Source: | Code function: | 2_2_0040A210 | |
| Source: | Code function: | 2_2_00439B70 | |
| Source: | Code function: | 2_2_0040CF82 | |
| Source: | Code function: | 2_2_00441460 | |
| Source: | Code function: | 2_2_00440C90 | |
| Source: | Code function: | 2_2_0040D4B9 | |
| Source: | Code function: | 2_2_00409940 | |
| Source: | Code function: | 2_2_00409940 | |
| Source: | Code function: | 2_2_00409940 | |
| Source: | Code function: | 2_2_0042BD40 | |
| Source: | Code function: | 2_2_0040CD42 | |
| Source: | Code function: | 2_2_0043A5D0 | |
| Source: | Code function: | 2_2_0040C991 | |
| Source: | Code function: | 2_2_0040E59B | |
| Source: | Code function: | 2_2_004411B0 | |
| Source: | Code function: | 2_2_0040CA52 | |
| Source: | Code function: | 2_2_004202F0 | |
| Source: | Code function: | 2_2_00441A90 | |
| Source: | Code function: | 2_2_00440300 | |
| Source: | Code function: | 2_2_00401F10 | |
| Source: | Code function: | 2_2_0043A720 | |
| Source: | Code function: | 2_2_0043FF20 | |
| Source: | Code function: | 2_2_0043FF20 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00434B70 | |
| Source: | Code function: | 2_2_00434B70 | |
| Source: | Code function: | 0_2_00B3D4A0 | |
| Source: | Code function: | 0_2_00B44CD0 | |
| Source: | Code function: | 0_2_00B46CD0 | |
| Source: | Code function: | 0_2_00B34CC0 | |
| Source: | Code function: | 0_2_00B46800 | |
| Source: | Code function: | 0_2_00B33440 | |
| Source: | Code function: | 0_2_00B47840 | |
| Source: | Code function: | 0_2_00B355F0 | |
| Source: | Code function: | 0_2_00B25930 | |
| Source: | Code function: | 0_2_00B41D30 | |
| Source: | Code function: | 0_2_00B38129 | |
| Source: | Code function: | 0_2_00B34910 | |
| Source: | Code function: | 0_2_00B3DD00 | |
| Source: | Code function: | 0_2_00B44170 | |
| Source: | Code function: | 0_2_00B2B964 | |
| Source: | Code function: | 0_2_00B32AE7 | |
| Source: | Code function: | 0_2_00B55E22 | |
| Source: | Code function: | 0_2_00B39B80 | |
| Source: | Code function: | 0_2_00B33F80 | |
| Source: | Code function: | 0_2_00B36330 | |
| Source: | Code function: | 0_2_00B47330 | |
| Source: | Code function: | 0_2_00B35F60 | |
| Source: | Code function: | 0_2_00B41367 | |
| Source: | Code function: | 0_2_00B2A36B | |
| Source: | Code function: | 0_2_00B37F54 | |
| Source: | Code function: | 0_2_00B3F340 | |
| Source: | Code function: | 2_2_0040A467 | |
| Source: | Code function: | 2_2_004280D0 | |
| Source: | Code function: | 2_2_0043C490 | |
| Source: | Code function: | 2_2_00442140 | |
| Source: | Code function: | 2_2_0040DD2B | |
| Source: | Code function: | 2_2_004251E0 | |
| Source: | Code function: | 2_2_00409D80 | |
| Source: | Code function: | 2_2_00421230 | |
| Source: | Code function: | 2_2_00439B70 | |
| Source: | Code function: | 2_2_0040DB17 | |
| Source: | Code function: | 2_2_00408FA0 | |
| Source: | Code function: | 2_2_004233B0 | |
| Source: | Code function: | 2_2_00405036 | |
| Source: | Code function: | 2_2_0040B080 | |
| Source: | Code function: | 2_2_00420090 | |
| Source: | Code function: | 2_2_004064B0 | |
| Source: | Code function: | 2_2_0040D4B9 | |
| Source: | Code function: | 2_2_00409940 | |
| Source: | Code function: | 2_2_00425D40 | |
| Source: | Code function: | 2_2_0040B550 | |
| Source: | Code function: | 2_2_0043C910 | |
| Source: | Code function: | 2_2_00428530 | |
| Source: | Code function: | 2_2_004091D0 | |
| Source: | Code function: | 2_2_00403980 | |
| Source: | Code function: | 2_2_00439190 | |
| Source: | Code function: | 2_2_00407AE0 | |
| Source: | Code function: | 2_2_004052E9 | |
| Source: | Code function: | 2_2_004202F0 | |
| Source: | Code function: | 2_2_00441A90 | |
| Source: | Code function: | 2_2_00406B40 | |
| Source: | Code function: | 2_2_0041F740 | |
| Source: | Code function: | 2_2_00440300 | |
| Source: | Code function: | 2_2_0043A720 | |
| Source: | Code function: | 2_2_0043FF20 | |
| Source: | Code function: | 2_2_00438F30 | |
| Source: | Code function: | 2_2_00406FD0 | |
| Source: | Code function: | 2_2_00405FF0 | |
| Source: | Code function: | 2_2_00402F80 | |
| Source: | Code function: | 2_2_00B3C0A0 | |
| Source: | Code function: | 2_2_00B21000 | |
| Source: | Code function: | 2_2_00B46800 | |
| Source: | Code function: | 2_2_00B47840 | |
| Source: | Code function: | 2_2_00B30190 | |
| Source: | Code function: | 2_2_00B2A180 | |
| Source: | Code function: | 2_2_00B25930 | |
| Source: | Code function: | 2_2_00B34910 | |
| Source: | Code function: | 2_2_00B44170 | |
| Source: | Code function: | 2_2_00B32AA0 | |
| Source: | Code function: | 2_2_00B39B80 | |
| Source: | Code function: | 2_2_00B37BD0 | |
| Source: | Code function: | 2_2_00B36330 | |
| Source: | Code function: | 2_2_00B47330 | |
| Source: | Code function: | 2_2_00B3F340 | |
| Source: | Code function: | 2_2_00B3D4A0 | |
| Source: | Code function: | 2_2_00B44CD0 | |
| Source: | Code function: | 2_2_00B46CD0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B33440 | |
| Source: | Code function: | 2_2_00B355F0 | |
| Source: | Code function: | 2_2_00B25540 | |
| Source: | Code function: | 2_2_00B55E22 | |
| Source: | Code function: | 2_2_00B3DE70 | |
| Source: | Code function: | 2_2_00B23E60 | |
| Source: | Code function: | 2_2_00B33F80 | |
| Source: | Code function: | 2_2_00B35F60 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00439B70 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00B5010D | |
| Source: | Code function: | 2_2_00B5010D | |
| Source: | Static PE information: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_00B4F680 | |
| Source: | Code function: | 0_2_00B4F731 | |
| Source: | Code function: | 2_2_00B4F680 | |
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_0043E730 | |
| Source: | Code function: | 0_2_00B496AF | |
| Source: | Code function: | 0_2_00B5D18D | |
| Source: | Code function: | 0_2_00B2D475 | |
| Source: | Code function: | 0_2_00B2D07E | |
| Source: | Code function: | 0_2_00B32C40 | |
| Source: | Code function: | 0_2_00B32C40 | |
| Source: | Code function: | 0_2_00B2CD0A | |
| Source: | Code function: | 0_2_00B2E93A | |
| Source: | Code function: | 0_2_00B2CD0A | |
| Source: | Code function: | 0_2_00B2D6B8 | |
| Source: | Code function: | 0_2_00B2D6B8 | |
| Source: | Code function: | 0_2_00B2DA6C | |
| Source: | Code function: | 0_2_00B32B9B | |
| Source: | Code function: | 0_2_00B32B9B | |
| Source: | Code function: | 0_2_00B2E350 | |
| Source: | Code function: | 2_2_00B32AA0 | |
| Source: | Code function: | 2_2_00B32AA0 | |
| Source: | Code function: | 2_2_00B32AA0 | |
| Source: | Code function: | 2_2_00B32AA0 | |
| Source: | Code function: | 2_2_00B32AA0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 2_2_00B2CCC0 | |
| Source: | Code function: | 0_2_00B4CB10 | |
| Source: | Code function: | 0_2_00B4902F | |
| Source: | Code function: | 0_2_00B496A3 | |
| Source: | Code function: | 0_2_00B496AF | |
| Source: | Code function: | 0_2_00B4B79A | |
| Source: | Code function: | 2_2_00B4902F | |
| Source: | Code function: | 2_2_00B496A3 | |
| Source: | Code function: | 2_2_00B496AF | |
| Source: | Code function: | 2_2_00B4B79A | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_00B5D18D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00B498D5 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00B49566 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 131 Security Software Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 34% | ReversingLabs | Win32.Trojan.Stealerc | ||
| 100% | Avira | HEUR/AGEN.1361736 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| librari-night.sbs | 172.67.206.172 | true | false | high | |
| revirepart.biz | 104.21.43.198 | true | false | high | |
| processhol.sbs | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.206.172 | librari-night.sbs | United States | 13335 | CLOUDFLARENETUS | false | |
| 104.21.43.198 | revirepart.biz | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1560308 |
| Start date and time: | 2024-11-21 16:52:06 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 7s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | injector V2.5.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@3/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: injector V2.5.exe
| Time | Type | Description |
|---|---|---|
| 10:53:01 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.206.172 | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | ||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| 104.21.43.198 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| revirepart.biz | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| librari-night.sbs | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Ducktail | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Ducktail | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.69373304289523 |
| TrID: |
|
| File name: | injector V2.5.exe |
| File size: | 587'904 bytes |
| MD5: | 96f89e1cb2a8789acee8720d872b4cc5 |
| SHA1: | 03e6c31a56329ac737de81a43c9b8b9266fd31a3 |
| SHA256: | 313d44650a5c5c542bbbcae9d17c03cc0981642b1450a092bfa95956bbead114 |
| SHA512: | 8aacc3f740abf77e70ebbcfcbf29c010eb4d9f7e43f68f3841102c248fb89c0a433916927be7a471e280037ec3058ab02a2b48e2c6312782a9cb74dc0ab2fcee |
| SSDEEP: | 12288:SRgyqSwAN2kLkjnP13tGHaSQ3fTPTzLXwlIfykWetYbVYN5BUPx3ABtCT7lr7v:ig2N2kLkTd3AHah3f7DyJqYGBUPx3AuJ |
| TLSH: | BDC4D0165141F8A3F88758FF38A2A31724E733B2A7B1CDE3C175756887801C1D5EAA6E |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....2?g.................V........................@.......................................@.................................T...(.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4292c0 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x673F321B [Thu Nov 21 13:14:03 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 3a33a82bcd5969a5b19ce5fba049e5b4 |
| Signature Valid: | false |
| Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | AD1BCBF19AE2F91BB114D33B85359E56 |
| Thumbprint SHA-1: | 141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128 |
| Thumbprint SHA-256: | A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48 |
| Serial: | 00D0461B529F67189D43744E9CEFE172AE |
| Instruction |
|---|
| call 00007F3498C7EBEBh |
| jmp 00007F3498C7E7FDh |
| push ebp |
| mov ebp, esp |
| push dword ptr [ebp+08h] |
| call 00007F3498C7E99Fh |
| neg eax |
| pop ecx |
| sbb eax, eax |
| neg eax |
| dec eax |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [0043E488h], FFFFFFFFh |
| push dword ptr [ebp+08h] |
| jne 00007F3498C7E999h |
| call 00007F3498C8081Bh |
| jmp 00007F3498C7E99Dh |
| push 0043E488h |
| call 00007F3498C8079Eh |
| pop ecx |
| neg eax |
| pop ecx |
| sbb eax, eax |
| not eax |
| and eax, dword ptr [ebp+08h] |
| pop ebp |
| ret |
| push 00000008h |
| push 0043C8E0h |
| call 00007F3498C7EF0Dh |
| and dword ptr [ebp-04h], 00000000h |
| mov eax, 00005A4Dh |
| cmp word ptr [00400000h], ax |
| jne 00007F3498C7E9EFh |
| mov eax, dword ptr [0040003Ch] |
| cmp dword ptr [eax+00400000h], 00004550h |
| jne 00007F3498C7E9DEh |
| mov ecx, 0000010Bh |
| cmp word ptr [eax+00400018h], cx |
| jne 00007F3498C7E9D0h |
| mov eax, dword ptr [ebp+08h] |
| mov ecx, 00400000h |
| sub eax, ecx |
| push eax |
| push ecx |
| call 00007F3498C7EB12h |
| pop ecx |
| pop ecx |
| test eax, eax |
| je 00007F3498C7E9B9h |
| cmp dword ptr [eax+24h], 00000000h |
| jl 00007F3498C7E9B3h |
| mov dword ptr [ebp-04h], FFFFFFFEh |
| mov al, 01h |
| jmp 00007F3498C7E9B1h |
| mov eax, dword ptr [ebp-14h] |
| mov eax, dword ptr [eax] |
| xor ecx, ecx |
| cmp dword ptr [eax], C0000005h |
| sete cl |
| mov eax, ecx |
| ret |
| mov esp, dword ptr [ebp-18h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c054 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8ca00 | 0x2e80 | .coS |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x40000 | 0x2608 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x37160 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3c198 | 0x11c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3544c | 0x35600 | 479743414830a5568bcada3f710e0c1a | False | 0.49541221457845436 | data | 6.9570693373870895 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x37000 | 0x5e44 | 0x6000 | fa3c2f19487ee30f8cd241552465a803 | False | 0.4083251953125 | data | 4.760675312198424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3d000 | 0x1ba4 | 0x1000 | ff4f8fd6963b4f7d1c08f13031fa0788 | False | 0.470703125 | OpenPGP Secret Key | 4.849894766585126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x3f000 | 0x8 | 0x200 | 056d58e83a0a9dfd46d11d226dee9030 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x40000 | 0x2608 | 0x2800 | 01d8884685c61e5615f1d070b294bafc | False | 0.7767578125 | data | 6.602867365262165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x43000 | 0x4d400 | 0x4d400 | 6db305dec2cdadff4d5bbbc9bb78b961 | False | 1.0003350020226538 | data | 7.999328108956239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-21T16:53:00.244535+0100 | 2057646 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz) | 1 | 192.168.2.4 | 65437 | 1.1.1.1 | 53 | UDP |
| 2024-11-21T16:53:01.849846+0100 | 2057647 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| 2024-11-21T16:53:01.849846+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| 2024-11-21T16:53:02.533163+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| 2024-11-21T16:53:02.533163+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | TCP |
| 2024-11-21T16:53:02.928237+0100 | 2057668 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) | 1 | 192.168.2.4 | 58217 | 1.1.1.1 | 53 | UDP |
| 2024-11-21T16:53:02.928237+0100 | 2057697 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) | 1 | 192.168.2.4 | 58217 | 1.1.1.1 | 53 | UDP |
| 2024-11-21T16:53:03.175291+0100 | 2057658 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) | 1 | 192.168.2.4 | 61931 | 1.1.1.1 | 53 | UDP |
| 2024-11-21T16:53:04.773518+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:04.773518+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:05.490496+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:05.490496+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:07.304425+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:07.304425+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:08.044029+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:08.044029+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:09.637707+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49736 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:09.637707+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:11.904443+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49737 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:11.904443+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:14.238396+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49738 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:14.238396+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:17.118224+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49740 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:17.118224+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:17.867851+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49740 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:19.296454+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49744 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:19.296454+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:22.158221+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.4 | 49746 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:22.158221+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49746 | 172.67.206.172 | 443 | TCP |
| 2024-11-21T16:53:22.898587+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49746 | 172.67.206.172 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 21, 2024 16:53:00.572503090 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:00.572559118 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:00.572662115 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:00.575666904 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:00.575695038 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:01.849714994 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:01.849845886 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:01.863226891 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:01.863284111 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:01.863715887 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:01.917469978 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:01.926575899 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:01.926626921 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:01.926695108 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:02.533148050 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:02.533242941 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:02.533350945 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:02.596353054 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:02.596406937 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:02.596448898 CET | 49733 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 21, 2024 16:53:02.596467018 CET | 443 | 49733 | 104.21.43.198 | 192.168.2.4 |
| Nov 21, 2024 16:53:03.501310110 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:03.501347065 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:03.501449108 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:03.501884937 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:03.501900911 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:04.773416042 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:04.773518085 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:04.776412010 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:04.776421070 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:04.776820898 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:04.778561115 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:04.778600931 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:04.778645992 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:05.490461111 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:05.490576982 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:05.490627050 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:05.505897045 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:05.505909920 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:05.505937099 CET | 49734 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:05.505943060 CET | 443 | 49734 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:06.040349960 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:06.040446997 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:06.040539026 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:06.041747093 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:06.041781902 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:07.304291964 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:07.304425001 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:07.306143999 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:07.306157112 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:07.306498051 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:07.307864904 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:07.307864904 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:07.307951927 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.043956995 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.044004917 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.044035912 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.044064999 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.044085979 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.044097900 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.044133902 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.044168949 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.044193029 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.046435118 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.054825068 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.054889917 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.054903030 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.063234091 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.063363075 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.063374996 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.104995966 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.105014086 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.151866913 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.165209055 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.214440107 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.251440048 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.255434990 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.255507946 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.255526066 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.255656958 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.255923033 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.255964041 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.255992889 CET | 49735 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.256011009 CET | 443 | 49735 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.370498896 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.370604038 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:08.370717049 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.371134996 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:08.371146917 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:09.637597084 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:09.637706995 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:09.639040947 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:09.639050007 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:09.639394999 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:09.640543938 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:09.640707970 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:09.640743017 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:09.640824080 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:09.640830994 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:10.517935991 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:10.518172979 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:10.518239021 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:10.518275023 CET | 49736 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:10.518294096 CET | 443 | 49736 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:10.630341053 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:10.630433083 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:10.630522966 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:10.630794048 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:10.630826950 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:11.904347897 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:11.904443026 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:11.908401966 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:11.908430099 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:11.908860922 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:11.910172939 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:11.910397053 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:11.910443068 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:12.672852039 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:12.673101902 CET | 443 | 49737 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:12.673131943 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:12.673170090 CET | 49737 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:12.973896027 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:12.973965883 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:12.974121094 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:12.974594116 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:12.974611044 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:14.238311052 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:14.238395929 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:14.239934921 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:14.239942074 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:14.240183115 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:14.241755962 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:14.241899967 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:14.241933107 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:14.242014885 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:14.242022038 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:15.154295921 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:15.154405117 CET | 443 | 49738 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:15.154814005 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:15.154901028 CET | 49738 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:15.788804054 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:15.788903952 CET | 443 | 49740 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:15.789011955 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:15.789582968 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:15.789602041 CET | 443 | 49740 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:17.118093014 CET | 443 | 49740 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:17.118223906 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:17.175429106 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:17.175477982 CET | 443 | 49740 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:17.176371098 CET | 443 | 49740 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:17.178092957 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:17.179014921 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:17.179033041 CET | 443 | 49740 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:17.867963076 CET | 443 | 49740 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:17.868215084 CET | 49740 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:18.010845900 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:18.010886908 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:18.011012077 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:18.011385918 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:18.011403084 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:19.296331882 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:19.296453953 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:19.298209906 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:19.298221111 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:19.298655033 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:19.300358057 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:19.300481081 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:19.300487995 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:20.804935932 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:20.805042028 CET | 443 | 49744 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:20.805248022 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:20.805274963 CET | 49744 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:20.935633898 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:20.935698032 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:20.935791016 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:20.937026024 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:20.937053919 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.158117056 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.158221006 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:22.160269022 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:22.160286903 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.160619974 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.173527002 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:22.173527956 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:22.173733950 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.898611069 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.898875952 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.898993015 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:22.910845995 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:22.910878897 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Nov 21, 2024 16:53:22.910938025 CET | 49746 | 443 | 192.168.2.4 | 172.67.206.172 |
| Nov 21, 2024 16:53:22.910955906 CET | 443 | 49746 | 172.67.206.172 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 21, 2024 16:53:00.244534969 CET | 65437 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 21, 2024 16:53:00.568051100 CET | 53 | 65437 | 1.1.1.1 | 192.168.2.4 |
| Nov 21, 2024 16:53:02.928236961 CET | 58217 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 21, 2024 16:53:03.167165995 CET | 53 | 58217 | 1.1.1.1 | 192.168.2.4 |
| Nov 21, 2024 16:53:03.175291061 CET | 61931 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 21, 2024 16:53:03.499919891 CET | 53 | 61931 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 21, 2024 16:53:00.244534969 CET | 192.168.2.4 | 1.1.1.1 | 0xf23b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 21, 2024 16:53:02.928236961 CET | 192.168.2.4 | 1.1.1.1 | 0xc6c2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 21, 2024 16:53:03.175291061 CET | 192.168.2.4 | 1.1.1.1 | 0x3a43 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 21, 2024 16:53:00.568051100 CET | 1.1.1.1 | 192.168.2.4 | 0xf23b | No error (0) | 104.21.43.198 | A (IP address) | IN (0x0001) | false | ||
| Nov 21, 2024 16:53:00.568051100 CET | 1.1.1.1 | 192.168.2.4 | 0xf23b | No error (0) | 172.67.184.174 | A (IP address) | IN (0x0001) | false | ||
| Nov 21, 2024 16:53:03.167165995 CET | 1.1.1.1 | 192.168.2.4 | 0xc6c2 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Nov 21, 2024 16:53:03.499919891 CET | 1.1.1.1 | 192.168.2.4 | 0x3a43 | No error (0) | 172.67.206.172 | A (IP address) | IN (0x0001) | false | ||
| Nov 21, 2024 16:53:03.499919891 CET | 1.1.1.1 | 192.168.2.4 | 0x3a43 | No error (0) | 104.21.85.146 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49733 | 104.21.43.198 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:01 UTC | 261 | OUT | |
| 2024-11-21 15:53:01 UTC | 8 | OUT | |
| 2024-11-21 15:53:02 UTC | 992 | IN | |
| 2024-11-21 15:53:02 UTC | 9 | IN | |
| 2024-11-21 15:53:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49734 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:04 UTC | 264 | OUT | |
| 2024-11-21 15:53:04 UTC | 8 | OUT | |
| 2024-11-21 15:53:05 UTC | 1004 | IN | |
| 2024-11-21 15:53:05 UTC | 7 | IN | |
| 2024-11-21 15:53:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49735 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:07 UTC | 265 | OUT | |
| 2024-11-21 15:53:07 UTC | 86 | OUT | |
| 2024-11-21 15:53:08 UTC | 995 | IN | |
| 2024-11-21 15:53:08 UTC | 374 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN | |
| 2024-11-21 15:53:08 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49736 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:09 UTC | 281 | OUT | |
| 2024-11-21 15:53:09 UTC | 15331 | OUT | |
| 2024-11-21 15:53:09 UTC | 2827 | OUT | |
| 2024-11-21 15:53:10 UTC | 998 | IN | |
| 2024-11-21 15:53:10 UTC | 19 | IN | |
| 2024-11-21 15:53:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49737 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:11 UTC | 277 | OUT | |
| 2024-11-21 15:53:11 UTC | 8761 | OUT | |
| 2024-11-21 15:53:12 UTC | 1002 | IN | |
| 2024-11-21 15:53:12 UTC | 19 | IN | |
| 2024-11-21 15:53:12 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49738 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:14 UTC | 279 | OUT | |
| 2024-11-21 15:53:14 UTC | 15331 | OUT | |
| 2024-11-21 15:53:14 UTC | 5089 | OUT | |
| 2024-11-21 15:53:15 UTC | 996 | IN | |
| 2024-11-21 15:53:15 UTC | 19 | IN | |
| 2024-11-21 15:53:15 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49740 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:17 UTC | 281 | OUT | |
| 2024-11-21 15:53:17 UTC | 1258 | OUT | |
| 2024-11-21 15:53:17 UTC | 992 | IN | |
| 2024-11-21 15:53:17 UTC | 19 | IN | |
| 2024-11-21 15:53:17 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49744 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:19 UTC | 282 | OUT | |
| 2024-11-21 15:53:19 UTC | 1136 | OUT | |
| 2024-11-21 15:53:20 UTC | 998 | IN | |
| 2024-11-21 15:53:20 UTC | 19 | IN | |
| 2024-11-21 15:53:20 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.4 | 49746 | 172.67.206.172 | 443 | 4928 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-21 15:53:22 UTC | 266 | OUT | |
| 2024-11-21 15:53:22 UTC | 121 | OUT | |
| 2024-11-21 15:53:22 UTC | 993 | IN | |
| 2024-11-21 15:53:22 UTC | 54 | IN | |
| 2024-11-21 15:53:22 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:52:55 |
| Start date: | 21/11/2024 |
| Path: | C:\Users\user\Desktop\injector V2.5.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb20000 |
| File size: | 587'904 bytes |
| MD5 hash: | 96F89E1CB2A8789ACEE8720D872B4CC5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 10:52:55 |
| Start date: | 21/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 10:52:58 |
| Start date: | 21/11/2024 |
| Path: | C:\Users\user\Desktop\injector V2.5.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb20000 |
| File size: | 587'904 bytes |
| MD5 hash: | 96F89E1CB2A8789ACEE8720D872B4CC5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.1% |
| Dynamic/Decrypted Code Coverage: | 0.7% |
| Signature Coverage: | 4.2% |
| Total number of Nodes: | 1164 |
| Total number of Limit Nodes: | 20 |
Graph
Function 00B5D18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2D475 Relevance: 1.5, Strings: 1, Instructions: 206COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B50E88 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4D4CA Relevance: 3.2, APIs: 2, Instructions: 177COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4D2B2 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2A0B0 Relevance: 3.1, APIs: 2, Instructions: 64COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4C7CC Relevance: 3.0, APIs: 2, Instructions: 34COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4DC4B Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4DA59 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2B0E4 Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4EB9B Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B36330 Relevance: 77.7, Strings: 61, Instructions: 1445COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B39B80 Relevance: 45.8, Strings: 35, Instructions: 2072COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B41D30 Relevance: 32.0, Strings: 24, Instructions: 1978COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B3F340 Relevance: 19.6, Strings: 14, Instructions: 2099COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B47840 Relevance: 17.1, Strings: 13, Instructions: 886COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B35F60 Relevance: 9.0, Strings: 7, Instructions: 233COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2A36B Relevance: 9.0, Strings: 7, Instructions: 230COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B3D4A0 Relevance: 8.1, Strings: 6, Instructions: 552COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B33440 Relevance: 6.9, Strings: 5, Instructions: 687COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B33F80 Relevance: 6.8, Strings: 5, Instructions: 572COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B47330 Relevance: 6.6, Strings: 5, Instructions: 310COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2B964 Relevance: 6.5, Strings: 5, Instructions: 235COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4F731 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B496AF Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B44CD0 Relevance: 4.8, APIs: 3, Instructions: 287COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B41367 Relevance: 4.2, Strings: 3, Instructions: 413COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B34CC0 Relevance: 4.2, Strings: 3, Instructions: 404COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B37F54 Relevance: 4.0, Strings: 3, Instructions: 243COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2D07E Relevance: 4.0, Strings: 3, Instructions: 203COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B38129 Relevance: 2.7, Strings: 2, Instructions: 235COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2DA6C Relevance: 2.6, Strings: 2, Instructions: 149COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4F680 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B498D5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B496A3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B32AE7 Relevance: 1.5, Strings: 1, Instructions: 219COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B32B9B Relevance: 1.4, Strings: 1, Instructions: 156COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B32C40 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2D6B8 Relevance: 1.4, Strings: 1, Instructions: 131COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2CD0A Relevance: 1.3, Strings: 1, Instructions: 99COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2E350 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2E93A Relevance: 1.3, Strings: 1, Instructions: 84COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4CB10 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B355F0 Relevance: .6, Instructions: 552COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B44170 Relevance: .5, Instructions: 459COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B46CD0 Relevance: .4, Instructions: 395COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B25930 Relevance: .4, Instructions: 361COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B46800 Relevance: .3, Instructions: 282COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B34910 Relevance: .2, Instructions: 232COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B2A2F2 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 163fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B525C3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B448F0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 243COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4C89A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4A925 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B529E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B50C22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4F50E Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B5020A Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B5225C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 5.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 33.5% |
| Total number of Nodes: | 206 |
| Total number of Limit Nodes: | 4 |
Graph
Function 00439B70 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 614memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408FA0 Relevance: 7.7, APIs: 5, Instructions: 184threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CF82 Relevance: 6.6, Strings: 5, Instructions: 335COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409D80 Relevance: 4.1, Strings: 3, Instructions: 351COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440E40 Relevance: 2.6, Strings: 2, Instructions: 145COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A210 Relevance: 2.6, Strings: 2, Instructions: 83COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E730 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442140 Relevance: .3, Instructions: 317COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CA52 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CD42 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C991 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C916 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C3F0 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C380 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CF44 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409940 Relevance: 10.4, Strings: 8, Instructions: 404COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004202F0 Relevance: 8.3, Strings: 6, Instructions: 838COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4F680 Relevance: 6.3, APIs: 4, Instructions: 291fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B496AF Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441A90 Relevance: 1.6, Strings: 1, Instructions: 300COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441460 Relevance: 1.4, Strings: 1, Instructions: 161COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440C90 Relevance: 1.4, Strings: 1, Instructions: 136COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043FF20 Relevance: 1.0, Instructions: 966COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440300 Relevance: .7, Instructions: 691COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D4B9 Relevance: .2, Instructions: 230COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A720 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BD40 Relevance: .2, Instructions: 175COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A5D0 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E59B Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F10 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004411B0 Relevance: .1, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B525C3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B448F0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 243COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4C89A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4A925 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B50E88 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B529E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B50C22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4F50E Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B4FAB4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B5020A Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B5225C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|