Edit tour
Windows
Analysis Report
RHxJqGoGFB.exe
Overview
General Information
Sample name: | RHxJqGoGFB.exerenamed because original name is a hash value |
Original sample name: | 2e6402a52ca73f3390ee4f703a1f509a3f2e05220034b1b36c013a083a1222bd.exe |
Analysis ID: | 1563008 |
MD5: | 4f7fa0b66a6e153089ab00199b04356b |
SHA1: | 7c2a6d1a21501502e2186ca493a1069909bba703 |
SHA256: | 2e6402a52ca73f3390ee4f703a1f509a3f2e05220034b1b36c013a083a1222bd |
Tags: | 86-104-74-51exeuser-JAMESWT_MHT |
Infos: | |
Detection
Sality
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Sality
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Connects to several IPs in different countries
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- RHxJqGoGFB.exe (PID: 7300 cmdline:
"C:\Users\ user\Deskt op\RHxJqGo GFB.exe" MD5: 4F7FA0B66A6E153089AB00199B04356B) - conhost.exe (PID: 7308 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - fontdrvhost.exe (PID: 776 cmdline:
"fontdrvho st.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F) - fontdrvhost.exe (PID: 784 cmdline:
"fontdrvho st.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F) - ShellExperienceHost.exe (PID: 7460 cmdline:
"C:\Window s\SystemAp ps\ShellEx perienceHo st_cw5n1h2 txyewy\She llExperien ceHost.exe " -ServerN ame:App.Ap pXtk181tbx bce2qsex02 s8tw7hfxa9 xb3t.mca MD5: 9B8DE9D4EDF68EEF2C1E490ABC291567) - dwm.exe (PID: 988 cmdline:
"dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C) - RuntimeBroker.exe (PID: 7732 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - sihost.exe (PID: 3420 cmdline:
sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80) - svchost.exe (PID: 3456 cmdline:
C:\Windows \system32\ svchost.ex e -k Unist ackSvcGrou p -s CDPUs erSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 3528 cmdline:
C:\Windows \system32\ svchost.ex e -k Unist ackSvcGrou p -s WpnUs erService MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - ctfmon.exe (PID: 3832 cmdline:
"ctfmon.ex e" MD5: B625C18E177D5BEB5A6F6432CCF46FB3) - explorer.exe (PID: 2580 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - svchost.exe (PID: 4196 cmdline:
C:\Windows \system32\ svchost.ex e -k Clipb oardSvcGro up -p -s c bdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - StartMenuExperienceHost.exe (PID: 4660 cmdline:
"C:\Window s\SystemAp ps\Microso ft.Windows .StartMenu Experience Host_cw5n1 h2txyewy\S tartMenuEx perienceHo st.exe" -S erverName: App.AppXyw brabmsek0g m3tkwpr5kw zbs55tkqay .mca MD5: 5CDDF06A40E89358807A2B9506F064D9) - RuntimeBroker.exe (PID: 4872 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - SearchApp.exe (PID: 4984 cmdline:
"C:\Window s\SystemAp ps\Microso ft.Windows .Search_cw 5n1h2txyew y\SearchAp p.exe" -Se rverName:C ortanaUI.A ppX8z9r6jm 96hw4bsbne egw0kyxx29 6wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168) - RuntimeBroker.exe (PID: 5092 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - smartscreen.exe (PID: 5584 cmdline:
C:\Windows \System32\ smartscree n.exe -Emb edding MD5: 02FB7069B8D8426DC72C9D8A495AF55A) - TextInputHost.exe (PID: 3788 cmdline:
"C:\Window s\SystemAp ps\Microso ftWindows. Client.CBS _cw5n1h2tx yewy\TextI nputHost.e xe" -Serve rName:Inpu tApp.AppXj d5de1g66v2 06tj52m9d0 dtpppx4cgp n.mca MD5: F050189D49E17D0D340DE52E9E5B711F) - RuntimeBroker.exe (PID: 5116 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - RuntimeBroker.exe (PID: 1532 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - ApplicationFrameHost.exe (PID: 5736 cmdline:
C:\Windows \system32\ Applicatio nFrameHost .exe -Embe dding MD5: D58A8A987A8DAFAD9DC32A548CC061E7) - WinStore.App.exe (PID: 2524 cmdline:
"C:\Progra m Files\Wi ndowsApps\ Microsoft. WindowsSto re_11910.1 002.5.0_x6 4__8wekyb3 d8bbwe\Win Store.App. exe" -Serv erName:App .AppXc75wv wned5vhz4x yxxecvgdjh dkgsdza.mc a MD5: 6C44453CD661FC2DB18E4C09C4940399) - RuntimeBroker.exe (PID: 1760 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - SystemSettings.exe (PID: 6060 cmdline:
"C:\Window s\Immersiv eControlPa nel\System Settings.e xe" -Serve rName:micr osoft.wind ows.immers ivecontrol panel MD5: 3CD3CD85226FCF576DFE9B70B6DA2630) - UserOOBEBroker.exe (PID: 3924 cmdline:
C:\Windows \System32\ oobe\UserO OBEBroker. exe -Embed ding MD5: BCE744909EB87F293A85830D02B3D6EB) - svchost.exe (PID: 4600 cmdline:
C:\Windows \system32\ svchost.ex e -k Unist ackSvcGrou p MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - dllhost.exe (PID: 2288 cmdline:
C:\Windows \system32\ DllHost.ex e /Process id:{3EB3C8 77-1F16-48 7C-9050-10 4DBCD66683 } MD5: 08EB78E5BE019DF044C26B14703BD1FA) - conhost.exe (PID: 3688 cmdline:
C:\Windows \system32\ conhost.ex e 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RuntimeBroker.exe (PID: 3548 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - RuntimeBroker.exe (PID: 5000 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 3632 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 5728 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 5100 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 5296 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 2336 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 5984 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 2564 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - kgTxkwCMEtRJHvgbWwUB.exe (PID: 3604 cmdline:
"C:\Progra m Files (x 86)\bhLpQO YLVRtOCiph tvfkMjMamk HSiOTVodwF adhXQze\kg TxkwCMEtRJ HvgbWwUB.e xe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Sality | F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware.Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.InfectionSality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult.Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.PayloadOnce installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine. |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Sality | Yara detected Sality | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
| |
JoeSecurity_Sality | Yara detected Sality | Joe Security | ||
INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
| |
JoeSecurity_Sality | Yara detected Sality | Joe Security | ||
INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
|
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: vburov: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-26T11:42:11.899329+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:16.743004+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:21.684084+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:26.565787+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:31.368788+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:36.200224+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:41.050525+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:45.964254+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:50.728667+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:55.543033+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:00.519992+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:05.291200+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:10.085351+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49774 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:14.964564+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49786 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:19.753858+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:24.934464+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49808 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:30.379426+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49819 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:35.273608+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49834 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:40.463057+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49846 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:45.715241+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49857 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:50.655396+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49868 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:55.459153+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49880 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:00.276318+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49891 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:05.354825+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49902 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:11.156348+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49914 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:16.040513+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49925 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:20.885968+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49940 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:25.781545+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49951 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:30.615302+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49962 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:35.444529+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49973 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:40.366730+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49984 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:45.244056+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49995 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:50.147625+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:55.298067+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:00.538110+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:05.399094+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50042 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:10.307722+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50043 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:15.407489+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50044 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:20.712933+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50045 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:25.593889+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50046 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:30.698514+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50047 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:35.698392+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50048 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:41.155369+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50049 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:46.228245+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50050 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:51.090228+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50051 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:56.062306+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50052 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:46:00.949414+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50053 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:46:05.871611+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50054 | 46.105.103.219 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-26T11:42:11.899329+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:16.743004+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:21.684084+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:26.565787+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:31.368788+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49745 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:36.200224+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49746 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:41.050525+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49747 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:45.964254+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49748 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:50.728667+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49749 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:42:55.543033+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49750 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:00.519992+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49752 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:05.291200+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49759 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:10.085351+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49774 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:14.964564+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49786 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:19.753858+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49797 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:24.934464+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49808 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:30.379426+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49819 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:35.273608+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49834 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:40.463057+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49846 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:45.715241+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49857 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:50.655396+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49868 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:43:55.459153+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49880 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:00.276318+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49891 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:05.354825+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49902 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:11.156348+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49914 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:16.040513+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49925 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:20.885968+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49940 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:25.781545+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49951 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:30.615302+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49962 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:35.444529+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49973 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:40.366730+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49984 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:45.244056+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49995 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:50.147625+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50006 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:44:55.298067+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50019 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:00.538110+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50032 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:05.399094+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50042 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:10.307722+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50043 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:15.407489+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50044 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:20.712933+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50045 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:25.593889+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50046 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:30.698514+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50047 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:35.698392+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50048 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:41.155369+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50049 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:46.228245+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50050 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:51.090228+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50051 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:45:56.062306+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50052 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:46:00.949414+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50053 | 46.105.103.219 | 80 | TCP |
2024-11-26T11:46:05.871611+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50054 | 46.105.103.219 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Spreading |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File created: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |