Windows
Analysis Report
fkydjyhjadg.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- fkydjyhjadg.exe (PID: 7644, cmdline: "C:\Users\user\Desktop\fkydjyhjadg.exe", MD5: B2C8BF8A5797D9EE73C205E27CFDBBFB)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-30T22:30:25.324602+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:28.409310+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:31.200859+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:33.849234+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:36.656991+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:40.015292+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:43.202591+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:47.705064+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 172.67.165.166 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-30T22:30:27.042968+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:29.523262+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:48.487809+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 172.67.165.166 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-30T22:30:27.042968+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-30T22:30:29.523262+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-30T22:30:40.876959+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49711 | 172.67.165.166 | 443 | TCP |
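The five tables above are one Suricata rule per table. Read together they show eight TLS connections from 192.168.2.8 to 172.67.165.166:443 in roughly 22 seconds: the generic SID 2028371 fires on every connection, and the severity-1 rules (2054653, 2049836, 2049812, 2048094) confirm the C2 channel on a subset of them. The Python below is an added example, not part of the Joe Sandbox report: it re-parses those rows (transcribed inline as constructed input) to pivot by destination, measure the beacon cadence and apply a simple triage rule; the thresholds (at least 5 flows within 60 s) are assumptions. Because 172.67.165.166 belongs to CLOUDFLARENETUS (AS13335) and the same address appears further down against a FormBook sample, the durable indicator is the domain atten-supporse.biz together with the rule hits, not the IP.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# The alert rows from the Suricata tables above, transcribed inline
# (constructed input so the example runs offline; values are the report's).
ALERT_ROWS = """\
2024-11-30T22:30:25.324602+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:28.409310+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:31.200859+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:33.849234+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:36.656991+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:40.015292+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:43.202591+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:47.705064+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:27.042968+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:29.523262+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:48.487809+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:27.042968+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:29.523262+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP
2024-11-30T22:30:40.876959+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49711 | 172.67.165.166 | 443 | TCP
"""

FIELDS = ("ts", "sid", "severity", "classtype", "src", "sport", "dst", "dport", "proto")


def parse_alerts(text):
    """Parse pipe-separated alert rows into dicts with typed fields; skips header rows."""
    alerts = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(FIELDS) or not cells[1].isdigit():
            continue
        row = dict(zip(FIELDS, cells))
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for k in ("sid", "severity", "sport", "dport"):
            row[k] = int(row[k])
        alerts.append(row)
    return alerts


def summarize_by_destination(alerts):
    """Pivot on destination IP: rules that fired, worst severity, distinct flows, time span."""
    summary = defaultdict(lambda: {"sids": set(), "min_severity": 9, "flows": set(),
                                   "first": None, "last": None})
    for a in alerts:
        s = summary[a["dst"]]
        s["sids"].add(a["sid"])
        s["min_severity"] = min(s["min_severity"], a["severity"])
        s["flows"].add((a["src"], a["sport"], a["dport"], a["proto"]))
        s["first"] = a["ts"] if s["first"] is None else min(s["first"], a["ts"])
        s["last"] = a["ts"] if s["last"] is None else max(s["last"], a["ts"])
    return dict(summary)


def connection_cadence(alerts, dst):
    """Seconds between successive new connections (one per source port) to dst."""
    first_seen = {}
    for a in alerts:
        if a["dst"] != dst:
            continue
        key = (a["src"], a["sport"])
        if key not in first_seen or a["ts"] < first_seen[key]:
            first_seen[key] = a["ts"]
    starts = sorted(first_seen.values())
    return [(later - earlier).total_seconds() for earlier, later in zip(starts, starts[1:])]


def triage(alerts, min_flows=5, window_s=60.0):
    """Destinations with a severity-1 rule hit plus a burst of short-lived flows (assumed rule)."""
    hits = []
    for dst, s in summarize_by_destination(alerts).items():
        span = (s["last"] - s["first"]).total_seconds()
        if s["min_severity"] == 1 and len(s["flows"]) >= min_flows and span <= window_s:
            hits.append(dst)
    return hits


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    for dst, s in summarize_by_destination(alerts).items():
        gaps = connection_cadence(alerts, dst)
        print(f"{dst}: SIDs {sorted(s['sids'])}, {len(s['flows'])} flows, "
              f"median gap {median(gaps):.2f}s over {(s['last'] - s['first']).total_seconds():.1f}s")
    print("C2 candidates:", triage(alerts))
```

On the rows above the cadence comes out at a median gap of about 3.1 s between new connections, with every connection torn down and re-established on a fresh source port; that short-interval reconnect pattern is what turns one "Unknown Traffic" hit into a C2 finding even before the severity-1 rules fire.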
AV Detection |
---|
- Avira: 1 entry
- ReversingLabs: 1 entry
- Integrated Neural Analysis Model: 1 entry
- Joe Sandbox ML: 1 entry
- Static PE information: 1 entry
- HTTPS traffic detected: 8 entries (connection details not preserved)
Networking |
---|
- Suricata IDS: 6 entries
- IP Address: 2 entries
- JA3 fingerprint: 1 entry
- Suricata IDS: 8 entries
- HTTP traffic detected: 9 entries
- TCP traffic detected without corresponding DNS query: 5 entries
- UDP traffic detected without corresponding DNS query: 1 entry
- HTTP traffic detected: 1 entry
- DNS traffic detected: 1 entry
- HTTP traffic detected: 1 entry
- String found in binary or memory: 50 entries (strings not preserved)
- Network traffic detected: 16 entries
- HTTPS traffic detected: 8 entries
System Summary |
---|
- Static PE information: 6 entries
- Code function: 0_3_009B3EB6, 0_3_009B4059, 0_3_009B406B
- Static PE information: 1 entry
- Static PE information: 2 entries
- Classification label: 1 entry
- Key opened: 2 entries
- Key opened: 1 entry
- Binary or memory string: 1 entry
- ReversingLabs: 1 entry
- File read: 1 entry
- Section loaded: 39 entries (module names not preserved)
- Static file information: 1 entry
Data Obfuscation |
---|
- Unpacked PE file: 1 entry
- Static PE information: 6 entries
- Code function: 31 entries at 0_3_00A10A21, 0_3_00A10F31, 0_3_00A10DB1, 0_3_00A10B91, 0_3_00A0BA65, 0_3_00A10B81
- Static PE information: 5 entries
- Process information set: 1 entry
Malware Analysis System Evasion |
---|
- System information queried: 1 entry
- Window / User API: 1 entry
- Thread sleep count: 2 entries
- Thread sleep time: 3 entries
- WMI Queries: 1 entry
- Binary or memory string: 39 entries (strings not preserved)
- Process information queried: 1 entry
Anti Debugging |
---|
- Thread information set: 2 entries
- Queries volume information: 1 entry
- Binary or memory string: 1 entry
- WMI Queries: 1 entry
Stealing of Sensitive Information |
---|
- File source: 2 entries
- String found in binary or memory: 7 entries
- File opened: 108 entries (paths not preserved)
- File opened: 12 entries (paths not preserved)
- Directory queried: 43 entries (paths not preserved)
- File source: 3 entries
Remote Access Functionality |
---|
- File source: 2 entries
In the matrix below, the number in front of a technique is the count of signatures that matched it in this analysis; entries without a number are the matrix scaffold and did not fire.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Obfuscated Files or Information | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Software Packing | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 21 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
fkydjyhjadg.exe | 47% | ReversingLabs | Win32.Trojan.LummaStealer | |
fkydjyhjadg.exe | 100% | Avira | HEUR/AGEN.1314134 | |
fkydjyhjadg.exe | 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11 URLs (not preserved) | 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
atten-supporse.biz | 172.67.165.166 | true | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(not preserved) | false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
38 URLs (names and sources not preserved) | | false for all 38 | | high for 27, unknown for 11 |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
147.45.47.81 | unknown | Russian Federation | | 2895 | FREE-NET-ASFREEnetEU | false |
172.67.165.166 | atten-supporse.biz | United States | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1565835 |
Start date and time: | 2024-11-30 22:29:31 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | fkydjyhjadg.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/2 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target fkydjyhjadg.exe, PID 7644, because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big: too many NtOpenFile calls found
- Report size getting too big: too many NtOpenKeyEx calls found
- Report size getting too big: too many NtQueryValueKey calls found
- Some HTTPS proxied raw data packets have been limited to 10 per session; view the PCAPs for the complete data
- VT rate limit hit for: fkydjyhjadg.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
147.45.47.81 | Get hash | malicious | LummaC Stealer | Browse |
| |
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC, Xmrig | Browse |
| ||
Get hash | malicious | LummaC, Xmrig | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | RedLine, Xmrig | Browse |
| ||
Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse |
| ||
Get hash | malicious | RedLine, Xmrig | Browse |
| ||
172.67.165.166 | Get hash | malicious | FormBook | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
atten-supporse.biz | Get hash | malicious | LummaC Stealer | Browse |
| |
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
|
Match | Detection | Threat Name |
---|---|---|
FREE-NET-ASFREEnetEU | malicious | Amadey |
FREE-NET-ASFREEnetEU | malicious | Unknown |
FREE-NET-ASFREEnetEU | malicious | HTMLPhisher |
FREE-NET-ASFREEnetEU | malicious | Raccoon Stealer v2 |
FREE-NET-ASFREEnetEU | malicious | Unknown |
FREE-NET-ASFREEnetEU | malicious | Unknown |
FREE-NET-ASFREEnetEU | malicious | LummaC |
FREE-NET-ASFREEnetEU | malicious | LummaC Stealer |
FREE-NET-ASFREEnetEU | malicious | LummaC Stealer |
FREE-NET-ASFREEnetEU | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | CredGrabber, Meduza Stealer |
CLOUDFLARENETUS | malicious | CredGrabber, Meduza Stealer |
CLOUDFLARENETUS | malicious | CredGrabber, Meduza Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
File type: | |
Entropy (8bit): | 7.986396852374167 |
TrID: | |
File name: | fkydjyhjadg.exe |
File size: | 1'278'464 bytes |
MD5: | b2c8bf8a5797d9ee73c205e27cfdbbfb |
SHA1: | da8b2fa38e7c0fef5d13cef94f0028b75e05e8ab |
SHA256: | 784bcd0555e5e1ab25b212f28bd84b64eac99270afb0a73fb4cd92fb737d6c7f |
SHA512: | aa5d2bdb1d00faf877502c35ef5716c5ccfde18c26deebd7436e246b9a82069fd8834b8b8c24adfdf5bf89385c214b49ec4c5d6021f6ac72b0d8b998ad223ec2 |
SSDEEP: | 24576:kMnfGPxgVa9CaVmOqF3x3UtfwDwxOD9xD5CDRQ7jb52OGxu:kMfGPxgOVpo3xcbc9B5CDRQ7jb50u |
TLSH: | 794533645B303F8ECDFBF87DA551F05553A580C2683A48B72A1A30E61B16F1A866DF3C |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...@0Gg............................&.............@...........................;...........@................................. p-.... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x412e26 |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67473040 [Wed Nov 27 14:44:16 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 71cc5af9daad65e58c6f29c42cdf9201 |
Instruction (decoded from entrypoint 0x412e26; the first five lines are a Delphi-style prologue and call, after which the bytes no longer decode as code: the `call far` operand bytes 83 C4 10 8B E5 5D are `add esp, 10h; mov esp, ebp; pop ebp`, and everything below is high-entropy section data, consistent with the 7.998 entropy of the section that holds the entrypoint) |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 00401000h |
call 00007F3FF51BD2C6h |
call far 5DE5h : 8B10C483h |
jmp 00007F3FF5564E6Bh |
clc |
out dx, eax |
jl 00007F3FF51BD2D4h |
ror esi, 58h |
idiv ecx |
pop esp |
inc ebx |
push FFFFFF91h |
cmc |
je 00007F3FF51BD2B0h |
jnp 00007F3FF51BD2C7h |
loop 00007F3FF51BD252h |
xor dword ptr [eax+12C4CA68h], edx |
or eax, A43B4ECEh |
jno 00007F3FF51BD2AEh |
xor al, 45h |
xchg eax, esp |
mov dh, EFh |
sub ah, bl |
adc al, 34h |
test dword ptr [ebx], ebx |
sub dword ptr [ebx], 91F45039h |
in al, dx |
fiadd word ptr [eax+03h] |
or esp, 4AAD09B9h |
outsd |
xchg eax, edi |
rcr dword ptr [edi-0Dh], 1 |
in al, dx |
scasd |
jnbe 00007F3FF51BD254h |
or byte ptr [edi+09h], ah |
mov dword ptr [edi+79EF9FADh], ebp |
neg dword ptr [esi+06D6ED82h] |
test bl, cl |
rcr dword ptr [edi+0Eh], 7Dh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d7020 | 0x214 | .data |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d7000 | 0xc | .data |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
(no name) | 0x1000 | 0x3f000 | 0x20c00 | 291cb6b731d751a3a5ad7d4700c065c2 | False | 0.9995601741412213 | data | 7.998422403780575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
(no name) | 0x40000 | 0x3000 | 0xe00 | eb0251cae712b406f53eab2655310b31 | False | 0.9854910714285714 | data | 7.89367915472244 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
(no name) | 0x43000 | 0x10000 | 0x3400 | c90969e3e7fb0b289f08ec7164487f8c | False | 0.9749849759615384 | data | 7.921647567448789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
(no name) | 0x53000 | 0x1000 | 0x200 | 7eb0f77a1f13999a37f83a792b059f74 | False | 0.04296875 | data | 0.1794325416558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
(no name) | 0x54000 | 0x4000 | 0x2400 | d2c0ad62bad5c504992f11666e796a04 | False | 0.9557291666666666 | DOS executable (COM) | 7.846300396379283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
(no name) | 0x58000 | 0x27f000 | 0x2ba00 | 9b19b508d4406778a910449fe32d2472 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.data | 0x2d7000 | 0xe5000 | 0xe5000 | 52cbf0d50064185d3c6bd937f4949469 | False | 0.996925320687773 | data | 7.977531258783219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
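The section layout above is what a reviewer reads as a packer signature: six of the seven sections have no name, every section is mapped writable and executable, the entropies sit between 7.85 and 7.998 (apart from the tiny 0x53000 section at 0.18 and the 0x58000 section, whose values the report could not compute), and the 0x58000 section reserves 0x27f000 bytes of virtual space for 0x2ba00 bytes on disk. As an added example, not code from the report or from Joe Sandbox, the following stand-alone checker reproduces those indicators on a PE file: it walks the headers with `struct`, computes per-section entropy, and flags nameless, writable+executable, high-entropy and over-reserved sections plus the one holding the entry point. The thresholds and the minimal PE it assembles as input are assumptions made for the example.

```python
"""Section-level packer triage for a PE file (added example, not part of the report)."""
import math
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Thresholds are assumptions chosen for this example, not values taken from the report.
HIGH_ENTROPY = 7.2
VSIZE_RATIO = 4.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rsize": rsize, "characteristics": chars,
            "entropy": shannon_entropy(pe[rptr:rptr + rsize]),
        })
    return {"entry_rva": entry_rva, "sections": sections}


def section_findings(sec: dict, entry_rva: int) -> list:
    """Packer indicators that apply to one section."""
    out = []
    chars = sec["characteristics"]
    if not sec["name"]:
        out.append("nameless")
    if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
        out.append("writable+executable")
    if sec["entropy"] >= HIGH_ENTROPY:
        out.append("high entropy %.2f" % sec["entropy"])
    if sec["rsize"] and sec["vsize"] / sec["rsize"] >= VSIZE_RATIO:
        out.append("vsize/rsize %.1fx" % (sec["vsize"] / sec["rsize"]))
    if sec["va"] <= entry_rva < sec["va"] + max(sec["vsize"], sec["rsize"]):
        out.append("contains entry point")
    return out


def triage(pe: bytes) -> dict:
    """Findings per section; 'likely_packed' when any one section stacks three or more."""
    info = parse_pe(pe)
    findings = {}
    for i, sec in enumerate(info["sections"]):
        findings[sec["name"] or "<nameless #%d>" % i] = section_findings(sec, info["entry_rva"])
    return {"likely_packed": any(len(f) >= 3 for f in findings.values()), "findings": findings}


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal PE32 from (name, characteristics, virtual_size, data) tuples.
    Constructed test input for this example only; it is not the analysed sample."""
    opt_size = 224
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # entry point in the first section
    table, blobs, rptr, va = b"", b"", headers_len, 0x1000
    for name, chars, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, len(data), rptr, 0, 0, 0, 0, chars)
        blobs += data
        rptr += len(data)
        va += (max(vsize, len(data)) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + bytes(opt) + table + blobs


RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SAMPLE_PE = build_sample_pe([
    ("", RWX, 0x20000, bytes(range(256)) * 16),                    # nameless, RWX, entropy 8.0, 32x vsize
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, 0x100,
     b"This program cannot be run in DOS mode.\r\n" * 6),           # ordinary read-only data
])

if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    for name, found in result["findings"].items():
        print("%-14s %s" % (name, ", ".join(found) or "-"))
    print("likely packed:", result["likely_packed"])
```

Run against a real file with `triage(open(path, "rb").read())`; the checker reads only the fields it needs, so malformed headers raise rather than being silently skipped, which is the behaviour you want in a triage pipeline.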
DLL | Import (statically, only the loader set GetModuleHandleA/GetProcAddress/ExitProcess/LoadLibraryA from kernel32 plus a single function per other DLL; everything else the sample uses has to be resolved at runtime through GetProcAddress) |
---|---|
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
user32.dll | MessageBoxA |
advapi32.dll | RegCloseKey |
oleaut32.dll | SysFreeString |
gdi32.dll | CreateFontA |
shell32.dll | ShellExecuteA |
version.dll | GetFileVersionInfoA |
ole32.dll | CoCreateInstance |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-30T22:30:25.324602+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:27.042968+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:27.042968+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:28.409310+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:29.523262+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:29.523262+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:31.200859+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:33.849234+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:36.656991+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:40.015292+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49711 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:40.876959+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49711 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:43.202591+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49714 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:47.705064+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49715 | 172.67.165.166 | 443 | TCP |
2024-11-30T22:30:48.487809+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49715 | 172.67.165.166 | 443 | TCP |
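The eight severity-3 alerts above (SID 2028371) fire on the JA3 fingerprint of the client's TLS ClientHello rather than on payload, which is why the rule name says "Possible" and why they only become actionable together with the severity-1 Lumma signatures on the same flows. As an added example that is not part of the report, the following computes a JA3 string and hash from a ClientHello: ClientHello version, cipher suites, extension types, supported groups and EC point formats, each with GREASE values removed, joined with commas and MD5-hashed. The ClientHello it parses is constructed inline; the server name, cipher list and extension set are arbitrary choices for the example.

```python
"""JA3 fingerprint of a TLS ClientHello (added example, not part of the report)."""
import hashlib
import struct


def is_grease(v: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are excluded from the fingerprint."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_from_client_hello(record: bytes):
    """Parse a TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                  # handshake type + 3-byte length
    version = struct.unpack_from("!H", hs, p)[0]
    p += 2 + 32                                            # version, random
    p += 1 + hs[p]                                         # session id
    cs_len = struct.unpack_from("!H", hs, p)[0]
    p += 2
    ciphers = [c[0] for c in struct.iter_unpack("!H", hs[p:p + cs_len])]
    p += cs_len
    p += 1 + hs[p]                                         # compression methods
    ext_types, groups, formats = [], [], []
    if p < len(hs):
        ext_len = struct.unpack_from("!H", hs, p)[0]
        p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack_from("!HH", hs, p)
            p += 4
            body = hs[p:p + elen]
            p += elen
            ext_types.append(etype)
            if etype == 10:                                # supported_groups
                n = struct.unpack_from("!H", body, 0)[0]
                groups = [g[0] for g in struct.iter_unpack("!H", body[2:2 + n])]
            elif etype == 11:                              # ec_point_formats
                formats = list(body[1:1 + body[0]])
    ja3 = ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if not is_grease(c)),
        "-".join(str(e) for e in ext_types if not is_grease(e)),
        "-".join(str(g) for g in groups if not is_grease(g)),
        "-".join(str(f) for f in formats),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers, extensions) -> bytes:
    """Wrap a ClientHello in a TLS record; extensions is a list of (type, body) pairs.
    Constructed test input for this example, not a capture from the sandbox."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                         # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni(host: bytes) -> bytes:
    entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type host_name
    return struct.pack("!H", len(entry)) + entry


SAMPLE_HELLO = build_client_hello(
    0x0303,                                                    # TLS 1.2 in the ClientHello
    [0x0A0A, 0x1301, 0xC02B, 0x002F],                          # GREASE, AES128-GCM TLS1.3, ECDHE AES128, RSA AES128
    [(0x2A2A, b"\x00"),                                        # GREASE extension
     (0, sni(b"example.invalid")),                             # server_name (hypothetical host)
     (10, struct.pack("!HHH", 4, 0x001D, 0x0017)),             # supported_groups: x25519, secp256r1
     (11, b"\x01\x00"),                                        # ec_point_formats: uncompressed
     (23, b"")])                                               # extended_master_secret

if __name__ == "__main__":
    s, h = ja3_from_client_hello(SAMPLE_HELLO)
    print(s)
    print(h)
```

Pivoting on the hash alone is weak evidence: many TLS stacks share a ClientHello shape, so a JA3 match identifies a client library, not a family, and needs a co-occurring content signature or a destination with its own reputation before it is escalated.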
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 30, 2024 22:30:23.955790997 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:23.955842972 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:23.955919027 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:23.958888054 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:23.958905935 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:25.324507952 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:25.324601889 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:25.382780075 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:25.382797003 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:25.383043051 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:25.433723927 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:25.915721893 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:25.915750027 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:25.915889025 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:27.042978048 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:27.043066025 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:27.043126106 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:27.045078039 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:27.045099020 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:27.045109987 CET | 49706 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:27.045114994 CET | 443 | 49706 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:27.088186026 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:27.088239908 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:27.088329077 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:27.088619947 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:27.088646889 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:28.409220934 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:28.409310102 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:28.505971909 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:28.505992889 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:28.506303072 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:28.526731968 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:28.526766062 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:28.526819944 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.523248911 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.523508072 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.523538113 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.523555994 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.523574114 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.523622036 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.523992062 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.531552076 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.531599045 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.531608105 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.533289909 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.533338070 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.533345938 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.541735888 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.541781902 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.541789055 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.589936018 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.643102884 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.683700085 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.683718920 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.728256941 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.728287935 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.728306055 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.728319883 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.728358984 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.728365898 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.728384018 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.728423119 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.728547096 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.728565931 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.728575945 CET | 49707 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.728583097 CET | 443 | 49707 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.839622021 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.839643002 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:29.839715958 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.840169907 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:29.840181112 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:31.200746059 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:31.200859070 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:31.202172041 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:31.202183008 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:31.202409983 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:31.203493118 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:31.203618050 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:31.203655958 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:32.333179951 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:32.333260059 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:32.333302975 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:32.333467960 CET | 49708 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:32.333477020 CET | 443 | 49708 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:32.490160942 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:32.490190983 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:32.490264893 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:32.490639925 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:32.490657091 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:33.849153996 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:33.849234104 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:33.850527048 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:33.850533009 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:33.851058960 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:33.852293968 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:33.852436066 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:33.852504969 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:33.852560997 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:33.899333954 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:34.747731924 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:34.747834921 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:34.747898102 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:34.768475056 CET | 49709 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:34.768498898 CET | 443 | 49709 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:35.440025091 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:35.440072060 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:35.440129995 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:35.440707922 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:35.440721035 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:36.656899929 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:36.656991005 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:36.658245087 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:36.658251047 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:36.658480883 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:36.662481070 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:36.662601948 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:36.662632942 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:36.662727118 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:36.662734985 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:37.856230974 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:37.856327057 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:37.856386900 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:38.212505102 CET | 49710 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:38.212537050 CET | 443 | 49710 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:38.724136114 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:38.724186897 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:38.724247932 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:38.724591970 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:38.724610090 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:40.015224934 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:40.015291929 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:40.017123938 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:40.017131090 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:40.017359018 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:40.018771887 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:40.018893003 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:40.018898964 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:40.876966953 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:40.877068043 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:40.877147913 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:40.877708912 CET | 49711 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:40.877747059 CET | 443 | 49711 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:41.985409975 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:41.985471964 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:41.985542059 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:41.985908031 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:41.985925913 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.202337980 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.202590942 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.206296921 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.206309080 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.206564903 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.212477922 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.212477922 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.212522030 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.213438034 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.213476896 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.214354038 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.214402914 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.214551926 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.214580059 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.214724064 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.214760065 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.214937925 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.214963913 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.214972019 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.214984894 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.215116024 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.215142012 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.215173006 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.215502977 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.215532064 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.259322882 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.259481907 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.259524107 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.259555101 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.259572983 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:43.259628057 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:43.259649038 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:46.389887094 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:46.389965057 CET | 443 | 49714 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:46.390217066 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:46.390270948 CET | 49714 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:46.399449110 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:46.399487019 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:46.399549961 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:46.399862051 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:46.399874926 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:47.704998970 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:47.705064058 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:47.706497908 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:47.706506968 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:47.706753969 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:47.708097935 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:47.708203077 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:47.708240986 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:48.487804890 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:48.487896919 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:48.488164902 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:48.488274097 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:48.488289118 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:48.488297939 CET | 49715 | 443 | 192.168.2.8 | 172.67.165.166 |
Nov 30, 2024 22:30:48.488303900 CET | 443 | 49715 | 172.67.165.166 | 192.168.2.8 |
Nov 30, 2024 22:30:48.489938021 CET | 49716 | 80 | 192.168.2.8 | 147.45.47.81 |
Nov 30, 2024 22:30:48.609827995 CET | 80 | 49716 | 147.45.47.81 | 192.168.2.8 |
Nov 30, 2024 22:30:48.609935999 CET | 49716 | 80 | 192.168.2.8 | 147.45.47.81 |
Nov 30, 2024 22:30:48.610131979 CET | 49716 | 80 | 192.168.2.8 | 147.45.47.81 |
Nov 30, 2024 22:30:48.730140924 CET | 80 | 49716 | 147.45.47.81 | 192.168.2.8 |
Nov 30, 2024 22:31:10.539182901 CET | 80 | 49716 | 147.45.47.81 | 192.168.2.8 |
Nov 30, 2024 22:31:10.539325953 CET | 49716 | 80 | 192.168.2.8 | 147.45.47.81 |
Nov 30, 2024 22:31:10.539407969 CET | 49716 | 80 | 192.168.2.8 | 147.45.47.81 |
Nov 30, 2024 22:31:10.659360886 CET | 80 | 49716 | 147.45.47.81 | 192.168.2.8 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 30, 2024 22:30:23.811773062 CET | 65045 | 53 | 192.168.2.8 | 1.1.1.1 |
Nov 30, 2024 22:30:23.949934006 CET | 53 | 65045 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 30, 2024 22:30:23.811773062 CET | 192.168.2.8 | 1.1.1.1 | 0x812b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 30, 2024 22:30:23.949934006 CET | 1.1.1.1 | 192.168.2.8 | 0x812b | No error (0) | | | 172.67.165.166 | A (IP address) | IN (0x0001) | false |
Nov 30, 2024 22:30:23.949934006 CET | 1.1.1.1 | 192.168.2.8 | 0x812b | No error (0) | | | 104.21.16.9 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49716 | 147.45.47.81 | 80 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 30, 2024 22:30:48.610131979 CET | 198 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49706 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:25 UTC | 265 | OUT | |
2024-11-30 21:30:25 UTC | 8 | OUT | |
2024-11-30 21:30:27 UTC | 1016 | IN | |
2024-11-30 21:30:27 UTC | 7 | IN | |
2024-11-30 21:30:27 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49707 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:28 UTC | 266 | OUT | |
2024-11-30 21:30:28 UTC | 49 | OUT | |
2024-11-30 21:30:29 UTC | 1022 | IN | |
2024-11-30 21:30:29 UTC | 347 | IN | |
2024-11-30 21:30:29 UTC | 1369 | IN | |
2024-11-30 21:30:29 UTC | 1369 | IN | |
2024-11-30 21:30:29 UTC | 1369 | IN | |
2024-11-30 21:30:29 UTC | 1369 | IN | |
2024-11-30 21:30:29 UTC | 1369 | IN | |
2024-11-30 21:30:29 UTC | 387 | IN | |
2024-11-30 21:30:29 UTC | 1369 | IN | |
2024-11-30 21:30:29 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.8 | 49708 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:31 UTC | 283 | OUT | |
2024-11-30 21:30:31 UTC | 12842 | OUT | |
2024-11-30 21:30:32 UTC | 1022 | IN | |
2024-11-30 21:30:32 UTC | 20 | IN | |
2024-11-30 21:30:32 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.8 | 49709 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:33 UTC | 276 | OUT | |
2024-11-30 21:30:33 UTC | 15029 | OUT | |
2024-11-30 21:30:34 UTC | 1024 | IN | |
2024-11-30 21:30:34 UTC | 20 | IN | |
2024-11-30 21:30:34 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.8 | 49710 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:36 UTC | 274 | OUT | |
2024-11-30 21:30:36 UTC | 15331 | OUT | |
2024-11-30 21:30:36 UTC | 4853 | OUT | |
2024-11-30 21:30:37 UTC | 1022 | IN | |
2024-11-30 21:30:37 UTC | 20 | IN | |
2024-11-30 21:30:37 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.8 | 49711 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:40 UTC | 282 | OUT | |
2024-11-30 21:30:40 UTC | 1224 | OUT | |
2024-11-30 21:30:40 UTC | 1016 | IN | |
2024-11-30 21:30:40 UTC | 20 | IN | |
2024-11-30 21:30:40 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.8 | 49714 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:43 UTC | 286 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:43 UTC | 15331 | OUT | |
2024-11-30 21:30:46 UTC | 1023 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.8 | 49715 | 172.67.165.166 | 443 | 7644 | C:\Users\user\Desktop\fkydjyhjadg.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-30 21:30:47 UTC | 266 | OUT | |
2024-11-30 21:30:47 UTC | 84 | OUT | |
2024-11-30 21:30:48 UTC | 1017 | IN | |
2024-11-30 21:30:48 UTC | 126 | IN | |
2024-11-30 21:30:48 UTC | 5 | IN |
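Read together, the Suricata alerts and the HTTPS session byte counts tell a sharper story than either does alone: the only signature named "Exfiltration" (SID 2048094) fired on port 49711, which carried about 1.5 KB outbound, while the bulk uploads (12842 bytes on 49708, 15029 on 49709, 15331 plus 4853 on 49710, and ten 15331-byte writes on 49714) triggered nothing beyond the severity-3 JA3 alert. As an added example that is not part of the report, the following groups Suricata EVE-JSON alerts by flow and scores each flow together with its outbound byte count, so that a large upload on a JA3-only flow is escalated as well. The EVE lines and the byte totals are constructed to mirror the tables above; the 10 KB threshold is an assumption.

```python
"""Correlate Suricata EVE alerts with per-flow upload volume (added example, not part of the report)."""
import json
from collections import defaultdict

LARGE_UPLOAD = 10_000   # bytes; threshold is an assumption for this example


def eve_alert(ts, sport, sid, sig, sev, src="192.168.2.8", dst="172.67.165.166", dport=443):
    """One EVE-JSON alert line, constructed to mirror the Suricata table above."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "src_port": sport,
                       "dest_ip": dst, "dest_port": dport, "proto": "TCP",
                       "alert": {"signature_id": sid, "signature": sig, "severity": sev}})


JA3 = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"
EVE_LINES = [
    eve_alert("2024-11-30T22:30:25.324602+0100", 49706, 2028371, JA3, 3),
    eve_alert("2024-11-30T22:30:27.042968+0100", 49706, 2049836, "ET MALWARE Lumma Stealer Related Activity", 1),
    eve_alert("2024-11-30T22:30:27.042968+0100", 49706, 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1),
    eve_alert("2024-11-30T22:30:31.200859+0100", 49708, 2028371, JA3, 3),
    eve_alert("2024-11-30T22:30:40.015292+0100", 49711, 2028371, JA3, 3),
    eve_alert("2024-11-30T22:30:40.876959+0100", 49711, 2048094, "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration", 1),
    eve_alert("2024-11-30T22:30:43.202591+0100", 49714, 2028371, JA3, 3),
    # A non-alert event (constructed DNS record) that the grouping must ignore.
    json.dumps({"timestamp": "2024-11-30T22:30:23.811773+0100", "event_type": "dns",
                "src_ip": "192.168.2.8", "src_port": 65045, "dest_ip": "1.1.1.1", "dest_port": 53}),
]

# Outbound bytes per client port, summed from the OUT rows of the HTTPS session tables above.
BYTES_OUT = {49706: 273, 49708: 13125, 49711: 1506, 49714: 153596}


def group_alerts(eve_lines):
    """Map (src_ip, src_port, dest_ip, dest_port) to its alerts in time order."""
    flows = defaultdict(list)
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        key = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        a = ev["alert"]
        flows[key].append((ev["timestamp"], a["signature_id"], a["severity"], a["signature"]))
    for alerts in flows.values():
        alerts.sort()
    return flows


def classify(alerts, bytes_out: int) -> str:
    """Verdict for one flow from its alerts plus how much the client sent."""
    malware = [a for a in alerts if a[2] == 1]
    ja3 = [a for a in alerts if "JA3" in a[3]]
    big = bytes_out >= LARGE_UPLOAD
    if malware and big:
        return "escalate: malware signature + large upload"
    if malware:
        return "escalate: malware signature"
    if ja3 and big:
        return "escalate: suspicious JA3 + large upload"
    if ja3:
        return "review: suspicious JA3 only"
    return "info"


def triage_flows(eve_lines, bytes_out: dict) -> dict:
    """Verdict per client source port (one host, as in the sandbox run)."""
    verdicts = {}
    for (_, sport, _, _), alerts in group_alerts(eve_lines).items():
        verdicts[sport] = classify(alerts, bytes_out.get(sport, 0))
    return verdicts


if __name__ == "__main__":
    for sport, verdict in sorted(triage_flows(EVE_LINES, BYTES_OUT).items()):
        print(sport, BYTES_OUT.get(sport, 0), "bytes out ->", verdict)
```

With real data, `bytes_out` comes from the flow records (EVE `flow` events or NetFlow), keyed by the same 4-tuple; the point of the join is that volume is visible to the sensor even when the TLS payload is not.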
Target ID: | 0 |
Start time: | 16:30:22 |
Start date: | 30/11/2024 |
Path: | C:\Users\user\Desktop\fkydjyhjadg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd0000 (runtime base; the file's preferred base is 0x400000, so the image was relocated, consistent with DYNAMIC_BASE being set and the base relocation directory at 0x2d7000) |
File size: | 1'278'464 bytes |
MD5 hash: | B2C8BF8A5797D9EE73C205E27CFDBBFB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Function | Relevance | Instructions | Similarity | Source |
---|---|---|---|---|
009B3EB6 | .2 | 189 | COMMON | Memory dump (Joe Sandbox IDA Plugin) |
009B4059 | .1 | 76 | COMMON | Memory dump (Joe Sandbox IDA Plugin) |
009B406B | .1 | 72 | COMMON | Memory dump (Joe Sandbox IDA Plugin) |