Edit tour
Windows
Analysis Report
SC3sPWT51E.exe
Overview
General Information
| Sample name: | SC3sPWT51E.exerenamed because original name is a hash value |
| Original sample name: | 7cb559130bbd743d4cdb0891749c5643.exe |
| Analysis ID: | 1572177 |
| MD5: | 7cb559130bbd743d4cdb0891749c5643 |
| SHA1: | 7e8cb60118a778a23fe6215c790ace9f730e87fb |
| SHA256: | 08c071698f610c4b2ad9a8c18ffac37b4db9728cff608eb92e7c0728ee5a2482 |
| Tags: | exeuser-abuse_ch |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
SC3sPWT51E.exe (PID: 5740 cmdline: "C:\Users\ user\Deskt op\SC3sPWT 51E.exe" MD5: 7CB559130BBD743D4CDB0891749C5643) 
conhost.exe (PID: 3260 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
{"C2 url": ["formy-spill.biz", "dare-curbys.biz", "print-vexer.biz", "se-blurry.biz", "covery-mover.biz", "dwell-exclaim.biz", "zinc-sneark.biz", "impend-differ.biz"], "Build id": "H8NgCl--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:50.565536+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:52.676605+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:55.314765+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49726 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:57.830374+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49733 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:00.400807+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49739 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:03.854690+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:06.641874+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:10.137703+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:12.494692+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49778 | 172.67.161.29 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:51.395004+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:53.700164+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:10.941515+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:51.395004+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:53.700164+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:50.565536+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:52.676605+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:55.314765+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49726 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:57.830374+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49733 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:00.400807+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49739 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:03.854690+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:06.641874+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:10.137703+0100 | 2057984 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:48.893770+0100 | 2057969 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 62137 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:49.128176+0100 | 2057983 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54284 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:48:04.584027+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:48:06.649588+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | File created: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FEF7BA | |
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00FD99FA | |
| Source: | Code function: | 0_3_00F85750 | |
| Source: | Code function: | 0_3_00F6DE00 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FEA701 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00FE8D40 | |
| Source: | Code function: | 0_3_00F6C365 | |
| Source: | Code function: | 0_3_00F6CB65 | |
| Source: | Code function: | 0_3_00F6CF65 | |
| Source: | Code function: | 0_3_00F6C361 | |
| Source: | Code function: | 0_3_00F6CB61 | |
| Source: | Code function: | 0_3_00F6CF61 | |
| Source: | Code function: | 0_3_00F6C36D | |
| Source: | Code function: | 0_3_00F6CB6D | |
| Source: | Code function: | 0_3_00F6CF6D | |
| Source: | Code function: | 0_3_00F6C355 | |
| Source: | Code function: | 0_3_00F6CB55 | |
| Source: | Code function: | 0_3_00F6CF55 | |
| Source: | Code function: | 0_3_00F6C351 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 31 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 115 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 61% | ReversingLabs | Win32.Spyware.Lummastealer | ||
| 50% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | URL Reputation | malware |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| gamertool.eu | 172.67.161.29 | true | false | unknown | |
| se-blurry.biz | 172.67.162.65 | true | false | high | |
| impend-differ.biz | unknown | unknown | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false |
| unknown | |
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.162.65 | se-blurry.biz | United States | 13335 | CLOUDFLARENETUS | false | |
| 172.67.161.29 | gamertool.eu | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1572177 |
| Start date and time: | 2024-12-10 07:46:49 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 52s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SC3sPWT51E.exerenamed because original name is a hash value |
| Original Sample Name: | 7cb559130bbd743d4cdb0891749c5643.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/3@3/2 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target SC3sPWT51E.exe, PID 5740 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.162.65 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| gamertool.eu | Get hash | malicious | Amadey, LummaC Stealer | Browse |
| |
| se-blurry.biz | Get hash | malicious | Amadey, LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Zhark RAT | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | MalLnk | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Zhark RAT | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | MalLnk | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\SC3sPWT51E.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 548 |
| Entropy (8bit): | 4.688532577858027 |
| Encrypted: | false |
| SSDEEP: | 12:TjeRHVIdtklI5r8INGlTF5TF5TF5TF5TF5TFK:neRH68DTPTPTPTPTPTc |
| MD5: | 370E16C3B7DBA286CFF055F93B9A94D8 |
| SHA1: | 65F3537C3C798F7DA146C55AEF536F7B5D0CB943 |
| SHA-256: | D465172175D35D493FB1633E237700022BD849FA123164790B168B8318ACB090 |
| SHA-512: | 75CD6A0AC7D6081D35140ABBEA018D1A2608DD936E2E21F61BF69E063F6FA16DD31C62392F5703D7A7C828EE3D4ECC838E73BFF029A98CED8986ACB5C8364966 |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\SC3sPWT51E.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.465929377504803 |
| Encrypted: | false |
| SSDEEP: | 6144:3zZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:jZHtBZWOKnMM6bFpZj4 |
| MD5: | 48AEC83898DC0B781C4B82AB56A9DA67 |
| SHA1: | 24FBE58C3EEC4E4F7CD8A01DB0F2B8D2DC2676DF |
| SHA-256: | B53772D822C42510D71C0ADC874FBFBF73E42505B6EC02F8498A04CC0B1A2AB8 |
| SHA-512: | DD9DFD9693D985FE973FBAEC3379BC73C6B2EF5B5E41F4F440AF9FF456524F2F5567934AE112112376C355DDC15661064035D0C53A8EA0D179324B14CB231EE0 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\SC3sPWT51E.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 643 |
| Entropy (8bit): | 5.791324649098374 |
| Encrypted: | false |
| SSDEEP: | 12:NyjZ7S1/srSLxMd3Vso2eXfc+rHJK9CJmTyaHT0/Y+adNdnBuzMqYfn:NyF7s/sWKdlsxeZk4IT/0/Zwpf |
| MD5: | 7B7CDE31791403E2D2BD6C2B125F677D |
| SHA1: | 5F8F28E2BDFACCB51AE803697BE5670C625B0CFA |
| SHA-256: | 7DCF2EB90BC52E2C2BEDFA99EA52A1B0AB27DC9E5EAF7A7B60FA087CEB738627 |
| SHA-512: | 152AC37D13F62FAFCAE99F87930DFC84AB951B20DEB3D8FC12E145A0FDECCF373FBAF393F9E2AC7371763C857399BADC16C53C51A95C042D8C12DDE90BDB65E9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.405346920581365 |
| TrID: |
|
| File name: | SC3sPWT51E.exe |
| File size: | 1'461'248 bytes |
| MD5: | 7cb559130bbd743d4cdb0891749c5643 |
| SHA1: | 7e8cb60118a778a23fe6215c790ace9f730e87fb |
| SHA256: | 08c071698f610c4b2ad9a8c18ffac37b4db9728cff608eb92e7c0728ee5a2482 |
| SHA512: | 75d1c0c1f7a5b141847f6bdab88dad4ba2d71e6b857ae92f3b60053c98bc6c1672261baa2871d8fa4f2823af942278017adfc2e08a6a6670eadc73fc57f7d6bc |
| SSDEEP: | 24576:7CZ0v6c8cawPzUopzenuwMloUm8CG1Xw+Eahn3R5+8pzb2hyS333XuuW8888DGAn:7x6c8caYzUopzenuwMloUm8CG1Xw+EaK |
| TLSH: | 3265BF27610294F5CD3366F10AC7BBABE624CE1D54231A1FF7888D64EBF6910743E266 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........"..<N.........(.@...F...............P....@.................................JL....@... ............................ |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x401307 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x407025, 0x406ff4, 0x410d20 |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d21a73dbff86d9b062174060882302c5 |
| Instruction |
|---|
| xor eax, eax |
| mov dword ptr [00493054h], eax |
| jmp 00007F0E40F6D5EFh |
| push ebp |
| mov ebp, esp |
| sub esp, 18h |
| mov eax, dword ptr [ebp+08h] |
| mov dword ptr [esp], eax |
| call 00007F0E40F7AD61h |
| leave |
| cmp eax, 01h |
| sbb eax, eax |
| ret |
| nop |
| push ebp |
| mov ebp, esp |
| sub esp, 18h |
| mov dword ptr [esp], 00401340h |
| call 00007F0E40F6D7BAh |
| leave |
| ret |
| ret |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| sub esp, 10h |
| mov eax, dword ptr [ebp+08h] |
| mov dword ptr [ebp-08h], eax |
| mov eax, dword ptr [ebp+0Ch] |
| mov dword ptr [ebp-0Ch], eax |
| mov dword ptr [ebp-04h], 00000000h |
| jmp 00007F0E40F6D7FBh |
| mov edx, dword ptr [ebp-0Ch] |
| mov eax, dword ptr [ebp-04h] |
| add eax, edx |
| mov ecx, dword ptr [ebp-08h] |
| mov edx, dword ptr [ebp-04h] |
| add edx, ecx |
| movzx eax, byte ptr [eax] |
| mov byte ptr [edx], al |
| add dword ptr [ebp-04h], 01h |
| mov eax, dword ptr [ebp-04h] |
| cmp eax, dword ptr [ebp+10h] |
| jc 00007F0E40F6D7C1h |
| nop |
| nop |
| leave |
| ret |
| push ebp |
| mov ebp, esp |
| push edi |
| push esi |
| push ebx |
| sub esp, 000001BCh |
| mov dword ptr [ebp-00000194h], 00481950h |
| mov dword ptr [ebp-00000190h], 004831C0h |
| lea eax, dword ptr [ebp-0000018Ch] |
| mov dword ptr [eax], ebp |
| mov edx, 004016E7h |
| mov dword ptr [eax+04h], edx |
| mov dword ptr [eax+08h], esp |
| lea eax, dword ptr [ebp-000001ACh] |
| mov dword ptr [esp], eax |
| call 00007F0E40F7431Bh |
| lea eax, dword ptr [ebp-5Ch] |
| mov dword ptr [esp+04h], 00000017h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x94000 | 0x1030 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0xc29ac | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15b000 | 0x5074 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x8ac2c | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x942b8 | 0x268 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x83ea0 | 0x84000 | 4b44dcc3991d16086efcccc74740892a | False | 0.3881040630918561 | data | 6.317371568675739 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x85000 | 0x1cac | 0x1e00 | 74d35296f54036d8de1b9148561802ce | False | 0.04309895833333333 | data | 0.4789262222503328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x87000 | 0xb2cc | 0xb400 | f44c8b55c8b078210a51d902dfed3e2d | False | 0.29375 | data | 5.535179274349137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .bss | 0x93000 | 0xad4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x94000 | 0x1030 | 0x1200 | 404aef98d5daabc585394efcb65efb27 | False | 0.2973090277777778 | data | 4.447610458183875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x96000 | 0x34 | 0x200 | a754b25f1b15c99877cb8acfab297384 | False | 0.0703125 | data | 0.28578180731160896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x97000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x98000 | 0xc29ac | 0xc2a00 | 562362962f014390700473eebdbbbdd5 | False | 0.4992824743095697 | data | 7.580396567801481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x15b000 | 0x5074 | 0x5200 | ea0744716d5764d78acf4c85a7040ce0 | False | 0.6482469512195121 | data | 6.624920349670597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /4 | 0x161000 | 0xd8 | 0x200 | 67ee53d973d97dc1f6902837e42133a2 | False | 0.189453125 | Matlab v4 mat-file (little endian) *, rows 2, columns 262144 | 1.0556800958108754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /19 | 0x162000 | 0x5c86 | 0x5e00 | 6a6d66b4c0e444730f975c5a13708562 | False | 0.31004820478723405 | data | 5.858584109710874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /31 | 0x168000 | 0xcbf | 0xe00 | b52812b940d9f8e70136090a410e1414 | False | 0.30859375 | data | 4.674279678764711 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /45 | 0x169000 | 0x10c6 | 0x1200 | 077ab79e0badb45ac8060cb622906610 | False | 0.4924045138888889 | data | 4.745583972687986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /57 | 0x16b000 | 0x534 | 0x600 | 05735a6a972caab9be3a076d7128ee14 | False | 0.3346354166666667 | data | 4.066639463094351 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /70 | 0x16c000 | 0xae | 0x200 | ecfb83f2010f3cc6cf356b8e23e5fc36 | False | 0.291015625 | data | 2.433417869353787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /81 | 0x16d000 | 0x4aa | 0x600 | 888577e9d93becae255b9c51c683988d | False | 0.146484375 | data | 4.004889258778971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /97 | 0x16e000 | 0x1099 | 0x1200 | 528d279b0b149c6fa25eda6391cf563c | False | 0.4680989583333333 | data | 4.82827699828333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /113 | 0x170000 | 0xf4 | 0x200 | 10f57fd77bc648dca311096855b1966b | False | 0.359375 | data | 2.444261744030452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| $6Q<1UE`,_6MB1]O | 0x99130 | 0xdce | data | 0.8862478777589134 | ||
| $6Q<1UE`,_6MB1]O | 0x99f00 | 0xdce | data | 0.8862478777589134 | ||
| $6Q<1UE`,_6MB1]O | 0x9acd0 | 0xdce | data | 0.8862478777589134 | ||
| $I]5_}D=S<P | 0x9baa0 | 0x4d9c | OpenPGP Public Key | 0.8786994161465673 | ||
| $I]5_}D=S<P | 0xa083c | 0x4d9c | OpenPGP Public Key | 0.8786994161465673 | ||
| $I]5_}D=S<P | 0xa55d8 | 0x4d9c | OpenPGP Public Key | 0.8786994161465673 | ||
| $I]5_}D=S<P | 0xaa374 | 0x4d9c | OpenPGP Public Key | 0.8786994161465673 | ||
| &L1S5OL*M6K@Z^AJ0PT | 0xaf110 | 0x2c59 | data | 0.7379547256231833 | ||
| /J[Z5N{6,%DGO | 0xb1d6c | 0x6e14 | data | 0.8778566359119944 | ||
| 18^J8*.C | 0xb8b80 | 0x5408 | data | 0.8787188545927854 | ||
| 18^J8*.C | 0xbdf88 | 0x5408 | data | 0.8787188545927854 | ||
| 18^J8*.C | 0xc3390 | 0x5408 | data | 0.8787188545927854 | ||
| 18^J8*.C | 0xc8798 | 0x5408 | data | 0.8787188545927854 | ||
| 18^J8*.C | 0xcdba0 | 0x5408 | data | 0.8787188545927854 | ||
| 2PV4WYU4_V.L | 0xd2fa8 | 0x18cb | data | 0.8410272569717977 | ||
| 3%$S=CY?] | 0xd4874 | 0xc78 | data | 0.9404761904761905 | ||
| 7LC*AA>% | 0xd54ec | 0x830 | data | 0.8926526717557252 | ||
| 7LC*AA>% | 0xd5d1c | 0x830 | data | 0.8926526717557252 | ||
| 9:D}\~(&"QL]2XGGH | 0xd654c | 0x2627 | data | 0.8567625678304495 | ||
| <CS4@FXQ@XYA | 0xd8b74 | 0x25547 | data | 0.8003701693230348 | ||
| =Z#XIF]>@)~9% | 0xfe0bc | 0x3245 | data | 0.8614499961146942 | ||
| @S.U^W{4 | 0x101304 | 0x163d | data | 0.700158088881082 | ||
| A7@BGA:2] | 0x102944 | 0x16a5 | data | 0.8802829049508366 | ||
| BOBA | 0x103fec | 0x15b | ASCII text | 0.8933717579250721 | ||
| B]~XPQLA#-IF | 0x104148 | 0x2589 | data | 0.8446248308877095 | ||
| CSRJ1"J~L|\XOFAH | 0x1066d4 | 0x3277 | data | 0.8488273086152179 | ||
| D>L{ | 0x10994c | 0x19e7 | data | 0.8849343990348364 | ||
| E+& LYC"A]% | 0x10b334 | 0x6ba | data | 0.8989547038327527 | ||
| E+& LYC"A]% | 0x10b9f0 | 0x6ba | data | 0.8989547038327527 | ||
| E+& LYC"A]% | 0x10c0ac | 0x6ba | data | 0.8989547038327527 | ||
| FPRVP+G.MC$_! | 0x10c768 | 0x8f1 | data | 0.9217999126256007 | ||
| KEY FOR MY HOMY | 0x10d05c | 0x18 | ASCII text, with no line terminators | 1.25 | ||
| LILBTC>#~L? | 0x10d074 | 0x3d | ISO-8859 text, with CR, NEL line terminators | 1.0327868852459017 | ||
| M`]RS#R60<PJ_U1/N$>Y | 0x10d0b4 | 0x339c | data | 0.8512715712988193 | ||
| O$_UNEBQAT | 0x110450 | 0x3f31 | data | 0.8479322494900167 | ||
| Q=\TCA5@9 | 0x114384 | 0xc4e | data | 0.8866666666666667 | ||
| Q=\TCA5@9 | 0x114fd4 | 0xc4e | data | 0.8866666666666667 | ||
| Q=\TCA5@9 | 0x115c24 | 0xc4e | data | 0.8866666666666667 | ||
| R+:EVFXPAOG?TEW | 0x116874 | 0x23a4 | data | 0.8334064007014468 | ||
| RAGB9M|UDW-- | 0x118c18 | 0xbd4 | data | 0.8880449141347424 | ||
| RAGB9M|UDW-- | 0x1197ec | 0xbd4 | data | 0.8880449141347424 | ||
| RVQVXIJ | 0x11a3c0 | 0x757c | data | 0.8774770581194308 | ||
| RVQVXIJ | 0x12193c | 0x757c | data | 0.8774770581194308 | ||
| RVQVXIJ | 0x128eb8 | 0x757c | data | 0.8774770581194308 | ||
| U"%ZKE,.VJW | 0x130434 | 0x74 | data | 1.0948275862068966 | ||
| VB6}2*J_T$5XO6K!K | 0x1304a8 | 0x2a82 | data | 0.87897445322551 | ||
| _6KE1W'T9- | 0x132f2c | 0x33d5 | data | 0.8333710151480895 | ||
| {[7U#RSYEV6GCFVOW | 0x136304 | 0x6abc | data | 0.8776167471819646 | ||
| {[7U#RSYEV6GCFVOW | 0x13cdc0 | 0x6abc | data | 0.8776167471819646 | ||
| {[7U#RSYEV6GCFVOW | 0x14387c | 0x6abc | data | 0.8776167471819646 | ||
| H{M%G0WPI: | 0x14a338 | 0x26ff | OpenPGP Secret Key | 0.8790944605829911 | ||
| H{M%G0WPI: | 0x14ca38 | 0x26ff | OpenPGP Secret Key | 0.8790944605829911 | ||
| H{M%G0WPI: | 0x14f138 | 0x26ff | OpenPGP Secret Key | 0.8790944605829911 | ||
| :PX%^?>\ | 0x151838 | 0x3079 | data | 0.8783141268434201 | ||
| :PX%^?>\ | 0x1548b4 | 0x3079 | data | 0.8783141268434201 | ||
| :PX%^?>\ | 0x157930 | 0x3079 | data | 0.8783141268434201 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CreateEventA, CreateFileMappingA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FindResourceA, FormatMessageA, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, HeapAlloc, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LoadResource, LocalFree, LockResource, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseSemaphore, ResetEvent, ResumeThread, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SizeofResource, Sleep, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte |
| msvcrt.dll | __getmainargs, __initenv, __mb_cur_max, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _endthreadex, _errno, _filelengthi64, _fileno, _fstati64, _get_osfhandle, _initterm, _iob, _lock, _lseeki64, _onexit, _setjmp3, _unlock, _vsnprintf, _vsnwprintf, _wfopen, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fgetwc, fopen, fprintf, fputc, fputs, fread, free, fsetpos, fwrite, getc, getenv, getwc, iswctype, localeconv, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, putc, putwc, realloc, setlocale, setvbuf, signal, strchr, strcmp, strcoll, strcpy, strerror, strftime, strlen, strncmp, strtol, strtoul, strxfrm, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcsxfrm, _write, _strdup, _read, _fileno, _fdopen |
| USER32.dll | ShowWindow |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T07:47:48.893770+0100 | 2057935 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) | 1 | 192.168.2.6 | 62137 | 1.1.1.1 | 53 | UDP |
| 2024-12-10T07:47:48.893770+0100 | 2057969 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) | 1 | 192.168.2.6 | 62137 | 1.1.1.1 | 53 | UDP |
| 2024-12-10T07:47:49.128176+0100 | 2057945 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.6 | 54284 | 1.1.1.1 | 53 | UDP |
| 2024-12-10T07:47:49.128176+0100 | 2057983 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.6 | 54284 | 1.1.1.1 | 53 | UDP |
| 2024-12-10T07:47:50.565536+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:50.565536+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:50.565536+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:51.395004+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:51.395004+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:52.676605+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:52.676605+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:52.676605+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:53.700164+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:53.700164+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:55.314765+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49726 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:55.314765+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49726 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:55.314765+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49726 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:57.830374+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49733 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:57.830374+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49733 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:47:57.830374+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49733 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:00.400807+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49739 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:00.400807+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49739 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:00.400807+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49739 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:03.854690+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:03.854690+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:03.854690+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:04.584027+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:06.641874+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:06.641874+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:06.641874+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:06.649588+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:10.137703+0100 | 2057946 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:10.137703+0100 | 2057984 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) | 1 | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:10.137703+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:10.941515+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | TCP |
| 2024-12-10T07:48:12.494692+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49778 | 172.67.161.29 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 10, 2024 07:47:49.271977901 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:49.272034883 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:49.272113085 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:49.345263004 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:49.345289946 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:50.565459013 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:50.565536022 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:50.598651886 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:50.598674059 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:50.598968029 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:50.641549110 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:50.678941965 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:50.678970098 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:50.679050922 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:51.395050049 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:51.395152092 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:51.395267010 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:51.397351980 CET | 49714 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:51.397372961 CET | 443 | 49714 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:51.463423967 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:51.463490009 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:51.463608980 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:51.464020967 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:51.464040995 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:52.676476002 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:52.676604986 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:52.678136110 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:52.678155899 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:52.678406954 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:52.679828882 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:52.679828882 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:52.679933071 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.700155020 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.700232029 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.700259924 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.700297117 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.700306892 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.700329065 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.700342894 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.708646059 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.708679914 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.708725929 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.708739042 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.708836079 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.716931105 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.766421080 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.766441107 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.813324928 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.819557905 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.860157013 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.860173941 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.895756960 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.895811081 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.895817041 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.895831108 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.895891905 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.895910978 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.895936966 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.895986080 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.896203995 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.896219969 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:53.896254063 CET | 49715 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:53.896259069 CET | 443 | 49715 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:54.101980925 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:54.102042913 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:54.102134943 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:54.102446079 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:54.102463007 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:55.314668894 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:55.314764977 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:55.316148996 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:55.316159964 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:55.316384077 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:55.317728996 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:55.317893982 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:55.317914009 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:56.544903994 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:56.545008898 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:56.545068026 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:56.545226097 CET | 49726 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:56.545243979 CET | 443 | 49726 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:56.619395018 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:56.619443893 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:56.619535923 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:56.619925976 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:56.619937897 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:57.830244064 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:57.830374002 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:57.831701994 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:57.831712008 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:57.831939936 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:57.833158970 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:57.833291054 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:57.833323956 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:57.833376884 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:57.875345945 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:58.977499962 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:58.977591991 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:58.977644920 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:58.977854013 CET | 49733 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:58.977875948 CET | 443 | 49733 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:59.186853886 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:59.186913967 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:47:59.187021971 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:59.187349081 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:47:59.187362909 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:00.400691032 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:00.400806904 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:00.402116060 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:00.402127028 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:00.402367115 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:00.403748035 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:00.403896093 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:00.403930902 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:00.403989077 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:00.404001951 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:01.617275953 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:01.617397070 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:01.617475033 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:01.618027925 CET | 49739 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:01.618046045 CET | 443 | 49739 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:02.640809059 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:02.640858889 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:02.640939951 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:02.641233921 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:02.641247034 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:03.854551077 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:03.854690075 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:03.856120110 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:03.856129885 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:03.856374979 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:03.857585907 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:03.857687950 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:03.857693911 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:04.584014893 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:04.584120989 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:04.584260941 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:04.626188993 CET | 49750 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:04.626219034 CET | 443 | 49750 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:05.423423052 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:05.423461914 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:05.423557043 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:05.423899889 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:05.423913956 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.641798019 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.641874075 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.643229008 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.643239975 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.643507957 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.648127079 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.649123907 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.649168968 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.649297953 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.649328947 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.649446011 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.649482965 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.649637938 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.649665117 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.649890900 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.649920940 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.650137901 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.650166988 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.650176048 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.650516987 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.650552988 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.695332050 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.695581913 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.695633888 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.695647001 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.743334055 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.743983984 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.744040966 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.744069099 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.787333012 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.787702084 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:06.835340977 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:06.888961077 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:08.882644892 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:08.882760048 CET | 443 | 49757 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:08.882963896 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:08.882982016 CET | 49757 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:08.911298990 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:08.911358118 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:08.911427975 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:08.911762953 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:08.911777973 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.137638092 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.137702942 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:10.139462948 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:10.139476061 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.139729023 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.151058912 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:10.151083946 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:10.151153088 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.941500902 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.941589117 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.941754103 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:10.941883087 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:10.941900969 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.941931009 CET | 49771 | 443 | 192.168.2.6 | 172.67.162.65 |
| Dec 10, 2024 07:48:10.941937923 CET | 443 | 49771 | 172.67.162.65 | 192.168.2.6 |
| Dec 10, 2024 07:48:11.271976948 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:11.272011995 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:11.272435904 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:11.272435904 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:11.272479057 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:12.494545937 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:12.494692087 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:12.503813028 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:12.503875971 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:12.504158020 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:12.522811890 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:12.563342094 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:13.211992025 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:13.212120056 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:13.212249994 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:13.212502003 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:13.212512016 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Dec 10, 2024 07:48:13.212544918 CET | 49778 | 443 | 192.168.2.6 | 172.67.161.29 |
| Dec 10, 2024 07:48:13.212549925 CET | 443 | 49778 | 172.67.161.29 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 10, 2024 07:47:48.893769979 CET | 62137 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 10, 2024 07:47:49.115911961 CET | 53 | 62137 | 1.1.1.1 | 192.168.2.6 |
| Dec 10, 2024 07:47:49.128175974 CET | 54284 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 10, 2024 07:47:49.267240047 CET | 53 | 54284 | 1.1.1.1 | 192.168.2.6 |
| Dec 10, 2024 07:48:10.944785118 CET | 65345 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 10, 2024 07:48:11.271029949 CET | 53 | 65345 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 10, 2024 07:47:48.893769979 CET | 192.168.2.6 | 1.1.1.1 | 0x10ab | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 10, 2024 07:47:49.128175974 CET | 192.168.2.6 | 1.1.1.1 | 0xa40a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 10, 2024 07:48:10.944785118 CET | 192.168.2.6 | 1.1.1.1 | 0xaaa8 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 10, 2024 07:47:49.115911961 CET | 1.1.1.1 | 192.168.2.6 | 0x10ab | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 10, 2024 07:47:49.267240047 CET | 1.1.1.1 | 192.168.2.6 | 0xa40a | No error (0) | 172.67.162.65 | A (IP address) | IN (0x0001) | false | ||
| Dec 10, 2024 07:47:49.267240047 CET | 1.1.1.1 | 192.168.2.6 | 0xa40a | No error (0) | 104.21.81.153 | A (IP address) | IN (0x0001) | false | ||
| Dec 10, 2024 07:48:11.271029949 CET | 1.1.1.1 | 192.168.2.6 | 0xaaa8 | No error (0) | 172.67.161.29 | A (IP address) | IN (0x0001) | false | ||
| Dec 10, 2024 07:48:11.271029949 CET | 1.1.1.1 | 192.168.2.6 | 0xaaa8 | No error (0) | 104.21.9.168 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49714 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:47:50 UTC | 260 | OUT | |
| 2024-12-10 06:47:50 UTC | 8 | OUT | |
| 2024-12-10 06:47:51 UTC | 1003 | IN | |
| 2024-12-10 06:47:51 UTC | 7 | IN | |
| 2024-12-10 06:47:51 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49715 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:47:52 UTC | 261 | OUT | |
| 2024-12-10 06:47:52 UTC | 42 | OUT | |
| 2024-12-10 06:47:53 UTC | 1007 | IN | |
| 2024-12-10 06:47:53 UTC | 362 | IN | |
| 2024-12-10 06:47:53 UTC | 892 | IN | |
| 2024-12-10 06:47:53 UTC | 1369 | IN | |
| 2024-12-10 06:47:53 UTC | 1369 | IN | |
| 2024-12-10 06:47:53 UTC | 1369 | IN | |
| 2024-12-10 06:47:53 UTC | 1369 | IN | |
| 2024-12-10 06:47:53 UTC | 1369 | IN | |
| 2024-12-10 06:47:53 UTC | 1369 | IN | |
| 2024-12-10 06:47:53 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49726 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:47:55 UTC | 272 | OUT | |
| 2024-12-10 06:47:55 UTC | 12812 | OUT | |
| 2024-12-10 06:47:56 UTC | 1009 | IN | |
| 2024-12-10 06:47:56 UTC | 20 | IN | |
| 2024-12-10 06:47:56 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49733 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:47:57 UTC | 277 | OUT | |
| 2024-12-10 06:47:57 UTC | 15088 | OUT | |
| 2024-12-10 06:47:58 UTC | 1010 | IN | |
| 2024-12-10 06:47:58 UTC | 20 | IN | |
| 2024-12-10 06:47:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49739 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:48:00 UTC | 271 | OUT | |
| 2024-12-10 06:48:00 UTC | 15331 | OUT | |
| 2024-12-10 06:48:00 UTC | 4579 | OUT | |
| 2024-12-10 06:48:01 UTC | 1008 | IN | |
| 2024-12-10 06:48:01 UTC | 20 | IN | |
| 2024-12-10 06:48:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.6 | 49750 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:48:03 UTC | 279 | OUT | |
| 2024-12-10 06:48:03 UTC | 1234 | OUT | |
| 2024-12-10 06:48:04 UTC | 1018 | IN | |
| 2024-12-10 06:48:04 UTC | 20 | IN | |
| 2024-12-10 06:48:04 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.6 | 49757 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:48:06 UTC | 281 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:06 UTC | 15331 | OUT | |
| 2024-12-10 06:48:08 UTC | 1015 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.6 | 49771 | 172.67.162.65 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:48:10 UTC | 261 | OUT | |
| 2024-12-10 06:48:10 UTC | 77 | OUT | |
| 2024-12-10 06:48:10 UTC | 1007 | IN | |
| 2024-12-10 06:48:10 UTC | 122 | IN | |
| 2024-12-10 06:48:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.6 | 49778 | 172.67.161.29 | 443 | 5740 | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-10 06:48:12 UTC | 195 | OUT | |
| 2024-12-10 06:48:13 UTC | 832 | IN | |
| 2024-12-10 06:48:13 UTC | 537 | IN | |
| 2024-12-10 06:48:13 UTC | 18 | IN | |
| 2024-12-10 06:48:13 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 01:47:47 |
| Start date: | 10/12/2024 |
| Path: | C:\Users\user\Desktop\SC3sPWT51E.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x6a0000 |
| File size: | 1'461'248 bytes |
| MD5 hash: | 7CB559130BBD743D4CDB0891749C5643 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 01:47:47 |
| Start date: | 10/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Function 00FD99FA Relevance: 13.8, Strings: 10, Instructions: 1301COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD99FA Relevance: 13.8, Strings: 10, Instructions: 1301COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEF7BA Relevance: 1.6, Strings: 1, Instructions: 388COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEF7BA Relevance: 1.6, Strings: 1, Instructions: 388COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F85750 Relevance: .3, Instructions: 295COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|