Windows
Analysis Report
payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe (PID: 7520 cmdline:
"C:\Users\ user\Deskt op\payload -c17f7df6- cf80-43d5- 8c60-eca90 366debb.ex e" MD5: 81E3A6ECDCF4409CCFA9A5C4367F6021)
- cleanup
{
"Type": "Metasploit Connect",
"IP": "178.238.231.204",
"Port": 4444
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_96233b6b | Identifies another 64 bit API hashing function used by Metasploit. | unknown |
| |
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_96233b6b | Identifies another 64 bit API hashing function used by Metasploit. | unknown |
| |
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_96233b6b | Identifies another 64 bit API hashing function used by Metasploit. | unknown |
| |
Click to see the 4 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_96233b6b | Identifies another 64 bit API hashing function used by Metasploit. | unknown |
| |
Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Click to see the 3 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
- • AV Detection
- • Compliance
- • Software Vulnerabilities
- • Networking
- • System Summary
- • Data Obfuscation
- • Malware Analysis System Evasion
- • Anti Debugging
- • Remote Access Functionality
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_0040A430 | |
Source: | Code function: | 0_2_004048F5 |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_00480095 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00402846 | |
Source: | Code function: | 0_2_00401253 | |
Source: | Code function: | 0_2_00405E54 | |
Source: | Code function: | 0_2_00405E54 | |
Source: | Code function: | 0_2_004026FE | |
Source: | Code function: | 0_2_00403161 | |
Source: | Code function: | 0_2_004026FE | |
Source: | Code function: | 0_2_00403916 |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
87% | ReversingLabs | Win32.Backdoor.Swrort | ||
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
178.238.231.204 | unknown | Germany | 51167 | CONTABODE | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1574583 |
Start date and time: | 2024-12-13 12:38:24 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe |
Detection: | MAL |
Classification: | mal100.troj.winEXE@1/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, SIHClient.exe, con host.exe - Excluded IPs from analysis (wh
itelisted): 13.107.246.63, 20. 12.23.50 - Excluded domains from analysis
(whitelisted): slscr.update.m icrosoft.com, otelrules.azuree dge.net, otelrules.afd.azureed ge.net, azureedge-t-prod.traff icmanager.net, fe3cr.delivery. mp.microsoft.com - Not all processes where analyz
ed, report is missing behavior information - VT rate limit hit for: payloa
d-c17f7df6-cf80-43d5-8c60-eca9 0366debb.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
s-part-0035.t-0009.t-msedge.net | Get hash | malicious | Njrat | Browse |
| |
Get hash | malicious | CobaltStrike | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | AsyncRAT | Browse |
| ||
Get hash | malicious | AsyncRAT | Browse |
| ||
Get hash | malicious | Remcos | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CONTABODE | Get hash | malicious | FormBook | Browse |
| |
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Mirai | Browse |
|
File type: | |
Entropy (8bit): | 6.31559411709811 |
TrID: |
|
File name: | payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe |
File size: | 77'898 bytes |
MD5: | 81e3a6ecdcf4409ccfa9a5c4367f6021 |
SHA1: | 69a81988bde874bbc631173a7f1805310e96dfb5 |
SHA256: | 3c7d0dcd37064458fa110cade991501ff6f499d495a8eb43a0847da41d060445 |
SHA512: | 2cdee3b9ece8389e02412846a1b7fd2697da5185f985278fd17a240f35c411392d34786677b9ca6b35e860040771a1090a96fb7c9b8bdfd1a44b3ad59d15a78b |
SSDEEP: | 1536:IjTxquYRiKSnmni/Lo4D2xMb+KR0Nc8Qstq3SwVcll:wTxquyamnWee0Nc8Qs2SqYl |
TLSH: | E573A042D5C45021D262123E27753BB9AA74F5FB3606C29A798CCD96EFD18B0933B3C6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L....B.I........... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40a580 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x49E642E8 [Wed Apr 15 20:26:16 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 481f47bbb2c9c21e108d65f52b04c448 |
Instruction |
---|
xchg eax, ecx |
std |
inc edx |
clc |
inc edx |
nop |
cdq |
clc |
inc ebx |
dec eax |
cdq |
wait |
dec eax |
aas |
xchg eax, ebx |
dec ecx |
inc ebx |
cld |
salc |
wait |
cdq |
clc |
lahf |
cmc |
dec eax |
xchg eax, ecx |
inc ecx |
inc ecx |
inc ecx |
salc |
std |
inc ebx |
cld |
dec edx |
aaa |
inc eax |
inc edx |
xchg eax, edx |
das |
clc |
cld |
dec ecx |
xchg eax, ecx |
xchg eax, ebx |
dec eax |
aaa |
aaa |
clc |
aaa |
aaa |
salc |
xchg eax, ebx |
cwde |
dec edx |
xchg eax, ebx |
wait |
aaa |
cwde |
cmc |
wait |
dec edx |
dec eax |
nop |
xchg eax, ecx |
cmc |
cmc |
cld |
dec ebx |
dec ebx |
cmc |
das |
cdq |
aaa |
inc edx |
inc ecx |
inc eax |
cdq |
dec edx |
dec ebx |
cwde |
xchg eax, ebx |
clc |
inc ecx |
jmp 00007F0F31677036h |
pop ebp |
add al, byte ptr [ebp+45C257DBh] |
cld |
xchg eax, edx |
add byte ptr [esi-74648300h], bh |
xor byte ptr [eax+edi], cl |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x1558 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa966 | 0xb000 | c73e97fa513ba0462914011cd86a723e | False | 0.8159623579545454 | data | 7.017916789789544 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xfe6 | 0x1000 | 09d61d811b3b9ec811bfb805026bee62 | False | 0.462646484375 | DOS executable (COM, 0x8C-variant) | 5.3180913238666525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x15000 | 0x1558 | 0x2000 | facba160040c5783a25f6936cacda76d | False | 0.2615966796875 | data | 3.7491333459464835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x150a0 | 0x768 | data | English | United States | 0.40189873417721517 |
RT_MANIFEST | 0x15808 | 0xd50 | XML 1.0 document, ASCII text, with CRLF line terminators | 0.3823356807511737 |
DLL | Import |
---|---|
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp |
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree |
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid |
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError |
WS2_32.dll | WSARecv, WSASend |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Download Network PCAP: filtered – full
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 13, 2024 12:39:17.030013084 CET | 49712 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:17.149974108 CET | 4444 | 49712 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:17.150062084 CET | 49712 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:19.357647896 CET | 4444 | 49712 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:19.357713938 CET | 49712 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:19.358184099 CET | 49712 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:19.359327078 CET | 49718 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:19.477984905 CET | 4444 | 49712 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:19.479072094 CET | 4444 | 49718 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:19.479152918 CET | 49718 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:21.686024904 CET | 4444 | 49718 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:21.686142921 CET | 49718 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:21.688791037 CET | 49718 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:21.689677954 CET | 49725 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:21.808974028 CET | 4444 | 49718 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:21.809737921 CET | 4444 | 49725 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:21.809830904 CET | 49725 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:24.014225006 CET | 4444 | 49725 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:24.014338970 CET | 49725 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:24.014844894 CET | 49725 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:24.015691996 CET | 49731 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:24.134761095 CET | 4444 | 49725 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:24.135560036 CET | 4444 | 49731 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:24.135675907 CET | 49731 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:26.342417002 CET | 4444 | 49731 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:26.342488050 CET | 49731 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:26.343811035 CET | 49731 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:26.344715118 CET | 49741 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:26.560434103 CET | 4444 | 49731 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:26.560456038 CET | 4444 | 49741 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:26.560575008 CET | 49741 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:28.765059948 CET | 4444 | 49741 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:28.765156984 CET | 49741 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:28.765602112 CET | 49741 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:28.766469002 CET | 49747 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:28.885276079 CET | 4444 | 49741 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:28.886267900 CET | 4444 | 49747 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:28.886368036 CET | 49747 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:31.093297005 CET | 4444 | 49747 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:31.093441963 CET | 49747 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:31.094021082 CET | 49747 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:31.094836950 CET | 49753 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:31.225908041 CET | 4444 | 49747 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:31.225929976 CET | 4444 | 49753 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:31.226093054 CET | 49753 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:33.438255072 CET | 4444 | 49753 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:33.438325882 CET | 49753 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:33.438914061 CET | 49753 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:33.439984083 CET | 49760 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:33.558667898 CET | 4444 | 49753 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:33.559784889 CET | 4444 | 49760 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:33.559853077 CET | 49760 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:35.765592098 CET | 4444 | 49760 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:35.765674114 CET | 49760 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:35.766057968 CET | 49760 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:35.766889095 CET | 49766 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:35.887728930 CET | 4444 | 49760 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:35.888492107 CET | 4444 | 49766 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:35.888581038 CET | 49766 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:38.093672991 CET | 4444 | 49766 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:38.093756914 CET | 49766 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:38.094186068 CET | 49766 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:38.095144987 CET | 49772 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:38.214096069 CET | 4444 | 49766 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:38.215025902 CET | 4444 | 49772 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:38.215111017 CET | 49772 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:40.422549963 CET | 4444 | 49772 | 178.238.231.204 | 192.168.2.9 |
Dec 13, 2024 12:39:40.422692060 CET | 49772 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:40.423110962 CET | 49772 | 4444 | 192.168.2.9 | 178.238.231.204 |
Dec 13, 2024 12:39:40.542953968 CET | 4444 | 49772 | 178.238.231.204 | 192.168.2.9 |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 13, 2024 12:39:12.179399014 CET | 1.1.1.1 | 192.168.2.9 | 0xdfab | No error (0) | s-part-0035.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Dec 13, 2024 12:39:12.179399014 CET | 1.1.1.1 | 192.168.2.9 | 0xdfab | No error (0) | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 06:39:16 |
Start date: | 13/12/2024 |
Path: | C:\Users\user\Desktop\payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 77'898 bytes |
MD5 hash: | 81E3A6ECDCF4409CCFA9A5C4367F6021 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 1.2% |
Dynamic/Decrypted Code Coverage: | 28.6% |
Signature Coverage: | 22.9% |
Total number of Nodes: | 35 |
Total number of Limit Nodes: | 3 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|