Windows
Analysis Report
bas.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- bas.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\bas.exe" MD5: D5139AE53CB10A64C9245BBF3447ED1C)
- dxdiag.exe (PID: 7516 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
- dxdiag.exe (PID: 7524 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "volcanohushe.click", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "necklacebudi.lat"], "Build id": "pqZnKP--ZnVja2luZ1"}
Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T01:22:09.042301+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:11.200792+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:13.656018+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:16.080339+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:18.557909+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:21.368165+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:23.820880+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:27.362380+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:09.919391+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:11.956641+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:09.919391+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:11.956641+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:22.132533+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP |
AV Detection
Networking
Malware Analysis System Evasion
HIPS / PFW / Operating System Protection Evasion
Stealing of Sensitive Information
Remote Access Functionality
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Detection | Scanner | Label | Link |
---|---|---|---|
26% | ReversingLabs | | |
31% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
volcanohushe.click | 104.21.71.155 | true | true | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.71.155 | volcanohushe.click | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1579571 |
Start date and time: | 2024-12-23 01:21:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | bas.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/0@1/1 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 172.202.163.200
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target bas.exe, PID 7420 because there are no executed functions
- Execution Graph export aborted for target dxdiag.exe, PID 7524 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryDirectoryFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
19:22:09 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Babadeda | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Babadeda | Browse | |
| | Get hash | malicious | Babadeda | Browse | |
| | Get hash | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | RHADAMANTHYS | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
File type: | |
Entropy (8bit): | 7.752878047119261 |
TrID: | |
File name: | bas.exe |
File size: | 13'164'032 bytes |
MD5: | d5139ae53cb10a64c9245bbf3447ed1c |
SHA1: | 727199337e080c162fd86558a697b3bcbce646e1 |
SHA256: | 8ad2dcb075a7da5785530bc805b5391a397e1c659bedcb564774b6940b7fcbed |
SHA512: | e0efdd485460975a43c6b472554df08cc3e3ea60bc7e71b7477909748ad5c0ba566fc70110ff87717f704ecc96688b13bd62b5fd116bc2719fd381ab3908bdc6 |
SSDEEP: | 393216:+v4V9WRLAsEb6hCFcXLVsasjQsIyQ+/jn7:+v4TyA/bApXhOhQ+/7 |
TLSH: | AFD6D1298A7BC9C4F06BA030E89611338B32F51857ADE5F575970642CF9A0269FDF336 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...7.hg.........."..........>......X:.........@.............................`............`........................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x140093a58 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x67680F37 [Sun Dec 22 13:08:07 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 7bb4e8cef6a9f350a8f5dc71e7b3773c |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F7F10B1E430h |
dec eax |
add esp, 28h |
jmp 00007F7F10B1E29Fh |
int3 |
int3 |
dec eax |
mov dword ptr [esp+18h], ebx |
push ebp |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 30h |
dec eax |
mov eax, dword ptr [00BA9440h] |
dec eax |
mov ebx, 2DDFA232h |
cdq |
sub eax, dword ptr [eax] |
add byte ptr [eax+3Bh], cl |
ret |
jne 00007F7F10B1E496h |
dec eax |
and dword ptr [ebp+10h], 00000000h |
dec eax |
lea ecx, dword ptr [ebp+10h] |
call dword ptr [00A5D882h] |
dec eax |
mov eax, dword ptr [ebp+10h] |
dec eax |
mov dword ptr [ebp-10h], eax |
call dword ptr [00A5D804h] |
mov eax, eax |
dec eax |
xor dword ptr [ebp-10h], eax |
call dword ptr [00A5D7F0h] |
mov eax, eax |
dec eax |
lea ecx, dword ptr [ebp+18h] |
dec eax |
xor dword ptr [ebp-10h], eax |
call dword ptr [00A5D8E8h] |
mov eax, dword ptr [ebp+18h] |
dec eax |
lea ecx, dword ptr [ebp-10h] |
dec eax |
shl eax, 20h |
dec eax |
xor eax, dword ptr [ebp+18h] |
dec eax |
xor eax, dword ptr [ebp-10h] |
dec eax |
xor eax, ecx |
dec eax |
mov ecx, FFFFFFFFh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaf0f10 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc48000 | 0x1b4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc40000 | 0x471c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc49000 | 0x4c018 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa0f6d0 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa09bf0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xaf11d8 | 0x2a0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa9a1a | 0xa9c00 | 9022bf955907d19443dc9c1c05937627 | False | 0.34132944817746685 | data | 6.128686871082244 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xab000 | 0xa4aacc | 0xa4ac00 | 730c728236536961e98542e16229e1bf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xaf6000 | 0x149770 | 0x147e00 | b6d04e54dcf0f82b4f7852477a367132 | False | 0.4186604972836447 | data | 4.676515858242816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0xc40000 | 0x471c | 0x4800 | 3852fea8a5c524d0c39a0c9b3652a982 | False | 0.5022786458333334 | data | 5.814729003118305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.fptable | 0xc45000 | 0x100 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xc46000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_RDATA | 0xc47000 | 0x280 | 0x400 | 3ea74578188a1448520b30c7c6f0ef06 | False | 0.2939453125 | data | 3.191461552490851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xc48000 | 0x1b4 | 0x200 | c7ba142499c72176de5305b1e419cf29 | False | 0.48828125 | data | 5.103911525545503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xc49000 | 0x4c018 | 0x4c200 | a74e9f499148060928f902cd4a09957d | False | 0.01549671592775041 | data | 5.432283010808474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0xc48058 | 0x15b | ASCII text, with CRLF line terminators | English | United States | 0.5446685878962536 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T01:22:09.042301+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:09.919391+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:09.919391+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:11.200792+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:11.956641+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:11.956641+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:13.656018+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:16.080339+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:18.557909+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:21.368165+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:22.132533+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:23.820880+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49713 | 104.21.71.155 | 443 | TCP |
2024-12-23T01:22:27.362380+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49714 | 104.21.71.155 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 01:22:07.442678928 CET | 58813 | 53 | 192.168.2.8 | 1.1.1.1 |
Dec 23, 2024 01:22:07.781054020 CET | 53 | 58813 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 23, 2024 01:22:07.442678928 CET | 192.168.2.8 | 1.1.1.1 | 0x711f | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 23, 2024 01:22:07.781054020 CET | 1.1.1.1 | 192.168.2.8 | 0x711f | No error (0) | 104.21.71.155 | A (IP address) | IN (0x0001) | false | ||
Dec 23, 2024 01:22:07.781054020 CET | 1.1.1.1 | 192.168.2.8 | 0x711f | No error (0) | 172.67.145.201 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:22:09 UTC | 265 | OUT | |
2024-12-23 00:22:09 UTC | 8 | OUT | |
2024-12-23 00:22:09 UTC | 1137 | IN | |
2024-12-23 00:22:09 UTC | 7 | IN | |
2024-12-23 00:22:09 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:22:11 UTC | 266 | OUT | |
2024-12-23 00:22:11 UTC | 52 | OUT | |
2024-12-23 00:22:11 UTC | 1127 | IN | |
2024-12-23 00:22:11 UTC | 242 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN | |
2024-12-23 00:22:11 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.8 | 49708 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:22:13 UTC | 284 | OUT | |
2024-12-23 00:22:13 UTC | 12851 | OUT | |
2024-12-23 00:22:14 UTC | 1130 | IN | |
2024-12-23 00:22:14 UTC | 20 | IN | |
2024-12-23 00:22:14 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.8 | 49709 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:22:16 UTC | 278 | OUT | |
2024-12-23 00:22:16 UTC | 15044 | OUT | |
2024-12-23 00:22:17 UTC | 1130 | IN | |
2024-12-23 00:22:17 UTC | 20 | IN | |
2024-12-23 00:22:17 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.8 | 49710 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:22:18 UTC | 280 | OUT | |
2024-12-23 00:22:18 UTC | 15331 | OUT | |
2024-12-23 00:22:18 UTC | 4892 | OUT | |
2024-12-23 00:22:19 UTC | 1130 | IN | |
2024-12-23 00:22:19 UTC | 20 | IN | |
2024-12-23 00:22:19 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:22:21 UTC | 277 | OUT | |
2024-12-23 00:22:21 UTC | 1208 | OUT | |
2024-12-23 00:22:22 UTC | 1126 | IN | |
2024-12-23 00:22:22 UTC | 20 | IN | |
2024-12-23 00:22:22 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.8 | 49713 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:22:23 UTC | 278 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:23 UTC | 15331 | OUT | |
2024-12-23 00:22:26 UTC | 1135 | IN | |
Property | Value |
---|---|
Target ID: | 0 |
Start time: | 19:22:02 |
Start date: | 22/12/2024 |
Path: | C:\Users\user\Desktop\bas.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff64f040000 |
File size: | 13'164'032 bytes |
MD5 hash: | D5139AE53CB10A64C9245BBF3447ED1C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Property | Value |
---|---|
Target ID: | 2 |
Start time: | 19:22:06 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\dxdiag.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x70000 |
File size: | 222'720 bytes |
MD5 hash: | 24D3F0DB6CCF0C341EA4F6B206DF2EDF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Property | Value |
---|---|
Target ID: | 3 |
Start time: | 19:22:06 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\dxdiag.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x70000 |
File size: | 222'720 bytes |
MD5 hash: | 24D3F0DB6CCF0C341EA4F6B206DF2EDF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Function 00007FF64F0D3A6C | Relevance: 6.0 | APIs: 4 | Instructions: 39 | Tags: time, thread, COMMON |
(Panels: APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity; no panel data was extracted.)
Function 02D07E51 | Relevance: .1 | Instructions: 77 | Tags: COMMON |
(Panels: Memory Dump Source, Joe Sandbox IDA Plugin, Similarity; no panel data was extracted.)