Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D41882715738E10A16D164DA8514AA5A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["awake-weaves.cyou", "debonairnukk.xyz", "effecterectz.xyz", "diffuculttan.xyz", "deafeninggeh.biz", "sordid-snaked.cyou", "hypothesizys.click", "immureprech.biz", "wrathful-jammy.cyou"], "Build id": "VisOTZ--tester"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | | (7 entries) |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T14:28:02.082617+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:04.136873+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:06.625353+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:08.953034+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:11.426844+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:14.259015+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:16.716616+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:20.522470+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 104.21.95.235 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T14:28:02.901923+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:04.994718+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.95.235 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T14:28:02.901923+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.95.235 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T14:28:04.994718+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.95.235 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T14:28:15.017424+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 104.21.95.235 | 443 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | (15 entries) |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | (7 entries) |
Source: | Binary string: |
Networking |
---|
Source: | Suricata IDS: | (5 entries) |
Source: | URLs: | (9 entries) |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | (8 entries) |
Source: | HTTP traffic detected: | (7 entries) |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | (51 entries) |
Source: | Network traffic detected: | (16 entries) |
Source: | HTTPS traffic detected: | (7 entries) |
System Summary |
---|
Source: | Static PE information: | (5 entries) |
Source: | Code function: | 0_3_01A36806 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | (3 entries) |
Source: | Classification label: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Section loaded: | (37 entries) |
Source: | Static file information: |
Source: | Static PE information: | (3 entries) |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Static PE information: | (11 entries) |
Source: | Code function: | 0_3_01A1A7BD |
Source: | Code function: | 0_3_01A1C39D |
Source: | Code function: | 0_3_01A4C171 |
Source: | Static PE information: | (4 entries) |
Boot Survival |
---|
Source: | Window searched: | (3 entries) |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Memory written: | (12 entries) |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | System information queried: | (2 entries) |
Source: | API/Special instruction interceptor: | (4 entries) |
Source: | File opened: |
Source: | Registry key queried: | (3 entries) |
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | Binary or memory string: | (4 entries) |
Source: | System information queried: |
Source: | Process information queried: |
Anti Debugging |
---|
Source: | Thread information set: |
Source: | Open window title or class name: | (8 entries) |
Source: | Process queried: | (3 entries) |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | (6 entries) |
Source: | Queries volume information: |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | (3 entries) |
Source: | String found in binary or memory: | (9 entries) |
Source: | File opened: | (109 entries) |
Source: | File opened: | (7 entries) |
Source: | File opened: | (12 entries) |
Source: | Directory queried: | (30 entries) |
Source: | File source: | (9 entries) |
Remote Access Functionality |
---|
Source: | File source: | (3 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 641 Security Software Discovery | Remote Services | 1 Credential API Hooking | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 33 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 123 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
66% | ReversingLabs | Win32.Trojan.Lumma | ||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
hypothesizys.click | 104.21.95.235 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
false | high | ||
false | high | ||
true | unknown | ||
true | unknown | ||
false | high | ||
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.95.235 | hypothesizys.click | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1579894 |
Start date and time: | 2024-12-23 14:27:07 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 6956 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: file.exe
Time | Type | Description |
---|---|---|
08:28:02 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | FormBook | Browse | | |
| Get hash | malicious | Unknown | Browse | | |
| Get hash | malicious | Unknown | Browse | | |
| Get hash | malicious | MassLogger RAT | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | MassLogger RAT | Browse | | |
| Get hash | malicious | Unknown | Browse | | |
| Get hash | malicious | Unknown | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | Unknown | Browse | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC, Stealc | Browse | | |
| Get hash | malicious | LummaC | Browse | | |
| Get hash | malicious | LummaC, Stealc | Browse | | |
File type: | |
Entropy (8bit): | 7.873161625297609 |
TrID: | |
File name: | file.exe |
File size: | 5'784'576 bytes |
MD5: | d41882715738e10a16d164da8514aa5a |
SHA1: | 3d4a8721cc0d10f276cd462447a579901a42c0f4 |
SHA256: | 7a7868522449e85d36886dd0e2108bb4652f71addc7b28d0a0cec2c1c5eaa2a8 |
SHA512: | 030fb9dd5fbcff633a2be8a7b7d730374f56748c4083a0ebd101dcd4f1b68e4b7d46f3467ae946c0b1b92758deed445156a5ddc107dc0815099cb867a8ab0f84 |
SSDEEP: | 98304:YKs/TcBpRunOXHRuXVOU2XJmwYsR8S9+OEDpqqQm/fgBDDqC+kjF9j9SRVLxcnIV:YhrcdunOXHRQm6O3HOov+ohYVLxwlQ |
TLSH: | 7A462386A9C203B0E5B557B463A2F83D7A393C758B30CCCF64AA7649AC772455732B13 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.....................p......i.............@..........................0.......hX...@........................................ |
Icon Hash: | 121c5a5ad8d85b1e |
Entrypoint: | 0xc9dc69 |
Entrypoint Section: | .vmp |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 0823da187b10a80c7472d0ab7e5f5b95 |
Instruction |
---|
push esi |
pushfd |
mov esi, 3B00681Eh |
call 00007F2C654A8FECh |
push D00F30ABh |
call 00007F2C654A7EDEh |
add ebp, 00000002h |
call 00007F2C654A62BFh |
mov ecx, F4867A1Eh |
jmp 00007F2C65460601h |
mov dword ptr [esp+eax-0000898Ah], eax |
neg cl |
xor word ptr [esp+eax-00008988h], dx |
mov dword ptr [esp+edx-33AA890Ah], edx |
or dword ptr [esp+eax-0000898Ah], eax |
adc cl, FFFFFF9Eh |
mul dx |
sbb edx, 4D1828AAh |
shr edx, 64h |
ror cl, 1 |
xor bl, cl |
rol byte ptr [esp+edx*2-1CD2441Dh], 00000025h |
mul word ptr [esp+edx*2-1CD2441Dh] |
neg dword ptr [esp+edx-0E692627h] |
mov dword ptr [esp+edx*2-1CD24C4Eh], esi |
ror dl, FFFFFFA3h |
push ebx |
adc edx, edx |
mul eax |
call 00007F2C65429AACh |
mov dword ptr [edi+00h], eax |
lea esp, dword ptr [esp+10h] |
jmp 00007F2C65557E74h |
mov edx, 50FFF195h |
leave |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8ffdd0 | 0xa0 | .vmp |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x988000 | 0x4a3c2 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x983000 | 0x4214 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x839000 | 0x1d4 | .vmp |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
(no name) | 0x1000 | 0x3eb36 | 0x20c00 | 069e57f0971e32bb6e32f18d690252af | False | 0.9988519799618321 | data | 7.976313830582199 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
(no name) | 0x40000 | 0x2097 | 0xe00 | 7a0d90d4d96aa4010d21aa66d44031c6 | False | 0.9963727678571429 | data | 7.887970092560811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
(no name) | 0x43000 | 0xe1e4 | 0x3000 | e62c43f5d17b3d123d7685837c574125 | False | 0.9742024739583334 | data | 7.887990741002275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
(no name) | 0x52000 | 0x5d0 | 0x600 | cde6188a7d622da30e60a16a8cf9568e | False | 1.0071614583333333 | data | 7.741263846996405 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
(no name) | 0x53000 | 0x3888 | 0x2200 | da939aac5143a3526139112c1e0ca8b4 | False | 0.9789751838235294 | data | 7.892930629560054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.vmp | 0x57000 | 0x6c32a | 0x6c400 | cf231f93f11fb79990faac8d1d65442f | False | 0.9861815278579676 | data | 7.971623593122607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0xc4000 | 0x1000 | 0x200 | 593c06e005b608d840b8feef7f910b95 | False | 0.615234375 | data | 4.81673112860289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.themida | 0xc5000 | 0x41a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.boot | 0x4df000 | 0x222a00 | 0x222a00 | 32be3bab1eb7da4cb7a23977afae46ce | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.vmp | 0x702000 | 0x1369f4 | 0x136a00 | 4f392048d64c60e39b0d8d553f1893cf | False | 0.9031737298792757 | data | 7.78426522776504 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.vmp | 0x839000 | 0x378 | 0x400 | da95cf89b655794571a1b1794450098f | False | 0.431640625 | data | 3.094037777083467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.vmp | 0x83a000 | 0x148710 | 0x148800 | 7abf4dd0e5966445a9c1cea6781332b4 | False | 0.966277379423516 | data | 7.883575468586369 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x983000 | 0x4214 | 0x4400 | 9a57772549da8f381c699227b2555a61 | False | 0.35920266544117646 | data | 6.122357000297735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x988000 | 0x4a3c2 | 0x4a400 | 68da23bf4a176b1878bf0d14994a914c | False | 0.5728541929713805 | data | 6.406270839476479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

Reading the table: the first five sections have empty names (shown here as "(no name)"; the extractor had dropped the empty cell and shifted those rows). The .themida and .boot sections are the markers Themida leaves, the .vmp sections are VMProtect's, so the file is wrapped in two protector layers. .themida has raw size 0 against a 0x41a000-byte virtual size: it is empty on disk (d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes, which is also why its entropy is "unknown") and is populated only at run time. The entry point 0xc9dc69 (RVA 0x89dc69 against the 0x400000 image base) falls in the .vmp section at 0x83a000, matching "Entrypoint Section: .vmp" above, and the code-bearing sections sit at 7.8 to 7.98 bits of entropy, so nothing useful about the stealer itself is visible without unpacking; the section table is only enough to say what the wrapper is.
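The checks made by hand above (which section holds the entry point, which sections exist only at run time, which names belong to a protector, how close the entropy is to 8.0) are exactly what a triage script should do before any dynamic analysis. The following is an added example written for this page, not code from the sandbox report or from Joe Security: a stdlib-only section-table parser plus a `build_sample_pe()` helper that constructs a minimal PE32 whose section names and virtual addresses mirror the table above (raw sizes are scaled down and filled with deterministic pseudo-random bytes, so it is a synthetic stand-in, not the analysed file). The packer name set and the 7.5 entropy threshold are assumptions.

```python
"""Section-table triage for a packed PE, stdlib only.

Added example, not code from the sandbox report. Reads the section headers
from the file, finds the section holding the entry point and flags the
protector tells seen in the table above. build_sample_pe() returns a minimal
PE32 constructed here to mirror that table; it is not the analysed file.
"""
import math
import random
import struct
import sys
from collections import Counter

PACKER_SECTION_NAMES = {".vmp", ".themida", ".boot", "UPX0", "UPX1"}  # VMProtect, Themida, UPX
HIGH_ENTROPY = 7.5  # assumed threshold; packed or encrypted data sits close to 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """Return (image_base, entry_rva, sections) from a raw PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic, entry_rva = struct.unpack_from("<H", pe, opt)[0], struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "entropy": shannon_entropy(raw)})
        off += 40  # IMAGE_SECTION_HEADER is 40 bytes; the remaining fields are not needed here
    return image_base, entry_rva, sections

def entry_section(entry_rva: int, sections):
    """Name of the section whose virtual range contains the entry point, else None."""
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None

def triage(pe: bytes) -> dict:
    image_base, entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        label = s["name"] or f"<unnamed @ {s['va']:#x}>"
        if s["rawsize"] == 0 and s["vsize"]:
            findings.append(f"{label}: raw size 0, virtual size {s['vsize']:#x} (filled at run time)")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{label}: protector section name")
        if s["rawsize"] and s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{label}: entropy {s['entropy']:.2f}")
    return {"image_base": image_base, "entry_point": image_base + entry_rva,
            "entry_section": entry_section(entry_rva, sections), "findings": findings}

# Constructed to mirror the report's table: (name, VA, virtual size, raw size, characteristics).
SAMPLE_SECTIONS = [
    ("", 0x1000, 0x3EB36, 0x1000, 0x60000020),
    (".vmp", 0x57000, 0x6C32A, 0x1000, 0x40000040),
    (".themida", 0xC5000, 0x41A000, 0x0, 0xE0000060),
    (".boot", 0x4DF000, 0x222A00, 0x2000, 0x60000060),
    (".vmp", 0x83A000, 0x148710, 0x2000, 0x60000020),
    (".rsrc", 0x988000, 0x4A3C2, 0x200, 0x40000040),
]

def build_sample_pe(specs=SAMPLE_SECTIONS, image_base=0x400000, entry_rva=0x89DC69) -> bytes:
    """Minimal PE32 carrying the given section table (synthetic test input, not a real binary)."""
    rng, opt_size = random.Random(7), 0xE0
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(specs)
    raw_off = (hdr_end + 0x1FF) & ~0x1FF  # first raw section on a 512-byte file boundary
    hdrs, blobs = b"", b""
    for name, va, vsize, rawsize, chars in specs:
        ptr = raw_off + len(blobs) if rawsize else 0
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rawsize, ptr, 0, 0, 0, 0, chars)
        blobs += rng.randbytes(rawsize)  # high-entropy filler standing in for packed code
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 8 + struct.pack("<I", image_base)
    opt += b"\0" * (opt_size - len(opt))  # magic at +0, AddressOfEntryPoint at +16, ImageBase at +28
    pe = dos + b"PE\0\0" + coff + opt + hdrs
    return pe + b"\0" * (raw_off - len(pe)) + blobs

if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(triage(target))
```

Run it with a path argument to triage a real file, or without one to see the synthetic sample produce the same verdicts as the table: entry point 0xc9dc69 in `.vmp`, `.themida` flagged as raw size 0, and the code sections flagged for entropy. Note that `entry_section()` uses the larger of virtual and raw size, so an entry point placed in a section that is only materialised at run time (as a Themida stub could do) is still attributed correctly.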
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
MUI | 0x9882cc | 0x58b5 | InnoSetup messages, version 5.5.3, 221 messages (UTF-16), &About Setup... | 0.1815579726099784 | ||
RT_ICON | 0x98db84 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | 0.6425891181988743 | ||
RT_ICON | 0x98ec2c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | 0.4661667453944261 | ||
RT_ICON | 0x992e54 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | 0.3631403052170827 | ||
RT_ICON | 0x9a367c | 0xdf61 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9968698085162193 | ||
RT_ICON | 0x9b15e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.6271106941838649 |
RT_ICON | 0x9b2688 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.4517595654227681 |
RT_ICON | 0x9b68b0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.3177570093457944 |
RT_ICON | 0x9c70d8 | 0xaddb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9969218325207271 |
RT_GROUP_ICON | 0x9d1eb4 | 0x3e | data | 0.8225806451612904 | ||
RT_GROUP_ICON | 0x9d1ef4 | 0x3e | data | English | United States | 0.8709677419354839 |
RT_MANIFEST | 0x9d1f34 | 0x48e | XML 1.0 document, ASCII text | 0.43310463121783876 |
DLL | Import |
---|---|
kernel32.dll | GetModuleHandleA |
SHELL32.dll | SHEmptyRecycleBinW |
USER32.dll | CloseClipboard |
GDI32.dll | BitBlt |
ole32.dll | CoCreateInstance |
OLEAUT32.dll | SysAllocString |
kernel32.dll | GetSystemTimeAsFileTime, CreateEventA, GetModuleHandleA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, LoadLibraryA, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, HeapAlloc, HeapFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, MultiByteToWideChar, GetModuleHandleW, LoadResource, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, GetCommandLineA, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, FlushFileBuffers, VirtualQuery |
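The "Import Hash" field above (0823da187b10a80c7472d0ab7e5f5b95) is the usual pivot from this import table to related samples, and it is worth knowing exactly what goes into it. The following is an added example, not the sandbox's own code: a reference implementation of the imphash convention that pefile and the original Mandiant description use (per imported function, lowercase "dll-without-extension.function", kept in import-table order, comma-joined, MD5). `SAMPLE_IMPORTS` is constructed from the single-function rows of the table above; the report's value was computed over the file's full import directory, which the page shows only in part, so the example does not reproduce it.

```python
"""Import hash (imphash): the derivation behind the Import Hash field above.

Added example, not the sandbox's own code. Per imported function, lowercase
"<dll minus .dll/.ocx/.sys>.<name>", in import-table order, comma-joined, MD5.
SAMPLE_IMPORTS is constructed from the import table on this page; the report's
hash covers the full import directory, which is only partly shown here.
"""
import hashlib

def normalize_library(dll: str) -> str:
    """Lowercase the module name and drop a .dll/.ocx/.sys extension, as pefile does."""
    lib = dll.lower()
    return lib[:-4] if lib.endswith((".dll", ".ocx", ".sys")) else lib

def imphash_string(imports) -> str:
    """The comma-joined pre-image, useful when comparing two binaries by hand.

    imports: iterable of (dll, function) in import-table order; function is a
    name, or an int for an import by ordinal, which is rendered as "ordN".
    """
    parts = []
    for dll, func in imports:
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{normalize_library(dll)}.{name}")
    return ",".join(parts)

def imphash(imports) -> str:
    """MD5 of the pre-image, as a 32-character lowercase hex string."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()

# Constructed from the single-function rows of the import table above, in the order listed.
SAMPLE_IMPORTS = [
    ("kernel32.dll", "GetModuleHandleA"),
    ("SHELL32.dll", "SHEmptyRecycleBinW"),
    ("USER32.dll", "CloseClipboard"),
    ("GDI32.dll", "BitBlt"),
    ("ole32.dll", "CoCreateInstance"),
    ("OLEAUT32.dll", "SysAllocString"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two caveats when pivoting on this value. Order matters (the same functions imported in a different order hash differently), which is what makes imphash a build-toolchain fingerprint rather than a capability summary. And pefile resolves ordinal imports from ws2_32.dll and oleaut32.dll to names through its own lookup table, so for binaries that import those modules by ordinal its result differs from the plain "ordN" rendering used here. For a VMProtect-wrapped file such as this one the hash describes the protector's stub imports, not the stealer's, so it clusters samples by packer build rather than by payload.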
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T14:28:02.082617+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:02.901923+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:02.901923+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:04.136873+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:04.994718+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:04.994718+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:06.625353+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:08.953034+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:11.426844+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:14.259015+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:15.017424+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:16.716616+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.95.235 | 443 | TCP |
2024-12-23T14:28:20.522470+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 104.21.95.235 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 14:28:00.863284111 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:00.863353968 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:00.863476038 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:00.866189957 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:00.866209030 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.082542896 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.082617044 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.087527037 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.087553024 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.087754011 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.131419897 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.173983097 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.174009085 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.174071074 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.901895046 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.901962996 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.902137041 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.904069901 CET | 49730 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.904094934 CET | 443 | 49730 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.921546936 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.921572924 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:02.921658039 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.922013998 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:02.922025919 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.136774063 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.136873007 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.143419027 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.143424988 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.143621922 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.193969011 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.242264032 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.242305040 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.242336035 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.994651079 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.994688988 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.994718075 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.994745016 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.994752884 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.994764090 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.994802952 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.994807959 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:04.994853973 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:04.994859934 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.002624989 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.002707958 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.002715111 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.011357069 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.011424065 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.011430025 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.053473949 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.053478956 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.100317955 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.114340067 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.162796021 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.186235905 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.189989090 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.190064907 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.190202951 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.190202951 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.190349102 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.190357924 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.190381050 CET | 49731 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.190386057 CET | 443 | 49731 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.406461954 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.406487942 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:05.406569958 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.406970978 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:05.406985044 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:06.625241995 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:06.625353098 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:06.635178089 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:06.635186911 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:06.635519028 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:06.636468887 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:06.636590958 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:06.636624098 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:06.636693954 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:06.636701107 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:07.639169931 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:07.639297009 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:07.639354944 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:07.639549017 CET | 49732 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:07.639568090 CET | 443 | 49732 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:07.738724947 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:07.738816023 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:07.738925934 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:07.739248037 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:07.739284992 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:08.952924013 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:08.953033924 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:08.954411983 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:08.954442978 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:08.954751968 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:08.956022978 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:08.956197977 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:08.956240892 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:09.759119034 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:09.759206057 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:09.759299040 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:09.764965057 CET | 49733 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:09.765019894 CET | 443 | 49733 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:10.213009119 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:10.213051081 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:10.213130951 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:10.213466883 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:10.213480949 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:11.426712036 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:11.426843882 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:11.440001011 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:11.440015078 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:11.440222025 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:11.441392899 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:11.441577911 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:11.441610098 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:11.441674948 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:11.441684008 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:12.391514063 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:12.391592979 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:12.391746998 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:12.391977072 CET | 49734 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:12.391993046 CET | 443 | 49734 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:13.027781010 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:13.027827978 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:13.027914047 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:13.028371096 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:13.028405905 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:14.258872986 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:14.259015083 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:14.260593891 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:14.260618925 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:14.260833979 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:14.262417078 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:14.262594938 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:14.262609005 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:15.017405033 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:15.017476082 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:15.017550945 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:15.017702103 CET | 49735 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:15.017740965 CET | 443 | 49735 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:15.501384974 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:15.501445055 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:15.501533985 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:15.501873970 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:15.501913071 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.716425896 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.716615915 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.721549988 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.721569061 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.721786022 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.723782063 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.723782063 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.723836899 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.724654913 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.724700928 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.726686001 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.726738930 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.727634907 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.727685928 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.727900982 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.727955103 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.728183031 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.728225946 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.728247881 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.728285074 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.728460073 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.728498936 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.728539944 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.728735924 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.728806019 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.771373987 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.771599054 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.771622896 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.771650076 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.771673918 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.771702051 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.771718979 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:16.771752119 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:16.771771908 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:19.391200066 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:19.391300917 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:19.391387939 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:19.391542912 CET | 49736 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:19.391592979 CET | 443 | 49736 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:19.474822998 CET | 49740 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:19.474863052 CET | 443 | 49740 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:19.474941969 CET | 49740 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:19.475379944 CET | 49740 | 443 | 192.168.2.4 | 104.21.95.235 |
Dec 23, 2024 14:28:19.475394011 CET | 443 | 49740 | 104.21.95.235 | 192.168.2.4 |
Dec 23, 2024 14:28:20.522469997 CET | 49740 | 443 | 192.168.2.4 | 104.21.95.235 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 14:28:00.542002916 CET | 49690 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 23, 2024 14:28:00.856664896 CET | 53 | 49690 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 23, 2024 14:28:00.542002916 CET | 192.168.2.4 | 1.1.1.1 | 0x8819 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 23, 2024 14:28:00.856664896 CET | 1.1.1.1 | 192.168.2.4 | 0x8819 | No error (0) | | | 104.21.95.235 | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 14:28:00.856664896 CET | 1.1.1.1 | 192.168.2.4 | 0x8819 | No error (0) | | | 172.67.149.159 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.95.235 | 443 | 6956 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 13:28:02 UTC | 265 | OUT | |
2024-12-23 13:28:02 UTC | 8 | OUT | |
2024-12-23 13:28:02 UTC | 1141 | IN | |
2024-12-23 13:28:02 UTC | 7 | IN | |
2024-12-23 13:28:02 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.95.235 | 443 | 6956 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 13:28:04 UTC | 266 | OUT | |
2024-12-23 13:28:04 UTC | 48 | OUT | |
2024-12-23 13:28:04 UTC | 1131 | IN | |
2024-12-23 13:28:04 UTC | 238 | IN | |
2024-12-23 13:28:04 UTC | 1369 | IN | |
2024-12-23 13:28:04 UTC | 1369 | IN | |
2024-12-23 13:28:04 UTC | 1369 | IN | |
2024-12-23 13:28:04 UTC | 1369 | IN | |
2024-12-23 13:28:04 UTC | 1369 | IN | |
2024-12-23 13:28:04 UTC | 1369 | IN | |
2024-12-23 13:28:04 UTC | 1369 | IN | |
2024-12-23 13:28:05 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.95.235 | 443 | 6956 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 13:28:06 UTC | 280 | OUT | |
2024-12-23 13:28:06 UTC | 15331 | OUT | |
2024-12-23 13:28:06 UTC | 2809 | OUT | |
2024-12-23 13:28:07 UTC | 1132 | IN | |
2024-12-23 13:28:07 UTC | 20 | IN | |
2024-12-23 13:28:07 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49733 | 104.21.95.235 | 443 | 6956 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 13:28:08 UTC | 273 | OUT | |
2024-12-23 13:28:08 UTC | 8725 | OUT | |
2024-12-23 13:28:09 UTC | 1127 | IN | |
2024-12-23 13:28:09 UTC | 20 | IN | |
2024-12-23 13:28:09 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49734 | 104.21.95.235 | 443 | 6956 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 13:28:11 UTC | 279 | OUT | |
2024-12-23 13:28:11 UTC | 15331 | OUT | |
2024-12-23 13:28:11 UTC | 5077 | OUT | |
2024-12-23 13:28:12 UTC | 1137 | IN | |
2024-12-23 13:28:12 UTC | 20 | IN | |
2024-12-23 13:28:12 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49735 | 104.21.95.235 | 443 | 6956 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 13:28:14 UTC | 273 | OUT | |
2024-12-23 13:28:14 UTC | 1203 | OUT | |
2024-12-23 13:28:15 UTC | 1126 | IN | |
2024-12-23 13:28:15 UTC | 20 | IN | |
2024-12-23 13:28:15 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49736 | 104.21.95.235 | 443 | 6956 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 13:28:16 UTC | 276 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:16 UTC | 15331 | OUT | |
2024-12-23 13:28:19 UTC | 1141 | IN |
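The seven sessions above are all the report can show of the C2 exchange: the Data column is empty because raw packets are capped at 10 per session and the payload is inside TLS. What is left, byte counts and direction per session, is still enough to separate a check-in from a download and from bulk exfiltration, and that split is the one a SOC analyst needs when a proxy log is all that survives. The following is an added example for this page, not part of the sandbox report: `SESSION_LOG` is transcribed from the seven session tables above, and the 4096-byte and 4:1 thresholds are assumptions chosen for this sample, not published Lumma indicators.

```python
"""Size/direction triage of the proxied HTTPS sessions above.

Added example, not part of the sandbox report. SESSION_LOG is constructed
from the report's seven session tables (session id, bytes, direction);
the thresholds are assumptions chosen for this sample.
"""
from collections import defaultdict

# Transcribed from the report; repeated records are written as list multiplications.
SESSION_LOG = (
    [(0, 265, "OUT"), (0, 8, "OUT"), (0, 1141, "IN"), (0, 7, "IN"), (0, 5, "IN")]
    + [(1, 266, "OUT"), (1, 48, "OUT"), (1, 1131, "IN"), (1, 238, "IN")] + [(1, 1369, "IN")] * 8
    + [(2, 280, "OUT"), (2, 15331, "OUT"), (2, 2809, "OUT"), (2, 1132, "IN"), (2, 20, "IN"), (2, 5, "IN")]
    + [(3, 273, "OUT"), (3, 8725, "OUT"), (3, 1127, "IN"), (3, 20, "IN"), (3, 5, "IN")]
    + [(4, 279, "OUT"), (4, 15331, "OUT"), (4, 5077, "OUT"), (4, 1137, "IN"), (4, 20, "IN"), (4, 5, "IN")]
    + [(5, 273, "OUT"), (5, 1203, "OUT"), (5, 1126, "IN"), (5, 20, "IN"), (5, 5, "IN")]
    + [(6, 276, "OUT")] + [(6, 15331, "OUT")] * 10 + [(6, 1141, "IN")]
)

BULK = 4096   # assumed: below this a direction is "small" (headers, status line, check-in)
RATIO = 4     # assumed: one direction must carry 4x the other to count as a transfer

def classify(out_total: int, in_total: int) -> str:
    """Label one TLS session from its byte totals alone."""
    if out_total >= BULK and out_total > RATIO * in_total:
        return "exfiltration"   # client pushes far more than it receives
    if in_total >= BULK and in_total > RATIO * out_total:
        return "download"       # server pushes a payload or config to the client
    return "check-in"           # small in both directions

def summarize(log) -> dict:
    """Per-session totals, largest outbound record and label, keyed by session id."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "max_out": 0})
    for sid, nbytes, direction in log:
        key = direction.lower()
        totals[sid][key] += nbytes
        if key == "out":
            totals[sid]["max_out"] = max(totals[sid]["max_out"], nbytes)
    for t in totals.values():
        t["label"] = classify(t["out"], t["in"])
    return dict(totals)

def total_exfiltrated(summary: dict) -> int:
    """Outbound bytes across sessions labelled as exfiltration."""
    return sum(t["out"] for t in summary.values() if t["label"] == "exfiltration")

if __name__ == "__main__":
    summary = summarize(SESSION_LOG)
    for sid in sorted(summary):
        t = summary[sid]
        print(f"session {sid}: out={t['out']:>7} in={t['in']:>6} {t['label']}")
    print(f"outbound bytes in exfiltration sessions: {total_exfiltrated(summary)}")
```

On the report's own numbers the script labels session 0 a check-in (273 bytes out, 1153 in), session 1 a download (314 out, 12321 in: a small request answered with roughly 12 KB, the shape of a configuration pull), sessions 2, 3, 4 and 6 as exfiltration (about 18, 9, 21 and 154 KB out against about 1.1 KB in each), and session 5 a check-in. That last one is the caveat: the "Win32/Lumma Stealer Exfiltration" alert (SID 2048094) fired on port 49735, which is session 5, on content the size heuristic cannot see, while the size heuristic in turn flags four sessions the content rule did not. The two views are complementary; use the byte profile to scope how much left the host and the IDS signature to confirm the family.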
Target ID: | 0 |
Start time: | 08:27:58 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa30000 |
File size: | 5'784'576 bytes |
MD5 hash: | D41882715738E10A16D164DA8514AA5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Function | Relevance | Instructions | Tag | Source |
---|---|---|---|---|
01A36806 | 1.9 | 1851 | COMMON | Memory dump (Joe Sandbox IDA Plugin) |

Note the address: 0x01A36806 lies well above the mapped image (run-time base 0xa30000 plus roughly 0x9d3000 of image, the last section at 0x988000 + 0x4a3c2 page-aligned), so this function was carved from memory the process allocated after start-up, which is where the unpacked code of a Themida/VMProtect-wrapped sample is expected to surface. Match it against the memory dump, not against file offsets, and expect different run-time addresses on every execution because DYNAMIC_BASE is set and the file carries a .reloc section.