Windows
Analysis Report
gfehgfwveg.exe
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- gfehgfwveg.exe (PID: 3948 cmdline: "C:\Users\user\Desktop\gfehgfwveg.exe" MD5: 43EC2649E1B173B6E8B3800E18CCEEB4)
- cmd.exe (PID: 5908 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 6520 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DanaBot | Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. | | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-24T20:58:13.887150+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49830 | 34.34.145.103 | 443 | TCP |
2024-12-24T20:58:14.953488+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49831 | 34.169.99.17 | 443 | TCP |
2024-12-24T20:58:16.044840+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49835 | 34.83.67.185 | 443 | TCP |
2024-12-24T20:58:17.119157+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49838 | 35.195.45.98 | 443 | TCP |
2024-12-24T20:59:18.664291+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49981 | 34.34.145.103 | 443 | TCP |
2024-12-24T20:59:20.009982+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49985 | 34.169.99.17 | 443 | TCP |
2024-12-24T20:59:21.083789+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 34.83.67.185 | 443 | TCP |
2024-12-24T20:59:22.135469+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49991 | 35.195.45.98 | 443 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | File source: | (3 entries) |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0302E190 |
Source: | Code function: | 0_2_0302DBC4 |
Networking |
---|
Source: | Suricata IDS: | (8 entries) |
Source: | ASN Name: | (2 entries) |
Source: | TCP traffic detected without corresponding DNS query: | (50 entries) |
Source: | String found in binary or memory: | (6 entries) |
Source: | Network traffic detected: | (32 entries) |
E-Banking Fraud |
---|
Source: | File source: | (3 entries) |
Source: | Code function: | 0_2_034E525C |
Source: | Static PE information: |
Source: | Binary or memory string: | (6 entries) |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Key opened: | (4 entries) |
Source: | File read: |
Source: | Key opened: |
Source: | Binary or memory string: | (4 entries) |
Source: | ReversingLabs: |
Source: | Process created: | (6 entries) |
Source: | Section loaded: | (59 entries) |
Source: | Key value queried: |
Source: | Key value created or modified: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_034E525C |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Binary or memory string: |
Source: | Process information set: | (4 entries) |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: | (2 entries) |
Source: | Window / User API: | (2 entries) |
Source: | System information queried: | (4 entries) |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_0302E190 |
Source: | Code function: | 0_2_0302DBC4 |
Source: | Binary or memory string: | (2 entries) |
Source: | API call chain: | graph_0-2563 |
Source: | Process information queried: |
Source: | Code function: | 0_2_034E525C |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: | (2 entries) |
Source: | Binary or memory string: | (2 entries) |
Source: | Code function: | 0_2_0302E2C8 |
Source: | Code function: | 0_2_0302D768 |
Source: | Registry key value queried: | (41 entries) |
Source: | Key value queried: | (2 entries) |
Source: | Queries volume information: |
Source: | Code function: | 0_2_034E583C |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: | (5 entries) |
Remote Access Functionality |
---|
Source: | File source: | (3 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Multi-hop Proxy | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Proxy | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 153 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
55% | ReversingLabs | Win32.Trojan.Danabot | ||
100% | Avira | TR/ATRAPS.Gen | ||
100% | Joe Sandbox ML | | ||
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
35.195.45.98 | unknown | United States | | 15169 | GOOGLEUS | false |
34.83.67.185 | unknown | United States | | 15169 | GOOGLEUS | false |
34.34.145.103 | unknown | United States | | 2686 | ATGS-MMD-ASUS | true |
34.169.99.17 | unknown | United States | | 2686 | ATGS-MMD-ASUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1580519 |
Start date and time: | 2024-12-24 20:56:11 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 5s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | gfehgfwveg.exe |
Detection: | MAL |
Classification: | mal88.troj.evad.winEXE@6/0@0/4 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: gfehgfwveg.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ATGS-MMD-ASUS | | | malicious | HTMLPhisher | | |
ATGS-MMD-ASUS | | | malicious | Mirai (8 entries) | | |
ATGS-MMD-ASUS | | | malicious | HTMLPhisher | | |
ATGS-MMD-ASUS | | | malicious | Mirai (8 entries) | | |
File type: | |
Entropy (8bit): | 7.797143844212164 |
TrID: | |
File name: | gfehgfwveg.exe |
File size: | 4'276'224 bytes |
MD5: | 43ec2649e1b173b6e8b3800e18cceeb4 |
SHA1: | e864b2d11a7c9c7497b22af930b31db1e2061244 |
SHA256: | 4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183 |
SHA512: | 83ec8f330986807a7b927c47f6becf26fd926bbfac096b9160c36e30c3a30fd7e05ebdef2556dc1aab3c61bf01e1f633ab6e9535440d95bdfcfa418bf139f086 |
SSDEEP: | 98304:nNLjlVuxN0obg4MLp6bsYOYQyLmZwPoyAkDnZ:n5lVuxNvglisVyLZPJDnZ |
TLSH: | 9F16F122F64C667ED4AF0E395877B594583F77A1B99ADC1B47E0098CCE35880363A24F |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x7eee00 |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x676AEC85 [Tue Dec 24 17:16:53 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 29e05b1fea10173c5bcc5ba6150988ec |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFE4h |
xor eax, eax |
mov dword ptr [ebp-1Ch], eax |
mov dword ptr [ebp-18h], eax |
mov eax, 007E9C9Ch |
call 00007F2C2822CD6Dh |
xor eax, eax |
push ebp |
push 007EEF1Dh |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
call 00007F2C286058AAh |
cmp eax, 000000FAh |
jnl 00007F2C2860B762h |
call 00007F2C286058F6h |
cmp eax, 78h |
jnl 00007F2C2860B754h |
mov dword ptr [007FCFA0h], 00000001h |
mov dword ptr [007FCF9Ch], 001DBCD7h |
mov eax, dword ptr [007FCF9Ch] |
mov dword ptr [007FCFA4h], eax |
mov eax, dword ptr [007FCF9Ch] |
test eax, eax |
jl 00007F2C2860B6BEh |
inc eax |
mov dword ptr [ebp-14h], eax |
mov dword ptr [007FCF98h], 00000000h |
inc dword ptr [007FCFA0h] |
dec dword ptr [007FCFA4h] |
push 00000000h |
call 00007F2C28244D69h |
inc dword ptr [007FCF98h] |
dec dword ptr [ebp-14h] |
jne 00007F2C2860B674h |
cmp dword ptr [007FCFA4h], FFFFFFFFh |
jne 00007F2C2860B6F4h |
lea edx, dword ptr [ebp-18h] |
mov ax, 0063h |
call 00007F2C28605BD1h |
mov eax, dword ptr [ebp-18h] |
mov edx, 007EEF38h |
call 00007F2C2822729Ch |
je 00007F2C2860B6D9h |
call 00007F2C28605E11h |
cmp eax, 0Ah |
jbe 00007F2C2860B6CFh |
call 00007F2C28615E27h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x400000 | 0x96 | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3fd000 | 0x16c6 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41d000 | 0x3600 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x403000 | 0x191c0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x402000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3fd4cc | 0x364 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3ff000 | 0x278 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3ec544 | 0x3ec600 | d7aefb5d6e6de984e994dc7c45754b87 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x3ee000 | 0xf50 | 0x1000 | aada5a4a7410fe967643c3d004a17c32 | False | 0.558349609375 | data | 6.162614752272672 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x3ef000 | 0x7d68 | 0x7e00 | 72410db874b473bfd55dbb3785831cd6 | False | 0.5638950892857143 | data | 6.356179507417859 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x3f7000 | 0x5fac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x3fd000 | 0x16c6 | 0x1800 | f83dfbc7a8d8169726b5b3aba8787951 | False | 0.3240559895833333 | data | 4.895786587173563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x3ff000 | 0x278 | 0x400 | 7a0cace727c21d6b42ac476919254aa3 | False | 0.26953125 | firmware 100 v0 (revision 2733719296) X\361? , version 54304.16640.10270 (region 2297446144), 0 bytes or less, UNKNOWN1 0x88f03f00, at 0 0 bytes , at 0 0 bytes , at 0x60524000 3629203456 bytes | 2.7239518130953684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x400000 | 0x96 | 0x200 | 09704f1006f905baccdf053cd9af9689 | False | 0.248046875 | data | 1.738190464085354 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x401000 | 0x20 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x402000 | 0x5c | 0x200 | 610e9cb9d596ddf3f8481c9e9885e5fe | False | 0.1875 | data | 1.343433641850296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x403000 | 0x191c0 | 0x19200 | 2d0a440ed47b481783a33f1e4c0e5378 | False | 0.5856071206467661 | data | 6.706934385109459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x41d000 | 0x3600 | 0x3600 | d77787dd189e78a674c960d21fa4face | False | 0.2931857638888889 | data | 3.7312727777990213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_STRING | 0x41d368 | 0x4e0 | data | | | 0.3333333333333333 |
RT_STRING | 0x41d848 | 0x310 | data | | | 0.35331632653061223 |
RT_STRING | 0x41db58 | 0x330 | data | | | 0.39215686274509803 |
RT_STRING | 0x41de88 | 0x4c4 | data | | | 0.3983606557377049 |
RT_STRING | 0x41e34c | 0x4ac | data | | | 0.32274247491638797 |
RT_STRING | 0x41e7f8 | 0x3b4 | data | | | 0.3628691983122363 |
RT_STRING | 0x41ebac | 0x440 | data | | | 0.38235294117647056 |
RT_STRING | 0x41efec | 0x21c | data | | | 0.40555555555555556 |
RT_STRING | 0x41f208 | 0xbc | data | | | 0.6542553191489362 |
RT_STRING | 0x41f2c4 | 0x100 | data | | | 0.62890625 |
RT_STRING | 0x41f3c4 | 0x338 | data | | | 0.4223300970873786 |
RT_STRING | 0x41f6fc | 0x478 | data | | | 0.29895104895104896 |
RT_STRING | 0x41fb74 | 0x354 | data | | | 0.4107981220657277 |
RT_STRING | 0x41fec8 | 0x2b8 | data | | | 0.4367816091954023 |
RT_RCDATA | 0x420180 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0x420190 | 0x3ec | data | | | 0.6125498007968128 |
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
user32.dll | CharNextW, LoadStringW |
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle |
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary |
user32.dll | CreateWindowExW, UpdateWindow, TranslateMessage, SystemParametersInfoW, ShowWindow, RegisterClassW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, GetMessageW, EndPaint, DispatchMessageW, DefWindowProcW, CharUpperBuffW, CharUpperW, CharLowerBuffW, BeginPaint |
gdi32.dll | SetBkColor, Rectangle |
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, SwitchToThread, SuspendThread, Sleep, SetThreadPriority, SetLastError, SetFileTime, SetFilePointer, SetEvent, SetEndOfFile, ResumeThread, ResetEvent, ReleaseSemaphore, ReadFile, RaiseException, QueryDosDeviceW, IsDebuggerPresent, MapViewOfFile, LocalFree, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GetVolumeInformationW, GetVersionExW, GetTimeZoneInformation, GetTickCount64, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeLibrary, FormatMessageW, FlushInstructionCache, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateSemaphoreA, CreateProcessW, CreatePipe, CreateFileMappingW, CreateFileW, CreateEventA, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle |
kernel32.dll | Sleep |
netapi32.dll | NetApiBufferFree, NetWkstaGetInfo |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
oleaut32.dll | GetErrorInfo, SysFreeString |
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize |
msvcrt.dll | memset, memmove, memcpy |
msvcrt.dll | _beginthreadex |
winmm.dll | waveOutGetVolume |
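The import table above lists kernel32.dll four times and oleaut32.dll, user32.dll and msvcrt.dll more than once: one row per import descriptor, which is consistent with the Delphi build the report identifies. A common way to pivot from such a listing is the import hash (imphash) as pefile computes it: lower-case `dll.function` strings in import-directory order, extension dropped, duplicates kept, joined with commas and MD5-hashed. The Python below is an added example, not part of the Joe Sandbox report, and takes the rows above pasted as constructed input. The digest it produces equals the sample's real imphash only if the report lists every imported function in the same order as the PE import directory, which is an assumption here; ordinal-only imports, which pefile resolves separately, do not occur in this listing.

```python
"""Compute a pefile-style import hash (imphash) from the report's import table."""
import hashlib

# Constructed input: the DLL | Import rows from the report above, one row per
# import descriptor, in the order the report lists them.
IMPORT_TABLE = """\
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | CharNextW, LoadStringW
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll | CreateWindowExW, UpdateWindow, TranslateMessage, SystemParametersInfoW, ShowWindow, RegisterClassW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, GetMessageW, EndPaint, DispatchMessageW, DefWindowProcW, CharUpperBuffW, CharUpperW, CharLowerBuffW, BeginPaint
gdi32.dll | SetBkColor, Rectangle
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, SwitchToThread, SuspendThread, Sleep, SetThreadPriority, SetLastError, SetFileTime, SetFilePointer, SetEvent, SetEndOfFile, ResumeThread, ResetEvent, ReleaseSemaphore, ReadFile, RaiseException, QueryDosDeviceW, IsDebuggerPresent, MapViewOfFile, LocalFree, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GetVolumeInformationW, GetVersionExW, GetTimeZoneInformation, GetTickCount64, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeLibrary, FormatMessageW, FlushInstructionCache, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateSemaphoreA, CreateProcessW, CreatePipe, CreateFileMappingW, CreateFileW, CreateEventA, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
kernel32.dll | Sleep
netapi32.dll | NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll | GetErrorInfo, SysFreeString
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
msvcrt.dll | memset, memmove, memcpy
msvcrt.dll | _beginthreadex
winmm.dll | waveOutGetVolume
"""

# pefile drops exactly these extensions from the library name before hashing.
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalized_imports(table):
    """Return 'lib.func' strings in listing order, lower-cased, with the
    library extension dropped and duplicates kept, which is the string
    pefile joins with commas before hashing."""
    entries = []
    for line in table.splitlines():
        if "|" not in line:
            continue
        dll, funcs = (part.strip() for part in line.split("|", 1))
        lib = dll.lower()
        for ext in STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs.split(","):
            func = func.strip()
            if func:
                entries.append(f"{lib}.{func.lower()}")
    return entries


def imphash(table):
    """MD5 over the comma-joined normalized import list (pefile's imphash)."""
    joined = ",".join(normalized_imports(table))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def descriptors_per_dll(table):
    """Count separate import descriptors (rows) per DLL in the listing."""
    counts = {}
    for line in table.splitlines():
        if "|" in line:
            dll = line.split("|", 1)[0].strip().lower()
            counts[dll] = counts.get(dll, 0) + 1
    return counts


if __name__ == "__main__":
    print("imports :", len(normalized_imports(IMPORT_TABLE)))
    print("per dll :", descriptors_per_dll(IMPORT_TABLE))
    print("imphash :", imphash(IMPORT_TABLE))
```

Because duplicates are kept, the three separate `Sleep` imports from kernel32 all contribute to the hash, so a build that merges its import descriptors would hash differently even with an identical API set; compare against a pefile-computed value from the binary itself before using the digest as a pivot.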
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 3 | 0x7824b4 |
__dbk_fcall_wrapper | 2 | 0x4103c4 |
dbkFCallWrapperAddr | 1 | 0x7fa630 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-24T20:58:13.887150+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49830 | 34.34.145.103 | 443 | TCP |
2024-12-24T20:58:14.953488+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49831 | 34.169.99.17 | 443 | TCP |
2024-12-24T20:58:16.044840+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49835 | 34.83.67.185 | 443 | TCP |
2024-12-24T20:58:17.119157+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49838 | 35.195.45.98 | 443 | TCP |
2024-12-24T20:59:18.664291+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49981 | 34.34.145.103 | 443 | TCP |
2024-12-24T20:59:20.009982+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49985 | 34.169.99.17 | 443 | TCP |
2024-12-24T20:59:21.083789+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49988 | 34.83.67.185 | 443 | TCP |
2024-12-24T20:59:22.135469+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49991 | 35.195.45.98 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 24, 2024 20:57:08.524483919 CET | 49704 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:57:08.524509907 CET | 443 | 49704 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:57:08.524571896 CET | 49704 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:57:08.591147900 CET | 49704 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:57:08.591160059 CET | 443 | 49704 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:57:08.591238976 CET | 443 | 49704 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:57:08.591245890 CET | 49704 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:57:08.591264963 CET | 443 | 49704 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:57:09.609468937 CET | 49705 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:57:09.609519958 CET | 443 | 49705 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:57:09.609601021 CET | 49705 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:57:09.671768904 CET | 49705 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:57:09.671787977 CET | 443 | 49705 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:57:09.671844006 CET | 443 | 49705 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:57:09.671849012 CET | 49705 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:57:09.671858072 CET | 443 | 49705 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:57:10.685132027 CET | 49706 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:57:10.685167074 CET | 443 | 49706 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:57:10.685261011 CET | 49706 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:57:10.752799988 CET | 49706 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:57:10.752824068 CET | 443 | 49706 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:57:10.752871037 CET | 49706 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:57:10.752876997 CET | 443 | 49706 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:57:10.752924919 CET | 443 | 49706 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:57:11.767685890 CET | 49707 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:57:11.767725945 CET | 443 | 49707 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:57:11.767807961 CET | 49707 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:57:11.849766016 CET | 49707 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:57:11.849787951 CET | 443 | 49707 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:57:11.849853039 CET | 49707 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:57:11.849859953 CET | 443 | 49707 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:57:11.849894047 CET | 443 | 49707 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:13.825732946 CET | 49830 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:13.825747967 CET | 443 | 49830 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:13.825817108 CET | 49830 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:13.887150049 CET | 49830 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:13.887166023 CET | 443 | 49830 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:13.887217999 CET | 49830 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:13.887223005 CET | 443 | 49830 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:13.887274027 CET | 443 | 49830 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:14.903908014 CET | 49831 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:58:14.904010057 CET | 443 | 49831 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:58:14.904104948 CET | 49831 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:58:14.953488111 CET | 49831 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:58:14.953528881 CET | 443 | 49831 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:58:14.953632116 CET | 443 | 49831 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:58:15.966931105 CET | 49835 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:15.967015982 CET | 443 | 49835 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:15.967107058 CET | 49835 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:16.044840097 CET | 49835 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:16.044878960 CET | 443 | 49835 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:16.044960976 CET | 49835 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:16.044972897 CET | 443 | 49835 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:16.045011044 CET | 443 | 49835 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:17.060699940 CET | 49838 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.060801983 CET | 443 | 49838 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:17.060910940 CET | 49838 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.119157076 CET | 49838 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.119189024 CET | 443 | 49838 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:17.119256020 CET | 49838 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.119261980 CET | 443 | 49838 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:17.119304895 CET | 443 | 49838 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:17.126014948 CET | 49839 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:17.126044035 CET | 443 | 49839 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:17.126133919 CET | 49839 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:17.195209026 CET | 49839 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:17.195223093 CET | 443 | 49839 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:17.195280075 CET | 49839 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:58:17.195283890 CET | 443 | 49839 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:17.195362091 CET | 443 | 49839 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:58:17.205153942 CET | 49840 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:58:17.205177069 CET | 443 | 49840 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:58:17.205307961 CET | 49840 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:58:17.286787987 CET | 49840 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:58:17.286798954 CET | 443 | 49840 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:58:17.286865950 CET | 49840 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:58:17.286870956 CET | 443 | 49840 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:58:17.287019968 CET | 443 | 49840 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:58:17.295407057 CET | 49841 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:17.295507908 CET | 443 | 49841 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:17.295614958 CET | 49841 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:17.402021885 CET | 49841 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:17.402095079 CET | 443 | 49841 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:17.402153015 CET | 443 | 49841 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:17.402184963 CET | 49841 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:58:17.402259111 CET | 443 | 49841 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:58:17.411962032 CET | 49843 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.412045956 CET | 443 | 49843 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:17.412153006 CET | 49843 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.476381063 CET | 49843 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.476433992 CET | 443 | 49843 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:17.476486921 CET | 443 | 49843 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:58:17.476515055 CET | 49843 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:58:17.476553917 CET | 443 | 49843 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:59:18.607034922 CET | 49981 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:59:18.607055902 CET | 443 | 49981 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:59:18.607127905 CET | 49981 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:59:18.664290905 CET | 49981 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:59:18.664305925 CET | 443 | 49981 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:59:18.664355993 CET | 49981 | 443 | 192.168.2.5 | 34.34.145.103 |
Dec 24, 2024 20:59:18.664396048 CET | 443 | 49981 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:59:18.664480925 CET | 443 | 49981 | 34.34.145.103 | 192.168.2.5 |
Dec 24, 2024 20:59:19.927069902 CET | 49985 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:59:19.927100897 CET | 443 | 49985 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:59:19.927150011 CET | 49985 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:59:20.009982109 CET | 49985 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:59:20.009995937 CET | 443 | 49985 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:59:20.010052919 CET | 49985 | 443 | 192.168.2.5 | 34.169.99.17 |
Dec 24, 2024 20:59:20.010062933 CET | 443 | 49985 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:59:20.010066986 CET | 443 | 49985 | 34.169.99.17 | 192.168.2.5 |
Dec 24, 2024 20:59:21.029668093 CET | 49988 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:59:21.029717922 CET | 443 | 49988 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:59:21.029848099 CET | 49988 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:59:21.083789110 CET | 49988 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:59:21.083818913 CET | 443 | 49988 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:59:21.083883047 CET | 49988 | 443 | 192.168.2.5 | 34.83.67.185 |
Dec 24, 2024 20:59:21.083923101 CET | 443 | 49988 | 34.83.67.185 | 192.168.2.5 |
Dec 24, 2024 20:59:22.091464996 CET | 49991 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:59:22.091528893 CET | 443 | 49991 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:59:22.091618061 CET | 49991 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:59:22.135468960 CET | 49991 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:59:22.135502100 CET | 443 | 49991 | 35.195.45.98 | 192.168.2.5 |
Dec 24, 2024 20:59:22.135580063 CET | 49991 | 443 | 192.168.2.5 | 35.195.45.98 |
Dec 24, 2024 20:59:22.135622978 CET | 443 | 49991 | 35.195.45.98 | 192.168.2.5 |
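The alert and connection tables above show the same four hosts on TCP/443 contacted in the same order in each round, about a second apart, with the rounds themselves roughly a minute apart. The Python below is an added example, not part of the Joe Sandbox report: it parses the eight IDS alert rows from the table above (pasted inline as constructed input), extracts the distinct C2 endpoints, measures the per-destination beacon interval, and renders the endpoints as Suricata rules. The `sid` range starting at 9000001 and the rule `msg` text are placeholders chosen for this example.

```python
"""Turn the report's IDS alert rows into C2 indicators and a beacon cadence."""
from collections import defaultdict
from datetime import datetime

# Constructed input: the eight "Danabot Key Exchange Request" rows from the
# report's alert table, copied as flattened pipe-separated text.
ALERT_TABLE = """\
2024-12-24T20:58:13.887150+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49830 | 34.34.145.103 | 443 | TCP
2024-12-24T20:58:14.953488+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49831 | 34.169.99.17 | 443 | TCP
2024-12-24T20:58:16.044840+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49835 | 34.83.67.185 | 443 | TCP
2024-12-24T20:58:17.119157+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49838 | 35.195.45.98 | 443 | TCP
2024-12-24T20:59:18.664291+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49981 | 34.34.145.103 | 443 | TCP
2024-12-24T20:59:20.009982+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49985 | 34.169.99.17 | 443 | TCP
2024-12-24T20:59:21.083789+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49988 | 34.83.67.185 | 443 | TCP
2024-12-24T20:59:22.135469+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.5 | 49991 | 35.195.45.98 | 443 | TCP
"""


def parse_alerts(table):
    """Parse pipe-separated alert rows; header and separator lines are skipped."""
    alerts = []
    for line in table.splitlines():
        cols = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cols) < 9 or not cols[0][:4].isdigit():
            continue
        alerts.append({
            # %z accepts the "+0100" offset form used in the report
            "ts": datetime.strptime(cols[0], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(cols[1]),
            "msg": cols[2],
            "src": cols[4], "sport": int(cols[5]),
            "dst": cols[6], "dport": int(cols[7]),
            "proto": cols[8].lower(),
        })
    return alerts


def c2_endpoints(alerts):
    """Distinct (ip, port, proto) tuples the sandbox host alerted on."""
    return sorted({(a["dst"], a["dport"], a["proto"]) for a in alerts})


def beacon_intervals(alerts):
    """Seconds between successive alerts to the same destination."""
    stamps = defaultdict(list)
    for a in alerts:
        stamps[a["dst"]].append(a["ts"])
    gaps = {}
    for dst, ts in stamps.items():
        ts.sort()
        gaps[dst] = [(later - earlier).total_seconds()
                     for earlier, later in zip(ts, ts[1:])]
    return gaps


def suricata_rules(alerts, base_sid=9000001):
    """One alert rule per C2 endpoint. The sid range is a placeholder."""
    rules = []
    for i, (ip, port, proto) in enumerate(c2_endpoints(alerts)):
        rules.append(
            f"alert {proto} $HOME_NET any -> {ip} {port} "
            f'(msg:"DanaBot C2 from sandbox report"; flow:to_server; '
            f"sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_TABLE)
    for dst, gaps in beacon_intervals(alerts).items():
        print(dst, [round(g, 1) for g in gaps])
    print("\n".join(suricata_rules(alerts)))
```

Every destination comes back with a single gap of about 65 seconds. Note that the connection table also records an earlier round at 20:57:08 to 20:57:11 (source ports 49704 to 49707) for which no alert row exists, so the signature fired only from the second round on; a cadence derived from alerts alone undercounts the contacts, and the connection table is the better source for first-contact time.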
Target ID: | 0 |
Start time: | 14:57:01 |
Start date: | 24/12/2024 |
Path: | C:\Users\user\Desktop\gfehgfwveg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 4'276'224 bytes |
MD5 hash: | 43EC2649E1B173B6E8B3800E18CCEEB4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 2 |
Start time: | 14:57:04 |
Start date: | 24/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 14:57:04 |
Start date: | 24/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 14:57:04 |
Start date: | 24/12/2024 |
Path: | C:\Windows\SysWOW64\wbem\WMIC.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2c0000 |
File size: | 427'008 bytes |
MD5 hash: | E2DE6500DE1148C7F6027AD50AC8B891 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 17.2% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 6.8% |
Total number of Nodes: | 571 |
Total number of Limit Nodes: | 16 |
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow graph |
---|---|---|---|---|---|---|
034E525C | 7.0 | 2 | 2 | 36 | library, loader, COMMON | yes |
0302E2C8 | 3.1 | 2 | | 63 | COMMON | yes |
0302E190 | 3.0 | 2 | | 33 | file, COMMON | yes |
0302DDB4 | 28.2 | 12 | 4 | 173 | registry, COMMON | yes |
03025D58 | 12.2 | 8 | | 221 | sleep, COMMON | yes |
03025F50 | 10.9 | 7 | | 406 | COMMON | yes |
030259D4 | 9.0 | 7 | | 298 | sleep, COMMON | yes |
031CBDBC | 3.5 | 1 | 1 | 38 | memory, COMMON | yes |
0302E394 | 3.1 | 2 | | 93 | COMMON | yes |
0302E4B8 | 3.1 | 2 | | 55 | library, COMMON | yes |
03509144 | 3.0 | 2 | | 12 | network, COMMON | yes |
03029D58 | 1.5 | 1 | | 48 | thread, COMMON | yes |
0302D244 | 1.5 | 1 | | 26 | COMMON | yes |
030256B8 | 1.3 | 1 | | 41 | memory, COMMON | yes |
0302DBC4 | 15.9 | 6 | 3 | 140 | string, library, file, COMMON | |
034E583C | 8.9 | 3 | 2 | 127 | library, COMMON | |
0302D768 | 4.6 | 3 | | 99 | COMMON | |
031CC6CC | 42.1 | 12 | 12 | 112 | library, COMMON | |
030287A8 | 14.1 | 5 | 3 | 63 | library, loader, COMMON | |
030317B0 | 13.8 | 9 | | 258 | COMMON | |
03029AF4 | 10.5 | 4 | 2 | 40 | file, COMMON | |
031CC654 | 10.5 | 3 | 3 | 10 | library, COMMON | |
0302D964 | 6.1 | 4 | | 95 | thread, COMMON | |