Windows
Analysis Report
TeikwYB2tm.exe
Overview
General Information
Sample name: | TeikwYB2tm.exe (renamed because original name is a hash value) |
Original sample name: | 72b6b07175ef611ce7daa959a1248aae.exe |
Analysis ID: | 1581418 |
MD5: | 72b6b07175ef611ce7daa959a1248aae |
SHA1: | bee9d33d83c98a7c2c3c9d0eb671fa1d53328378 |
SHA256: | 8e6ae3b356d2205296fec0761daa461a311190e50e0e611699ebb4aad6e6cd77 |
Tags: | DanaBot, exe, user-abuse_ch |
Infos: | |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- TeikwYB2tm.exe (PID: 3180, cmdline: "C:\Users\user\Desktop\TeikwYB2tm.exe", MD5: 72B6B07175EF611CE7DAA959A1248AAE)
- cmd.exe (PID: 3652, cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 6036, cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value, MD5: E2DE6500DE1148C7F6027AD50AC8B891)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DanaBot | Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. | | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T15:20:07.246361+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49772 | 188.132.183.159 | 443 | TCP |
2024-12-27T15:20:08.319027+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49773 | 206.206.125.221 | 443 | TCP |
2024-12-27T15:20:09.414745+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49779 | 94.131.118.216 | 443 | TCP |
2024-12-27T15:20:10.510034+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49780 | 188.132.183.159 | 443 | TCP |
2024-12-27T15:21:12.075984+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 188.132.183.159 | 443 | TCP |
2024-12-27T15:21:13.334248+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49921 | 206.206.125.221 | 443 | TCP |
2024-12-27T15:21:14.422566+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49922 | 94.131.118.216 | 443 | TCP |
2024-12-27T15:21:15.511492+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49928 | 188.132.183.159 | 443 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | File source: (3 entries) |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0303E190, 0_2_0303DBC4 |
Source: | File opened: (6 entries) |
Networking |
---|
Source: | Suricata IDS: (8 entries) |
Source: | ASN Name: (3 entries) |
Source: | TCP traffic detected without corresponding DNS query: (50 entries) |
Source: | String found in binary or memory: (6 entries) |
Source: | Network traffic detected: (32 entries) |
E-Banking Fraud |
---|
Source: | File source: (3 entries) |
Source: | Code function: | 0_2_034F5340 |
Source: | Static PE information: |
Source: | Binary or memory string: (6 entries) |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Key opened: (4 entries) |
Source: | File read: |
Source: | Key opened: |
Source: | Key value created or modified: |
Source: | Binary or memory string: (4 entries) |
Source: | ReversingLabs: |
Source: | Process created: (6 entries) |
Source: | Section loaded: (59 entries) |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_034F5340 |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Binary or memory string: |
Source: | Process information set: (4 entries) |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: (2 entries) |
Source: | Window / User API: |
Source: | System information queried: (4 entries) |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_0303E190, 0_2_0303DBC4 |
Source: | File opened: (6 entries) |
Source: | Binary or memory string: (2 entries) |
Source: | API call chain: | graph_0-2790 |
Source: | Process information queried: |
Source: | Code function: | 0_2_034F5340 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: (2 entries) |
Source: | Binary or memory string: (2 entries) |
Source: | Code function: | 0_2_0303E2C8, 0_2_0303D768 |
Source: | Registry key value queried: (27 entries) |
Source: | Key value queried: (2 entries) |
Source: | Queries volume information: |
Source: | Code function: | 0_2_034F5920 |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: (3 entries) |
Source: | File source: (2 entries) |
Remote Access Functionality |
---|
Source: | File source: (3 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Multi-hop Proxy | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Proxy | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 153 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
71% | ReversingLabs | Win32.Trojan.Danabot | ||
100% | Avira | TR/ATRAPS.Gen | ||
100% | Joe Sandbox ML |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
188.132.183.159 | unknown | Turkey | 42910 | PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | true |
206.206.125.221 | unknown | United States | 13332 | HYPEENT-SJUS | true |
94.131.118.216 | unknown | Ukraine | 29632 | NASSIST-ASGI | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1581418 |
Start date and time: | 2024-12-27 15:18:03 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | TeikwYB2tm.exe (renamed because original name is a hash value) |
Original Sample Name: | 72b6b07175ef611ce7daa959a1248aae.exe |
Detection: | MAL |
Classification: | mal88.troj.evad.winEXE@6/0@0/3 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: TeikwYB2tm.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
188.132.183.159 | Get hash | malicious | DanaBot | Browse | ||
Get hash | malicious | DanaBot | Browse | |||
206.206.125.221 | Get hash | malicious | DanaBot | Browse | ||
Get hash | malicious | DanaBot | Browse | |||
94.131.118.216 | Get hash | malicious | DanaBot | Browse | ||
Get hash | malicious | DanaBot | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
NASSIST-ASGI | Get hash | malicious | DanaBot | Browse | ||
Get hash | malicious | DanaBot | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | ScreenConnect Tool | Browse | |||
Get hash | malicious | ScreenConnect Tool | Browse | |||
Get hash | malicious | ScreenConnect Tool | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
HYPEENT-SJUS | Get hash | malicious | DanaBot | Browse | ||
Get hash | malicious | DanaBot | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Ducktail | Browse | |||
Get hash | malicious | Ducktail | Browse | |||
Get hash | malicious | RDPWrap Tool, Ducktail | Browse | |||
Get hash | malicious | Ducktail | Browse | |||
Get hash | malicious | Ducktail | Browse | |||
Get hash | malicious | Ducktail | Browse | |||
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | Get hash | malicious | DanaBot | Browse | ||
Get hash | malicious | DanaBot | Browse | |||
Get hash | malicious | Mirai, Okiru | Browse | |||
Get hash | malicious | Mirai, Okiru | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Get hash | malicious | FormBook, GuLoader | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Get hash | malicious | Unknown | Browse | |||
File type: | |
Entropy (8bit): | 7.796835542143392 |
TrID: | |
File name: | TeikwYB2tm.exe |
File size: | 4'277'248 bytes |
MD5: | 72b6b07175ef611ce7daa959a1248aae |
SHA1: | bee9d33d83c98a7c2c3c9d0eb671fa1d53328378 |
SHA256: | 8e6ae3b356d2205296fec0761daa461a311190e50e0e611699ebb4aad6e6cd77 |
SHA512: | 56f0ee5ba99a55f05bfea0252b544d6dcac6cc22dbf430e228babd1520a14ea76429fcc8f67bcc0425f8d573211a1d1b47ba6164c136d8c2a85a26030cae9f52 |
SSDEEP: | 98304:h+Dc6yHfpXZa1ZUVTZ2zsFi840WiRoYIUF4ZxStM3bQR:w9ylZIUVt2zd8rnH4jStM3bg |
TLSH: | C016F122F64C667EE19F0E3A5477B590993F77A2A996DC1B47F00848CF358C0263A64F |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x7eee00 |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x676939AA [Mon Dec 23 10:21:30 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 29e05b1fea10173c5bcc5ba6150988ec |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFE4h |
xor eax, eax |
mov dword ptr [ebp-1Ch], eax |
mov dword ptr [ebp-18h], eax |
mov eax, 007EA0C0h |
call 00007FC330B4FECDh |
xor eax, eax |
push ebp |
push 007EEF1Dh |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
call 00007FC330F28E2Eh |
cmp eax, 000000FAh |
jnl 00007FC330F2E8C2h |
call 00007FC330F28E7Ah |
cmp eax, 78h |
jnl 00007FC330F2E8B4h |
mov dword ptr [007FCFA0h], 00000001h |
mov dword ptr [007FCF9Ch], 001DBCD7h |
mov eax, dword ptr [007FCF9Ch] |
mov dword ptr [007FCFA4h], eax |
mov eax, dword ptr [007FCF9Ch] |
test eax, eax |
jl 00007FC330F2E81Eh |
inc eax |
mov dword ptr [ebp-14h], eax |
mov dword ptr [007FCF98h], 00000000h |
inc dword ptr [007FCFA0h] |
dec dword ptr [007FCFA4h] |
push 00000000h |
call 00007FC330B67EC9h |
inc dword ptr [007FCF98h] |
dec dword ptr [ebp-14h] |
jne 00007FC330F2E7D4h |
cmp dword ptr [007FCFA4h], FFFFFFFFh |
jne 00007FC330F2E854h |
lea edx, dword ptr [ebp-18h] |
mov ax, 0063h |
call 00007FC330F29155h |
mov eax, dword ptr [ebp-18h] |
mov edx, 007EEF38h |
call 00007FC330B4A3FCh |
je 00007FC330F2E839h |
call 00007FC330F29395h |
cmp eax, 0Ah |
jbe 00007FC330F2E82Fh |
call 00007FC330F393ABh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x400000 | 0x9a | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3fd000 | 0x16c6 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41d000 | 0x3600 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x403000 | 0x191bc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x402000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3fd4cc | 0x364 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3ff000 | 0x278 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3ec91c | 0x3eca00 | 8a51d5ea5128862e1a11e09561809d2b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x3ee000 | 0xf50 | 0x1000 | 3ff4032e721470ab7fd9881c45fc2fa7 | False | 0.55859375 | data | 6.1659912557301615 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x3ef000 | 0x7d68 | 0x7e00 | 76a1a3204a87221df8dd865bb47ca72b | False | 0.5639880952380952 | data | 6.352731899166621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x3f7000 | 0x5fac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x3fd000 | 0x16c6 | 0x1800 | f83dfbc7a8d8169726b5b3aba8787951 | False | 0.3240559895833333 | data | 4.895786587173563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x3ff000 | 0x278 | 0x400 | 7a0cace727c21d6b42ac476919254aa3 | False | 0.26953125 | firmware 100 v0 (revision 2733719296) X\361? , version 54304.16640.10270 (region 2297446144), 0 bytes or less, UNKNOWN1 0x88f03f00, at 0 0 bytes , at 0 0 bytes , at 0x60524000 3629203456 bytes | 2.7239518130953684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x400000 | 0x9a | 0x200 | a0c88ba38b9aab7813e23cf8cd967014 | False | 0.251953125 | data | 1.7841898411372727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x401000 | 0x20 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x402000 | 0x5c | 0x200 | 610e9cb9d596ddf3f8481c9e9885e5fe | False | 0.1875 | data | 1.343433641850296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x403000 | 0x191bc | 0x19200 | d5512eb7671fdcd3f815b8d69f577e2c | False | 0.5867828824626866 | data | 6.708593676418638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x41d000 | 0x3600 | 0x3600 | 4125734278c336b919f44073caff1eb1 | False | 0.2890625 | data | 3.700113224189507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_STRING | 0x41d368 | 0x4e0 | data | | | 0.3333333333333333 |
RT_STRING | 0x41d848 | 0x310 | data | | | 0.35331632653061223 |
RT_STRING | 0x41db58 | 0x330 | data | | | 0.39215686274509803 |
RT_STRING | 0x41de88 | 0x4c4 | data | | | 0.3983606557377049 |
RT_STRING | 0x41e34c | 0x4ac | data | | | 0.32274247491638797 |
RT_STRING | 0x41e7f8 | 0x3b4 | data | | | 0.3628691983122363 |
RT_STRING | 0x41ebac | 0x440 | data | | | 0.38235294117647056 |
RT_STRING | 0x41efec | 0x21c | data | | | 0.40555555555555556 |
RT_STRING | 0x41f208 | 0xbc | data | | | 0.6542553191489362 |
RT_STRING | 0x41f2c4 | 0x100 | data | | | 0.62890625 |
RT_STRING | 0x41f3c4 | 0x338 | data | | | 0.4223300970873786 |
RT_STRING | 0x41f6fc | 0x478 | data | | | 0.29895104895104896 |
RT_STRING | 0x41fb74 | 0x354 | data | | | 0.4107981220657277 |
RT_STRING | 0x41fec8 | 0x2b8 | data | | | 0.4367816091954023 |
RT_RCDATA | 0x420180 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0x420190 | 0x3a4 | data | | | 0.6030042918454935 |
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
user32.dll | CharNextW, LoadStringW |
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle |
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary |
user32.dll | CreateWindowExW, UpdateWindow, TranslateMessage, SystemParametersInfoW, ShowWindow, RegisterClassW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, GetMessageW, EndPaint, DispatchMessageW, DefWindowProcW, CharUpperBuffW, CharUpperW, CharLowerBuffW, BeginPaint |
gdi32.dll | SetBkColor, Rectangle |
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, SwitchToThread, SuspendThread, Sleep, SetThreadPriority, SetLastError, SetFileTime, SetFilePointer, SetEvent, SetEndOfFile, ResumeThread, ResetEvent, ReleaseSemaphore, ReadFile, RaiseException, QueryDosDeviceW, IsDebuggerPresent, MapViewOfFile, LocalFree, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GetVolumeInformationW, GetVersionExW, GetTimeZoneInformation, GetTickCount64, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeLibrary, FormatMessageW, FlushInstructionCache, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateSemaphoreA, CreateProcessW, CreatePipe, CreateFileMappingW, CreateFileW, CreateEventA, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle |
kernel32.dll | Sleep |
netapi32.dll | NetApiBufferFree, NetWkstaGetInfo |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
oleaut32.dll | GetErrorInfo, SysFreeString |
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize |
msvcrt.dll | memset, memmove, memcpy |
msvcrt.dll | _beginthreadex |
winmm.dll | waveOutGetVolume |
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 3 | 0x782574 |
__dbk_fcall_wrapper | 2 | 0x4103c4 |
dbkFCallWrapperAddr | 1 | 0x7fa630 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T15:20:07.246361+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49772 | 188.132.183.159 | 443 | TCP |
2024-12-27T15:20:08.319027+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49773 | 206.206.125.221 | 443 | TCP |
2024-12-27T15:20:09.414745+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49779 | 94.131.118.216 | 443 | TCP |
2024-12-27T15:20:10.510034+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49780 | 188.132.183.159 | 443 | TCP |
2024-12-27T15:21:12.075984+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49917 | 188.132.183.159 | 443 | TCP |
2024-12-27T15:21:13.334248+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49921 | 206.206.125.221 | 443 | TCP |
2024-12-27T15:21:14.422566+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49922 | 94.131.118.216 | 443 | TCP |
2024-12-27T15:21:15.511492+0100 | 2034465 | ET MALWARE Danabot Key Exchange Request | 1 | 192.168.2.4 | 49928 | 188.132.183.159 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 27, 2024 15:19:01.670161963 CET | 49730 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:19:01.670274973 CET | 443 | 49730 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:19:01.670485020 CET | 49730 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:19:01.736696005 CET | 49730 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:19:01.736759901 CET | 443 | 49730 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:19:01.736819983 CET | 443 | 49730 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:19:02.810554981 CET | 49731 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:19:02.810623884 CET | 443 | 49731 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:19:02.810708046 CET | 49731 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:19:02.975316048 CET | 49731 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:19:02.975367069 CET | 443 | 49731 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:19:02.975428104 CET | 443 | 49731 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:19:03.989809036 CET | 49732 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:19:03.989857912 CET | 443 | 49732 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:19:03.990012884 CET | 49732 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:19:04.091602087 CET | 49732 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:19:04.091662884 CET | 443 | 49732 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:19:04.091726065 CET | 443 | 49732 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:19:04.091730118 CET | 49732 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:19:04.091753960 CET | 443 | 49732 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:19:05.114425898 CET | 49733 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:19:05.114494085 CET | 443 | 49733 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:19:05.114821911 CET | 49733 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:19:05.197654963 CET | 49733 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:19:05.197684050 CET | 443 | 49733 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:19:05.197695971 CET | 49733 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:19:05.197701931 CET | 443 | 49733 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:19:05.197741032 CET | 443 | 49733 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:07.161627054 CET | 49772 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:07.161649942 CET | 443 | 49772 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:07.161746025 CET | 49772 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:07.246361017 CET | 49772 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:07.246372938 CET | 443 | 49772 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:07.246433020 CET | 443 | 49772 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:07.246447086 CET | 49772 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:07.246455908 CET | 443 | 49772 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:08.255049944 CET | 49773 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:08.255094051 CET | 443 | 49773 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:08.255153894 CET | 49773 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:08.319026947 CET | 49773 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:08.319046974 CET | 443 | 49773 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:08.319078922 CET | 443 | 49773 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:08.319099903 CET | 49773 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:08.319113016 CET | 443 | 49773 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:09.333028078 CET | 49779 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:20:09.333066940 CET | 443 | 49779 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:20:09.333142996 CET | 49779 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:20:09.414745092 CET | 49779 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:20:09.414782047 CET | 443 | 49779 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:20:09.414809942 CET | 443 | 49779 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:20:09.414854050 CET | 49779 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:20:09.414869070 CET | 443 | 49779 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:20:10.432426929 CET | 49780 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.432481050 CET | 443 | 49780 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.432576895 CET | 49780 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.510034084 CET | 49780 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.510054111 CET | 443 | 49780 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.510092020 CET | 443 | 49780 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.520472050 CET | 49781 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.520482063 CET | 443 | 49781 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.520555973 CET | 49781 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.591244936 CET | 49781 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.591262102 CET | 443 | 49781 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.591280937 CET | 49781 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.591284990 CET | 443 | 49781 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.591290951 CET | 443 | 49781 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.599145889 CET | 49782 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:10.599186897 CET | 443 | 49782 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:10.599262953 CET | 49782 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:10.658435106 CET | 49782 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:10.658447027 CET | 443 | 49782 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:10.658463955 CET | 49782 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:20:10.658473015 CET | 443 | 49782 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:10.658485889 CET | 443 | 49782 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:20:10.666424036 CET | 49783 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:20:10.666440964 CET | 443 | 49783 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:20:10.666517973 CET | 49783 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:20:10.728101015 CET | 49783 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:20:10.728112936 CET | 443 | 49783 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:20:10.728143930 CET | 443 | 49783 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:20:10.736293077 CET | 49784 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.736304045 CET | 443 | 49784 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.736387014 CET | 49784 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.799280882 CET | 49784 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.799289942 CET | 443 | 49784 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.799320936 CET | 443 | 49784 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:20:10.799324989 CET | 49784 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:20:10.799331903 CET | 443 | 49784 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:21:11.992747068 CET | 49917 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:21:11.992775917 CET | 443 | 49917 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:21:11.992924929 CET | 49917 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:21:12.075984001 CET | 49917 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:21:12.076003075 CET | 443 | 49917 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:21:12.076041937 CET | 443 | 49917 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:21:12.076062918 CET | 49917 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:21:12.076075077 CET | 443 | 49917 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:21:13.286688089 CET | 49921 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:21:13.286724091 CET | 443 | 49921 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:21:13.286814928 CET | 49921 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:21:13.334248066 CET | 49921 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:21:13.334269047 CET | 443 | 49921 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:21:13.334311962 CET | 443 | 49921 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:21:13.334351063 CET | 49921 | 443 | 192.168.2.4 | 206.206.125.221 |
Dec 27, 2024 15:21:13.334366083 CET | 443 | 49921 | 206.206.125.221 | 192.168.2.4 |
Dec 27, 2024 15:21:14.349611044 CET | 49922 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:21:14.349648952 CET | 443 | 49922 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:21:14.349725962 CET | 49922 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:21:14.422565937 CET | 49922 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:21:14.422584057 CET | 443 | 49922 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:21:14.422637939 CET | 443 | 49922 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:21:14.422647953 CET | 49922 | 443 | 192.168.2.4 | 94.131.118.216 |
Dec 27, 2024 15:21:14.422660112 CET | 443 | 49922 | 94.131.118.216 | 192.168.2.4 |
Dec 27, 2024 15:21:15.442734003 CET | 49928 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:21:15.442764044 CET | 443 | 49928 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:21:15.442874908 CET | 49928 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:21:15.511492014 CET | 49928 | 443 | 192.168.2.4 | 188.132.183.159 |
Dec 27, 2024 15:21:15.511502981 CET | 443 | 49928 | 188.132.183.159 | 192.168.2.4 |
Dec 27, 2024 15:21:15.511553049 CET | 443 | 49928 | 188.132.183.159 | 192.168.2.4 |
Target ID: | 0 |
Start time: | 09:18:53 |
Start date: | 27/12/2024 |
Path: | C:\Users\user\Desktop\TeikwYB2tm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 4'277'248 bytes |
MD5 hash: | 72B6B07175EF611CE7DAA959A1248AAE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 09:18:57 |
Start date: | 27/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 09:18:57 |
Start date: | 27/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 09:18:57 |
Start date: | 27/12/2024 |
Path: | C:\Windows\SysWOW64\wbem\WMIC.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x650000 |
File size: | 427'008 bytes |
MD5 hash: | E2DE6500DE1148C7F6027AD50AC8B891 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 17.1% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 6.8% |
Total number of Nodes: | 570 |
Total number of Limit Nodes: | 17 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
034F5340 | 7.0 | 2 | 2 | 36 | library, loader, COMMON |
0303E2C8 | 3.1 | 2 | | 63 | COMMON |
0303E190 | 3.0 | 2 | | 33 | file, COMMON |
0303DDB4 | 28.2 | 12 | 4 | 173 | registry, COMMON |
03035D58 | 12.2 | 8 | | 221 | sleep, COMMON |
03035F50 | 10.9 | 7 | | 406 | COMMON |
030359D4 | 9.0 | 7 | | 298 | sleep, COMMON |
031DBF68 | 3.5 | 1 | 1 | 38 | memory, COMMON |
0303E394 | 3.1 | 2 | | 93 | COMMON |
0303E4B8 | 3.1 | 2 | | 55 | library, COMMON |
03519234 | 3.0 | 2 | | 12 | network, COMMON |
03039D58 | 1.5 | 1 | | 48 | thread, COMMON |
0303D244 | 1.5 | 1 | | 26 | COMMON |
030356B8 | 1.3 | 1 | | 41 | memory, COMMON |
0303DBC4 | 15.9 | 6 | 3 | 140 | string, library, file, COMMON |
034F5920 | 8.9 | 3 | 2 | 127 | library, COMMON |
0303D768 | 4.6 | 3 | | 99 | COMMON |
031DC878 | 42.1 | 12 | 12 | 112 | library, COMMON |
030387A8 | 14.1 | 5 | 3 | 63 | library, loader, COMMON |
030417B0 | 13.8 | 9 | | 258 | COMMON |
03039AF4 | 10.5 | 4 | 2 | 40 | file, COMMON |
031DC800 | 10.5 | 3 | 3 | 10 | library, COMMON |
0303D964 | 6.1 | 4 | | 95 | thread, COMMON |