Windows
Analysis Report
stk.dll
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- loaddll64.exe (PID: 2984 cmdline: loaddll64.exe "C:\Users\user\Desktop\stk.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3816 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\stk.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 4448 cmdline: rundll32.exe "C:\Users\user\Desktop\stk.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 6016 cmdline: c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,7295 MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 2092 cmdline: rundll32.exe C:\Users\user\Desktop\stk.dll,Init MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 3808 cmdline: c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,6138 MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 3796 cmdline: c:\windows\system32\rundll32.exe "C:\Users\user\AppData\Local\Temp\PTOAuthEx.dll",Init hmc,5329 MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T02:49:48.761319+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49703 | 172.67.69.236 | 443 | TCP |
2025-03-17T02:49:51.725612+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49705 | 172.67.69.236 | 443 | TCP |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Window detected: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Special instruction interceptor: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Anti Debugging |
---|
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior |
Source: | Handle closed: | ||
Source: | Handle closed: | ||
Source: | Handle closed: |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | Jump to behavior |
Source: | NtSetInformationThread: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtSetInformationThread: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtClose: | |||
Source: | NtSetInformationProcess: | Jump to behavior | ||
Source: | NtQueryInformationProcess: | Jump to behavior | ||
Source: | NtQueryInformationProcess: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior | ||
Source: | NtQueryInformationProcess: | Jump to behavior | ||
Source: | NtProtectVirtualMemory: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 12 Virtualization/Sandbox Evasion | 1 Credential API Hooking | 311 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 111 Process Injection | LSASS Memory | 12 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 111 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
42% | Virustotal | Browse | ||
22% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
7% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
auth.patched.to | 172.67.69.236 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.69.236 | auth.patched.to | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1640273 |
Start date and time: | 2025-03-17 02:47:48 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 24s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | stk.dll |
Detection: | MAL |
Classification: | mal88.evad.winDLL@14/1@1/1 |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 23.199.214.10, 20.190.159.131, 2.19.122.30
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
21:49:48 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
172.67.69.236 | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
auth.patched.to | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
CLOUDFLARENETUS | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
CLOUDFLARENETUS | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
CLOUDFLARENETUS | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
CLOUDFLARENETUS | Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse |
CLOUDFLARENETUS | Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse |
CLOUDFLARENETUS | Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Latrodectus, LummaC Stealer | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | CobaltStrike | Browse |
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
Process: | C:\Windows\System32\rundll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 923136 |
Entropy (8bit): | 7.914890739598155 |
Encrypted: | false |
SSDEEP: | 24576:YorBV6NfBR73yzmt9hao0OvQ1Y6uInOyY:5ifB1yGaMQXnO |
MD5: | CAE32DD0E5196AD1BBF0B3C49691EF28 |
SHA1: | 6258071DDC5583B2CA96B3AFC04EF6F2148181F5 |
SHA-256: | E1D01ACA1736C2B469A92EBDBF1ED000169A357D83A7E1B9AADDA03E990C7BF7 |
SHA-512: | 71B7029CFE7ECC5AE57C365565AFB4EAC8359E4BAE26C722E9CB18613E305A6E999F9D1E3E6544252CDBF1BA8CC60D1339CCA1F4731BCDC0424BE3CCDEFD5506 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.869288162468326 |
TrID: |
|
File name: | stk.dll |
File size: | 5'388'288 bytes |
MD5: | 14e800e2bd120aa901d6ad64d4cb2e0d |
SHA1: | 1c0e573414c9203d21ffaaf0f0e1f7e1ac2c2ef1 |
SHA256: | fdb66a946c59598ecc3cb143c16582b442ec3642b0df1bb025d9eda304ca2236 |
SHA512: | 81f6f28c1856a35ebae86ccf268ece3abc6a41386f363d919cee1b101af31bdf5a769975652d82d9d2df0e70494d2d1b6086b7341fe62e04476792b382377592 |
SSDEEP: | 98304:P4BletPVjYYoBSOsxglL0vDtqZpFJrQe/lZbJquCKSY/j3bq2tAG5D8B+ZnPF:GOjUsx6L0vJqZL9QeLJqILqI5x |
TLSH: | F04623CB18BBC2F5CC834964D65E1D449EE4D47CC3A9793830CA280BA5BBDA581CE776 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....,g.........." ...)..............x...................................................`................................ |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x1807885b0 |
Entrypoint Section: | .pzT |
Digitally signed: | false |
Imagebase: | 0x180000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x672CBB9A [Thu Nov 7 13:07:38 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 9e5b39b8c7d85940f81712ccd1ea65c6 |
Instruction |
---|
call 00007FC800C72A5Bh |
clc |
call 00007FC7D434FAFBh |
cmpsd |
hlt |
retf |
pop eax |
jmp 00007FC800DCD638h |
les ecx, ebx |
pop eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e2248 | 0x3f | .pzT |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6904f8 | 0x50 | .pzT |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x8f4b70 | 0x5418 | .pzT |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8fa000 | 0x58 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8f4a30 | 0x140 | .pzT |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3d6000 | 0x30 | .>O" |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2e174 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x30000 | 0xf2058 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x123000 | 0x2d38 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x126000 | 0x2b98 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.IP3 | 0x129000 | 0x2acfd8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.>O" | 0x3d6000 | 0x60 | 0x200 | 277e2cdb6f7b886b62331f45d26d79b9 | False | 0.05078125 | data | 0.1833387916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pzT | 0x3d7000 | 0x522f88 | 0x523000 | 547958910b75896f701a7c2178b33358 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x8fa000 | 0x58 | 0x200 | 93a71c14cf058bb3d6cffb82726743fc | False | 0.16796875 | data | 0.9708175080753592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
KERNEL32.dll | WriteFile |
SHLWAPI.dll | PathMatchSpecW |
ntdll.dll | RtlCaptureContext |
Name | Ordinal | Address |
---|---|---|
Init | 1 | 0x18000dc00 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T02:49:48.761319+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49703 | 172.67.69.236 | 443 | TCP |
2025-03-17T02:49:51.725612+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.16 | 49705 | 172.67.69.236 | 443 | TCP |
- Total Packets: 21
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2025 02:49:47.590724945 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:47.590764999 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:47.590852976 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.291430950 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.291462898 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.761219025 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.761318922 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.796641111 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.796662092 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.796854973 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.798948050 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.798974991 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.798979044 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.919038057 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.919095993 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.919153929 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.919399023 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.919408083 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:48.919420004 CET | 49703 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:48.919425011 CET | 443 | 49703 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.248087883 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.248122931 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.248234034 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.250375032 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.250391960 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.725400925 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.725611925 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.775381088 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.775394917 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.775588036 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.777138948 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.777153969 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.777158976 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.912969112 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.913029909 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.913121939 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.915046930 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.915062904 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Mar 17, 2025 02:49:51.915111065 CET | 49705 | 443 | 192.168.2.16 | 172.67.69.236 |
Mar 17, 2025 02:49:51.915119886 CET | 443 | 49705 | 172.67.69.236 | 192.168.2.16 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2025 02:49:47.577632904 CET | 58485 | 53 | 192.168.2.16 | 1.1.1.1 |
Mar 17, 2025 02:49:47.586819887 CET | 53 | 58485 | 1.1.1.1 | 192.168.2.16 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2025 02:49:47.577632904 CET | 192.168.2.16 | 1.1.1.1 | 0x62cb | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2025 02:49:47.586819887 CET | 1.1.1.1 | 192.168.2.16 | 0x62cb | No error (0) | 172.67.69.236 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 02:49:47.586819887 CET | 1.1.1.1 | 192.168.2.16 | 0x62cb | No error (0) | 104.26.14.16 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 02:49:47.586819887 CET | 1.1.1.1 | 192.168.2.16 | 0x62cb | No error (0) | 104.26.15.16 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.16 | 49703 | 172.67.69.236 | 443 | 3796 | C:\Windows\System32\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 01:49:48 UTC | 176 | OUT | |
2025-03-17 01:49:48 UTC | 304 | OUT | |
2025-03-17 01:49:48 UTC | 1038 | IN | |
2025-03-17 01:49:48 UTC | 16 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.16 | 49705 | 172.67.69.236 | 443 | 6016 | C:\Windows\System32\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 01:49:51 UTC | 179 | OUT | |
2025-03-17 01:49:51 UTC | 304 | OUT | |
2025-03-17 01:49:51 UTC | 1050 | IN | |
2025-03-17 01:49:51 UTC | 16 | IN |
Target ID: | 0 |
Start time: | 21:48:19 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\loaddll64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff76a5d0000 |
File size: | 165'888 bytes |
MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 1 |
Start time: | 21:48:19 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6aa7d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 2 |
Start time: | 21:48:19 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7d5190000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 3 |
Start time: | 21:48:19 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619460000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 4 |
Start time: | 21:48:19 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619460000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 5 |
Start time: | 21:48:20 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619460000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 6 |
Start time: | 21:48:20 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619460000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 7 |
Start time: | 21:48:22 |
Start date: | 16/03/2025 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619460000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |