Windows
Analysis Report
btoawpdtjhjawd.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
btoawpdtjhjawd.exe (PID: 6760 cmdline:
"C:\Users\ user\Deskt op\btoawpd tjhjawd.ex e" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
btoawpdtjhjawd.exe (PID: 4716 cmdline:
"C:\Users\ user\AppDa ta\Roaming \btoawpdtj hjawd.exe" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
btoawpdtjhjawd.exe (PID: 7144 cmdline:
"C:\Users\ user\AppDa ta\Roaming \btoawpdtj hjawd.exe" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
btoawpdtjhjawd.exe (PID: 2840 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\bto awpdtjhjaw d.exe" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{
"C2 url": [
"questions-when.gl.at.ply.gg"
],
"Port": 31732,
"Aes key": "<123456789>",
"SPL": "<Neptune>",
"Install file": "USB.exe"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
Click to see the 6 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io |
| |
Click to see the 10 entries |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
- • Stealing of Sensitive Information
- • Remote Access Functionality
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: |
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 121 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 121 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
63% | Virustotal | Browse | ||
75% | ReversingLabs | Win32.Trojan.Jalapeno | ||
100% | Avira | TR/Dropper.Gen |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Dropper.Gen | ||
100% | Avira | TR/Dropper.Gen | ||
75% | ReversingLabs | Win32.Trojan.Jalapeno | ||
75% | ReversingLabs | Win32.Trojan.Jalapeno |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
abolhb.com | 185.172.175.125 | true | false | high | |
questions-when.gl.at.ply.gg | 147.185.221.25 | true | true | unknown | |
raw.githubusercontent.com | 185.199.108.133 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | high | |||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false | |
147.185.221.25 | questions-when.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true | |
185.172.175.125 | abolhb.com | Lithuania | 25780 | HUGESERVER-NETWORKSUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1643456 |
Start date and time: | 2025-03-19 20:32:39 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | btoawpdtjhjawd.exe |
Detection: | MAL |
Classification: | mal100.troj.adwa.evad.winEXE@4/5@3/3 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, sppsvc.exe, SIHCli ent.exe, SgrmBroker.exe, conho st.exe, TextInputHost.exe, svc host.exe - Excluded IPs from analysis (wh
itelisted): 52.149.20.212, 23. 204.23.20 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , otelrules.svc.static.microso ft, ctldl.windowsupdate.com, c .pki.goog, fe3cr.delivery.mp.m icrosoft.com - Execution Graph export aborted
for target btoawpdtjhjawd.exe , PID 2840 because it is empty - Execution Graph export aborted
for target btoawpdtjhjawd.exe , PID 4716 because it is empty - Execution Graph export aborted
for target btoawpdtjhjawd.exe , PID 6760 because it is empty - Execution Graph export aborted
for target btoawpdtjhjawd.exe , PID 7144 because it is empty - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtQueryValueKey calls found. - Report size getting too big, t
oo many NtReadVirtualMemory ca lls found. - Some HTTPS proxied raw data pa
ckets have been limited to 10 per session. Please view the P CAPs for the complete data.
Time | Type | Description |
---|---|---|
20:33:38 | Autostart | |
20:33:46 | Autostart | |
20:33:54 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.199.108.133 | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
147.185.221.25 | Get hash | malicious | XWorm | Browse | ||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | DCRat, SheetRat | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | Salat Stealer, XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
185.172.175.125 | Get hash | malicious | XWorm | Browse | ||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig | Browse | |||
Get hash | malicious | Njrat, XWorm | Browse | |||
Get hash | malicious | Njrat | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
raw.githubusercontent.com | Get hash | malicious | NovaSentinel | Browse |
| |
Get hash | malicious | NovaSentinel | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Xmrig | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
abolhb.com | Get hash | malicious | XWorm | Browse |
| |
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig | Browse |
| ||
Get hash | malicious | Njrat, XWorm | Browse |
| ||
Get hash | malicious | Njrat | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SALSGIVERUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Python Stealer, Exela Stealer, Njrat | Browse |
| ||
Get hash | malicious | PureLog Stealer, XWorm, zgRAT | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | Python Stealer, Blank Grabber, Umbral Stealer, XWorm | Browse |
| ||
HUGESERVER-NETWORKSUS | Get hash | malicious | XWorm | Browse |
| |
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | LummaC Stealer, PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig | Browse |
| ||
Get hash | malicious | Amadey, SystemBC | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Njrat, XWorm | Browse |
| ||
FASTLYUS | Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| |
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | Quasar | Browse |
| |
Get hash | malicious | Meduza Stealer, RHADAMANTHYS | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | Xmrig | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
Process: | C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.380476433908377 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT |
MD5: | 30E4BDFC34907D0E4D11152CAEBE27FA |
SHA1: | 825402D6B151041BA01C5117387228EC9B7168BF |
SHA-256: | A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63 |
SHA-512: | 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\btoawpdtjhjawd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43008 |
Entropy (8bit): | 5.537126868090147 |
Encrypted: | false |
SSDEEP: | 768:RL3Ug+dm8Mlbov04ypZhvfsQhJOgRXQr:RIgH8M/7bOgXQr |
MD5: | 2FB952BB97197CCBEFAB03689724ABF4 |
SHA1: | 113FB94EDB9B11363C4C1390EDA86176767EC76F |
SHA-256: | 4CD99A0C6B436EE6423A6E366F67A60FB41D1BB23943B19F354DE8D9D0E4BE0E |
SHA-512: | DD82C9583C4B92A56F129DE0D585CE4FB95CA9A3B07E8FBBDF36B7F63288DAF2C77740BD4836D5056D49CD53332D632A6B4F6D85AC31537273058547020ACF82 |
Malicious: | true |
Yara Hits: |
|
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\btoawpdtjhjawd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\btoawpdtjhjawd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43008 |
Entropy (8bit): | 5.537126868090147 |
Encrypted: | false |
SSDEEP: | 768:RL3Ug+dm8Mlbov04ypZhvfsQhJOgRXQr:RIgH8M/7bOgXQr |
MD5: | 2FB952BB97197CCBEFAB03689724ABF4 |
SHA1: | 113FB94EDB9B11363C4C1390EDA86176767EC76F |
SHA-256: | 4CD99A0C6B436EE6423A6E366F67A60FB41D1BB23943B19F354DE8D9D0E4BE0E |
SHA-512: | DD82C9583C4B92A56F129DE0D585CE4FB95CA9A3B07E8FBBDF36B7F63288DAF2C77740BD4836D5056D49CD53332D632A6B4F6D85AC31537273058547020ACF82 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\btoawpdtjhjawd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 5.537126868090147 |
TrID: |
|
File name: | btoawpdtjhjawd.exe |
File size: | 43'008 bytes |
MD5: | 2fb952bb97197ccbefab03689724abf4 |
SHA1: | 113fb94edb9b11363c4c1390eda86176767ec76f |
SHA256: | 4cd99a0c6b436ee6423a6e366f67a60fb41d1bb23943b19f354de8d9d0e4be0e |
SHA512: | dd82c9583c4b92a56f129de0d585ce4fb95ca9a3b07e8fbbdf36b7f63288daf2c77740bd4836d5056d49cd53332d632a6b4f6d85ac31537273058547020acf82 |
SSDEEP: | 768:RL3Ug+dm8Mlbov04ypZhvfsQhJOgRXQr:RIgH8M/7bOgXQr |
TLSH: | 9E1319C927D84105C7FD7BF16DB7964202B1DAA30D6BE7DE08C545CB2B67B918A00AE3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.g................................. ........@.. ....................................@................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40bc9e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67D83AA1 [Mon Mar 17 15:07:13 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc4c | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x9ca4 | 0x9e00 | 6fca5ce38d3284cf55146c72361f7f30 | False | 0.4299347310126582 | data | 5.643904854237853 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xc000 | 0x4e8 | 0x600 | 62719f3ac3c1df93131e6a843ae4f0e1 | False | 0.3776041666666667 | data | 3.7448249742341515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xe000 | 0xc | 0x200 | a20f5402e8839ffaa92afd27d9615b45 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0xc0a0 | 0x254 | data | 0.46812080536912754 | ||
RT_MANIFEST | 0xc2f8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5469387755102041 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
FileDescription | |
FileVersion | 1.0.0.0 |
InternalName | MasonClient.exe |
LegalCopyright | |
OriginalFilename | MasonClient.exe |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
Download Network PCAP: filtered – full
- Total Packets: 74
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 19, 2025 20:33:41.524853945 CET | 49692 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:33:42.210135937 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.210180998 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.210339069 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.238147974 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.238167048 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.432277918 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.432385921 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.436582088 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.436609030 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.436882973 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.489336014 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.495527983 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.520606995 CET | 49692 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:33:42.536325932 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.619465113 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.619544029 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.619633913 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.619703054 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.619723082 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.619807959 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.622297049 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.625241041 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.625274897 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.625376940 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.625399113 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.625482082 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.628371954 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.631169081 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.631268024 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.631282091 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.634861946 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.634922028 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.634932041 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.637485981 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.637590885 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.637602091 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.640382051 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.640453100 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.640460968 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.647041082 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.647079945 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.647119999 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.647129059 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.647178888 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.651416063 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.654334068 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.654376984 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.654391050 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.654411077 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.654454947 CET | 443 | 49693 | 185.199.108.133 | 192.168.2.8 |
Mar 19, 2025 20:33:42.654464960 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.654501915 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:42.687639952 CET | 49693 | 443 | 192.168.2.8 | 185.199.108.133 |
Mar 19, 2025 20:33:44.520571947 CET | 49692 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:33:48.520556927 CET | 49692 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:33:48.816066027 CET | 49694 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:33:49.817500114 CET | 49694 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:33:51.817560911 CET | 49694 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:33:55.817441940 CET | 49694 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:33:56.520720959 CET | 49692 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:03.833112955 CET | 49694 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:06.803570032 CET | 49700 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:07.801867962 CET | 49700 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:09.801870108 CET | 49700 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:11.460272074 CET | 49703 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:12.473761082 CET | 49703 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:13.801954985 CET | 49700 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:14.473731995 CET | 49703 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:18.473738909 CET | 49703 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:21.802222967 CET | 49700 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:26.473849058 CET | 49703 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:30.616316080 CET | 49797 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:31.630009890 CET | 49797 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:33.630048037 CET | 49797 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:35.006577969 CET | 49835 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:36.020674944 CET | 49835 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:37.645648956 CET | 49797 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:38.020783901 CET | 49835 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:42.036290884 CET | 49835 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:45.661273956 CET | 49797 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:50.051939964 CET | 49835 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:34:54.741426945 CET | 49959 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:55.755059004 CET | 49959 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:34:57.755100965 CET | 49959 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:00.928666115 CET | 49960 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:01.770690918 CET | 49959 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:01.927041054 CET | 49960 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:03.926908016 CET | 49960 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:07.927084923 CET | 49960 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:09.770638943 CET | 49959 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:15.927015066 CET | 49960 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:19.459734917 CET | 49961 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:20.458251953 CET | 49961 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:22.473799944 CET | 49961 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:26.472847939 CET | 49962 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:26.473856926 CET | 49961 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:27.473829031 CET | 49962 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:29.473834038 CET | 49962 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:33.473817110 CET | 49962 | 505 | 192.168.2.8 | 185.172.175.125 |
Mar 19, 2025 20:35:34.473787069 CET | 49961 | 31732 | 192.168.2.8 | 147.185.221.25 |
Mar 19, 2025 20:35:41.473934889 CET | 49962 | 505 | 192.168.2.8 | 185.172.175.125 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 19, 2025 20:33:41.249505997 CET | 65352 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 19, 2025 20:33:41.518312931 CET | 53 | 65352 | 1.1.1.1 | 192.168.2.8 |
Mar 19, 2025 20:33:42.112526894 CET | 60322 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 19, 2025 20:33:42.204415083 CET | 53 | 60322 | 1.1.1.1 | 192.168.2.8 |
Mar 19, 2025 20:33:48.709896088 CET | 60102 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 19, 2025 20:33:48.815407038 CET | 53 | 60102 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 19, 2025 20:33:41.249505997 CET | 192.168.2.8 | 1.1.1.1 | 0xa4c1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 19, 2025 20:33:42.112526894 CET | 192.168.2.8 | 1.1.1.1 | 0x7591 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Mar 19, 2025 20:33:48.709896088 CET | 192.168.2.8 | 1.1.1.1 | 0xac59 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 19, 2025 20:33:41.518312931 CET | 1.1.1.1 | 192.168.2.8 | 0xa4c1 | No error (0) | 147.185.221.25 | A (IP address) | IN (0x0001) | false | ||
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | 185.199.108.133 | A (IP address) | IN (0x0001) | false | ||
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | 185.199.110.133 | A (IP address) | IN (0x0001) | false | ||
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | 185.199.109.133 | A (IP address) | IN (0x0001) | false | ||
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | 185.199.111.133 | A (IP address) | IN (0x0001) | false | ||
Mar 19, 2025 20:33:48.815407038 CET | 1.1.1.1 | 192.168.2.8 | 0xac59 | No error (0) | 185.172.175.125 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49693 | 185.199.108.133 | 443 | 6760 | C:\Users\user\Desktop\btoawpdtjhjawd.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-19 19:33:42 UTC | 101 | OUT | |
2025-03-19 19:33:42 UTC | 877 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN | |
2025-03-19 19:33:42 UTC | 1378 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 15:33:34 |
Start date: | 19/03/2025 |
Path: | C:\Users\user\Desktop\btoawpdtjhjawd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 43'008 bytes |
MD5 hash: | 2FB952BB97197CCBEFAB03689724ABF4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Target ID: | 2 |
Start time: | 15:33:46 |
Start date: | 19/03/2025 |
Path: | C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 43'008 bytes |
MD5 hash: | 2FB952BB97197CCBEFAB03689724ABF4 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 15:33:54 |
Start date: | 19/03/2025 |
Path: | C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xd10000 |
File size: | 43'008 bytes |
MD5 hash: | 2FB952BB97197CCBEFAB03689724ABF4 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 6 |
Start time: | 15:34:02 |
Start date: | 19/03/2025 |
Path: | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xe10000 |
File size: | 43'008 bytes |
MD5 hash: | 2FB952BB97197CCBEFAB03689724ABF4 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|