Windows Analysis Report
ZJat0NjKFO.exe

General Information
Sample name: ZJat0NjKFO.exe (renamed because the original name is a hash value)
Original sample name: 4ed421dcc07555bea823811932cd1b1d.exe
Analysis ID: 1646262
MD5: 4ed421dcc07555bea823811932cd1b1d
SHA1: f4eb41c4fda51e598ac85d11a3d1bb9120844352
SHA256: d99e56b65c148eb34afdaf489f8cd99a683e368dbb9c0e139b46a00299062599
Tags: DanaBot, exe, user-abuse_ch
Detection
Score: 96 (range 0 - 100), Confidence: 100%

Process Tree
- System is w10x64
- ZJat0NjKFO.exe (PID: 8876, cmdline: "C:\Users\user\Desktop\ZJat0NjKFO.exe", MD5: 4ED421DCC07555BEA823811932CD1B1D)
- cleanup
Malware Family
DanaBot: Proofpoint describes DanaBot as "the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker." (The attribution, blog post URL and link columns were empty.)
YARA Overview
The report lists three YARA match tables (their source column was not captured; the second table has five further collapsed entries and the third four). Deduplicated across all three, the rules that matched are:

Rule | Description | Author
---|---|---
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
Signature categories with hits:
- AV Detection
- Compliance
- Spreading
- Networking
- E-Banking Fraud
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
- Remote Access Functionality
Signature details. The evidence cells of the signature rows (strings, paths, IPs, rule names) were not captured; for each signature the row type and the number of evidence rows are kept.

AV Detection
- Avira: detected (label TR/Dropper.Gen in the scanner table below)
- Virustotal: detected (70% of engines; permalink on the original report)
- ReversingLabs: detected (Win32.Trojan.Danabot)
- File source: 9 entries
- Integrated Neural Analysis Model: detected
Compliance
- Unpacked PE file: 1 entry
- Static PE information: 2 entries
- File opened: 6 entries
Networking
- TCP traffic detected without corresponding DNS query: 46 entries (the sample connects to hard-coded addresses; the three contacted IPs are listed in the IP table below)
- String found in binary or memory: 10 entries
- Network traffic detected: 24 entries
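The "TCP traffic detected without corresponding DNS query" signature is the one network behaviour in this report that translates directly into a detection outside the sandbox. The following is an added example, not code from Joe Sandbox or from this report: it joins a resolver log with a connection log and flags outbound sessions to public IPs that no DNS answer delivered to the same source host within a look-back window. REPORT_C2 holds the three IPs the sample contacted; every DNS and connection record below is constructed, and the ports are arbitrary because the report does not state them.

```python
"""Detection logic for 'TCP traffic without a corresponding DNS query'.

Added example (not Joe Sandbox code). Outbound TCP sessions to public IPs are
compared with the DNS answers the same client received; a destination no
answer explains is reported, with a flag when it is one of this report's IPs.
"""
import ipaddress
from datetime import datetime, timedelta

# Contacted hosts from the report.
REPORT_C2 = {"62.60.226.159", "62.60.226.158", "196.251.87.252"}

# Constructed resolver answers: (time, client, queried name, answered IP).
DNS_ANSWERS = [
    ("2025-03-23T18:29:01", "10.0.0.5", "fs.microsoft.com", "184.31.69.3"),
]

# Constructed outbound TCP sessions: (time, source host, destination IP, port).
CONNECTIONS = [
    ("2025-03-23T18:29:02", "10.0.0.5", "184.31.69.3", 443),     # resolved 1 s earlier
    ("2025-03-23T18:29:40", "10.0.0.5", "62.60.226.159", 443),   # never resolved
    ("2025-03-23T18:29:41", "10.0.0.5", "62.60.226.158", 443),   # never resolved
    ("2025-03-23T18:30:02", "10.0.0.5", "192.168.1.1", 445),     # private, ignored
    ("2025-03-23T20:45:00", "10.0.0.5", "184.31.69.3", 443),     # answer older than window
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_dnsless_connections(dns_answers, connections, window=timedelta(hours=1)):
    """Return connections to public IPs that the same host did not resolve within `window`.

    The fixed window stands in for the answer's TTL; a resolver log that records
    TTLs can use them directly. Private, loopback and link-local destinations are
    skipped because they are reached without DNS by design.
    """
    answered = {}
    for when, client, _name, ip in dns_answers:
        answered.setdefault((client, ip), []).append(_ts(when))

    hits = []
    for when, src, dst, port in connections:
        if not ipaddress.ip_address(dst).is_global:
            continue
        t = _ts(when)
        if any(t - window <= a <= t for a in answered.get((src, dst), [])):
            continue  # a DNS answer explains this destination
        hits.append({"time": when, "src": src, "dst": dst, "port": port,
                     "known_c2": dst in REPORT_C2})
    return hits


if __name__ == "__main__":
    for hit in find_dnsless_connections(DNS_ANSWERS, CONNECTIONS):
        print(hit)
```

On the constructed data the two DanaBot addresses are reported with known_c2 set, the private SMB session is ignored, and the late connection to 184.31.69.3 is reported without the flag because its only DNS answer is older than the window; that last case is the usual source of false positives and is why TTL-aware correlation is preferable to a fixed window.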
E-Banking Fraud
- File source: 9 entries
System Summary
- Matched rule: 4 entries
- Binary or memory string: 11 entries
- Static PE information: 1 entry
- Matched rule: 4 entries
- Classification label: mal96.troj.spyw.evad.winEXE@1/10@0/3
- File created: 1 entry
- Static PE information: 1 entry
- Key opened: 1 entry
- File read: 1 entry
- Key opened: 1 entry
- Key value created or modified: 1 entry
- Binary or memory string: 5 entries
- Virustotal: 1 entry
- ReversingLabs: 1 entry
- String found in binary or memory: 3 entries
- Section loaded: 65 entries
- Key value queried: 1 entry
- Key value created or modified: 1 entry
- Static PE information: 1 entry
- Static file information: 1 entry
- Static PE information: 3 entries
Data Obfuscation
- Unpacked PE file: 1 entry
- Code function: 0_2_00BE50C9, 0_2_00BE9A9B, 0_2_00BD2399, 0_2_00BDB376, 0_2_00BC860B
Hooking and other Techniques for Hiding and Protection
- Binary or memory string: 1 entry
- Process information set: 10 entries
Malware Analysis System Evasion
- WMI Queries: 4 entries
- Thread delayed: 1 entry
- Thread sleep time: 3 entries
- WMI Queries: 1 entry
- File Volume queried: 1 entry
- Thread delayed: 2 entries
- File opened: 6 entries
- Binary or memory string: 32 entries

The rows below belong to the Anti Debugging, HIPS / PFW / Operating System Protection Evasion and Language, Device and Operating System Detection categories from the list above; their section headers were not captured, so the boundaries between them are not shown.
- Code function: 0_2_00BC1763
- Process token adjusted: 1 entry
- Binary or memory string: 3 entries
- Registry key value queried: 19 entries
- Key value queried: 1 entry
- Key value queried: 1 entry
- Queries volume information: 1 entry
- Key value queried: 1 entry
Stealing of Sensitive Information
- File source: 9 entries
- File opened: 8 entries
- File source: 9 entries
Remote Access Functionality
- File source: 9 entries
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 131 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Multi-hop Proxy | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 2 System Owner/User Discovery | Distributed Component Object Model | Input Capture | 1 Proxy | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 53 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Antivirus, Machine Learning and Genetic Malware Detection (sample)

Detection | Scanner | Label
---|---|---
70% | Virustotal | (not captured)
72% | ReversingLabs | Win32.Trojan.Danabot
100% | Avira | TR/Dropper.Gen

Domains and URLs: six entries, each with Malicious: false and Reputation: high; the names were not captured.
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
62.60.226.159 | unknown | Iran (Islamic Republic of) | 18013 | ASLINE-AS-APASLINELIMITEDHK | false
62.60.226.158 | unknown | Iran (Islamic Republic of) | 18013 | ASLINE-AS-APASLINELIMITEDHK | false
196.251.87.252 | unknown | Seychelles | 37417 | SONIC-WirelessZA | false
General Information (analysis)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1646262
Start date and time: 2025-03-23 19:28:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: (not captured)
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ZJat0NjKFO.exe (renamed because the original name is a hash value)
Original Sample Name: 4ed421dcc07555bea823811932cd1b1d.exe
Detection: MAL
Classification: mal96.troj.spyw.evad.winEXE@1/10@0/3
EGA Information: (not captured)
HCA Information: (not captured)
Cookbook Comments:
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 184.31.69.3, 4.175.87.197, 20.223.35.26, 150.171.27.10
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big: too many NtEnumerateKey calls found
- Report size getting too big: too many NtEnumerateValueKey calls found
- Report size getting too big: too many NtOpenFile calls found
- Report size getting too big: too many NtOpenKeyEx calls found
- Report size getting too big: too many NtProtectVirtualMemory calls found
- Report size getting too big: too many NtQueryValueKey calls found
Context: IPs (threat name of previously analysed samples that contacted the same address)

IP | Detection | Threat Name
---|---|---
62.60.226.159 | malicious | DanaBot
62.60.226.158 | malicious | DanaBot
196.251.87.252 | malicious | DanaBot

Context: ASNs (threat names of previously analysed samples seen from the same ASN, in the report's order; the original page repeats the ASLINE block once per 62.60.226.x address with identical content)

ASN | Detection | Threat Names of related samples
---|---|---
ASLINE-AS-APASLINELIMITEDHK | malicious | DanaBot, Okiru, Meduza Stealer + RHADAMANTHYS, Unknown, RHADAMANTHYS, Unknown, Unknown, Unknown, Unknown
SONIC-WirelessZA | malicious | Unknown, DanaBot, RHADAMANTHYS, HTMLPhisher, Remcos, Remcos, Remcos, Unknown, Unknown
Dropped and Modified Files
All ten files were written by C:\Users\user\Desktop\ZJat0NjKFO.exe; file names, types and content previews were not captured. An 8-bit entropy of 0.0 means every byte of the file has the same value (in practice a zero-filled file, which is also why SSDEEP yields the empty "3::" hash), and the three 139,264-byte entries are byte-identical (same digests). Only the 32,768-byte file contains any variation, and very little of it.

# | Category | Size (bytes) | Entropy (8bit) | Encrypted | SSDEEP | MD5 | SHA1 | SHA-256 | SHA-512 | Malicious | Reputation
---|---|---|---|---|---|---|---|---|---|---|---
1 | dropped | 139264 | 0.0 | false | 3:: | 79BFD1D69B2829B17AE13B80A6B48489 | A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A | CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15 | 075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650 | false | low
2 | dropped | 139264 | 0.0 | false | 3:: | 79BFD1D69B2829B17AE13B80A6B48489 | A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A | CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15 | 075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650 | false | low
3 | dropped | 40960 | 0.0 | false | 3:: | AB893875D697A3145AF5EED5309BEE26 | C90116149196CBF74FFB453ECB3B12945372EBFA | 02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA | 6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC | false | moderate, very likely benign file
4 | dropped | 196608 | 0.0 | false | 3:: | EF2E0D18474B2151EF5876B1E89C2F1D | AEF9802FCF76C67D695BC77322BAE5400D3BBE82 | 3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E | E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8 | false | moderate, very likely benign file
5 | dropped | 20480 | 0.0 | false | 3:: | DAA100DF6E6711906B61C9AB5AA16032 | 963FF6C2D517D188014D2EF3682C4797888E6D26 | CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6 | 548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393 | false | (not listed)
6 | dropped | 98304 | 0.0 | false | 3:: | 0A9156C4E3C48EF827980639C4D1E263 | 9F13A523321C66208E90D45F87FA0CD9B370E111 | 3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4 | 8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD | false | (not listed)
7 | dropped | 32768 | 0.017262956703125623 | false | 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX | B7C14EC6110FA820CA6B65F5AEC85911 | 608EEB7488042453C9CA40F7E1398FC1A270F3F4 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0 | false | (not listed)
8 | dropped | 139264 | 0.0 | false | 3:: | 79BFD1D69B2829B17AE13B80A6B48489 | A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A | CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15 | 075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650 | false | (not listed)
9 | dropped | 51200 | 0.0 | false | 3:: | BF235F22DF3E004EDE21041978C24F2E | 7188972F71AEE4C62669330FF7776E48094B4D9D | 16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9 | E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046 | false | (not listed)
10 | modified | 24576 | 0.0 | false | 3:: | 91FF0DAC5DF86E798BFEF5E573536B08 | EBDD38B69CD5B9F2D00D273C981E16960FBBB4F7 | DE676BAE28A480011D3D012DB14BEF539324E62A841A9627863C689BEA168AF3 | F9C2CBDA26D1C3E32F54625B5488F7D51DBE59F6CB742CE98B5F9E9CED089E65327FC381284F7F287B513C1B860B6898A53CA46DF3CC4926BA0EB339F3C29BD3 | false | (not listed)
File type: | |
Entropy (8bit): | 7.17677538525722 |
TrID: |
File name: | ZJat0NjKFO.exe |
File size: | 5'784'064 bytes |
MD5: | 4ed421dcc07555bea823811932cd1b1d |
SHA1: | f4eb41c4fda51e598ac85d11a3d1bb9120844352 |
SHA256: | d99e56b65c148eb34afdaf489f8cd99a683e368dbb9c0e139b46a00299062599 |
SHA512: | 3c256998c9afc6ee40289509eaa392f3561fdf1f26e26083d01c590cb9129735a5072edbb2a9e82596525fe685ec00fc10de5bc890e9153f6585e3edaf665d55 |
SSDEEP: | 98304:qmDVhyY8fQ81aEb2v5vHCdkq7DpTWrJyERLV9L+Kg2jjm8:TqYsFvw5vak4p6r9V9SK/m |
TLSH: | 2A469F21F2C0A23FD0771A36C93A96A4697F77703A159C1F26E41D4C8F79A807A3635B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...A...9...9...9...F...9...F...9..Rich.9..........................PE..L......g...............$.8X..........FX.... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x984600 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67DC18B1 [Thu Mar 20 13:31:29 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | f797b427b11cf4700dcf1255251beadb |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 2Ch |
mov dword ptr [ebp-10h], 00401000h ; src = image base 0x400000 + RVA 0x1000, the first byte of .text |
push 00000040h ; flProtect = PAGE_EXECUTE_READWRITE |
push 00001000h ; flAllocationType = MEM_COMMIT |
mov eax, dword ptr [00986000h] ; dwSize = the single dword of .data (RVA 0x586000, virtual size 4) |
push eax |
push 00000000h ; lpAddress = NULL |
call dword ptr [00985000h] ; KERNEL32!VirtualAlloc, first IAT slot (IAT at RVA 0x585000, size 0x18: four imports plus two terminators) |
mov dword ptr [ebp-08h], eax ; buf = returned RWX region |
mov dword ptr [ebp-04h], 00000000h ; i = 0 |
jmp 00007F40EC82A90Bh ; to the loop condition (unoptimized for-loop shape) |
mov ecx, dword ptr [ebp-04h] |
add ecx, 01h |
mov dword ptr [ebp-04h], ecx ; i++ |
mov edx, dword ptr [ebp-04h] |
cmp edx, dword ptr [00986000h] |
jnl 00007F40EC82A914h ; exit when i >= dwSize |
mov eax, dword ptr [ebp-08h] |
add eax, dword ptr [ebp-04h] ; buf + i |
mov ecx, dword ptr [ebp-10h] |
add ecx, dword ptr [ebp-04h] ; src + i |
mov dl, byte ptr [ecx] |
mov byte ptr [eax], dl ; buf[i] = src[i], byte-wise copy of the start of .text into the RWX buffer |
jmp 00007F40EC82A8DCh ; back to i++ |
call dword ptr [ebp-08h] ; transfer control to the copied buffer |
push 00000000h ; wMsgFilterMax = 0 |
push 00000000h ; wMsgFilterMin = 0 |
push 00000000h ; hWnd = NULL |
lea eax, dword ptr [ebp-2Ch] |
push eax ; &msg |
call dword ptr [00985010h] ; USER32!GetMessageA, matching the import order TranslateMessage, DispatchMessageA, GetMessageA |
mov dword ptr [ebp-0Ch], eax |
cmp dword ptr [ebp-0Ch], 00000000h |
je 00007F40EC82A920h ; 0 = WM_QUIT, leave the loop |
cmp dword ptr [ebp-0Ch], FFFFFFFFh |
jne 00007F40EC82A904h |
jmp 00007F40EC82A916h ; -1 = error, leave the loop |
lea ecx, dword ptr [ebp-2Ch] |
push ecx |
call dword ptr [00985008h] ; USER32!TranslateMessage(&msg) |
lea edx, dword ptr [ebp-2Ch] |
push edx |
call dword ptr [0098500Ch] ; USER32!DispatchMessageA(&msg) |
jmp 00007F40EC82A8CBh ; standard message pump keeps the process alive after the payload returns |
xor eax, eax |
mov esp, ebp |
pop ebp |
ret |
add byte ptr [eax], al ; 00 00: zero padding after ret, not code (the same bytes repeat below) |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x585120 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x587000 | 0x18 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x585018 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x585000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x583694 | 0x583800 | c2d9f0be08509633fcce1a4b010b4f82 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x585000 | 0x1d4 | 0x200 | 55afb148d4a7c105cdef639dc04524a2 | False | 0.525390625 | data | 3.8381525004666255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x586000 | 0x4 | 0x200 | eb70eb902d33687ea54b86d60a93a695 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x587000 | 0x18 | 0x200 | 84e41215f5f986fed9ece38cdf7ed37a | False | 0.068359375 | data | 0.30754410475965943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
KERNEL32.dll | VirtualAlloc |
USER32.dll | TranslateMessage, DispatchMessageA, GetMessageA |
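Read together with the import table and the section list, the entry-point listing above is a small loader stub: it calls VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE) with the size held in the one dword of .data, copies that many bytes from the start of .text (0x401000) into the buffer byte by byte, calls the buffer, and then sits in a GetMessageA/TranslateMessage/DispatchMessageA pump. NX_COMPAT in the DLL characteristics is irrelevant here because the stub requests executable memory explicitly. The Python script below is an added example, not part of the Joe Sandbox report or of the sample; it carves that copied region statically by resolving the two addresses the stub hard-codes through the PE section table, so the bytes that get executed can be hashed and examined without running the file. The function names and the minimal-PE builder used as constructed input (with this sample's section RVAs but synthetic contents) are assumptions for the demonstration; what the carved region does once it runs is not something the static data above establishes.

```python
import hashlib
import struct
import sys

COFF_HEADER_SIZE = 20          # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40       # IMAGE_SECTION_HEADER


def parse_sections(pe: bytes):
    """Return [(name, virtual_address, virtual_size, raw_pointer, raw_size)] from the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return sections


def rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset through the section that contains it."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def carve_stub_payload(pe: bytes, image_base=0x400000, src_va=0x401000, size_va=0x986000) -> bytes:
    """Carve the bytes the entry-point stub copies into its VirtualAlloc buffer.

    src_va is the immediate the stub stores in [ebp-10h]; size_va is the .data
    dword it passes to VirtualAlloc and compares the loop counter against.
    """
    sections = parse_sections(pe)
    payload_len = struct.unpack_from("<I", pe, rva_to_offset(sections, size_va - image_base))[0]
    src_off = rva_to_offset(sections, src_va - image_base)
    if src_off + payload_len > len(pe):
        raise ValueError("declared payload length runs past the end of the file")
    return pe[src_off:src_off + payload_len]


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed test input (assumption, not the real sample): a minimal PE32 with
    this sample's section RVAs, the payload at the start of .text and its length as
    the single dword of .data. Headers are zeroed except for the fields parsed above."""
    raw = {".text": 0x400, ".rdata": 0x600, ".data": 0x800, ".reloc": 0xA00}   # file offsets
    layout = [(b".text", 0x1000, 0x583694), (b".rdata", 0x585000, 0x1D4),
              (b".data", 0x586000, 0x4), (b".reloc", 0x587000, 0x18)]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")      # PE32 magic only
    hdrs = b"".join(name.ljust(8, b"\0") +
                    struct.pack("<IIIIIIHHI", vsize, va, 0x200, raw[name.decode()], 0, 0, 0, 0, 0)
                    for name, va, vsize in layout)
    image = bytearray((dos + b"PE\0\0" + coff + opt + hdrs).ljust(0xC00, b"\0"))
    image[raw[".text"]:raw[".text"] + len(payload)] = payload
    struct.pack_into("<I", image, raw[".data"], len(payload))
    return bytes(image)


if __name__ == "__main__":
    # With a path argument the real file is carved; without one the constructed PE is used.
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_pe(b"\x55\x8b\xec" + b"\x90" * 40 + b"\xc3")
    blob = carve_stub_payload(data)
    print(f"carved {len(blob)} bytes, sha256 {hashlib.sha256(blob).hexdigest()}, head {blob[:8].hex()}")
```

The carver deliberately reads the length from .data rather than trusting the .text size, because that is what the stub itself does; the bounds check guards against a length that overruns the file, which is the one input a tampered or truncated sample could feed it.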
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 23, 2025 19:30:52.507710934 CET | 49728 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:30:52.507738113 CET | 443 | 49728 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:30:52.507955074 CET | 49728 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:30:52.573579073 CET | 49728 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:30:52.573606968 CET | 443 | 49728 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:30:52.573659897 CET | 443 | 49728 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:30:53.593333960 CET | 49730 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:30:53.593365908 CET | 443 | 49730 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:30:53.593431950 CET | 49730 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:30:53.659715891 CET | 49730 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:30:53.659739017 CET | 443 | 49730 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:30:53.659811974 CET | 443 | 49730 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:30:54.687438011 CET | 49731 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:30:54.687547922 CET | 443 | 49731 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:30:54.687637091 CET | 49731 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:30:55.114198923 CET | 49731 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:30:55.114276886 CET | 443 | 49731 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:30:55.114336967 CET | 443 | 49731 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:30:55.114439964 CET | 49731 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:30:55.114485979 CET | 443 | 49731 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:30:56.172137022 CET | 49732 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:30:56.172180891 CET | 443 | 49732 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:30:56.172240019 CET | 49732 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:30:56.379261971 CET | 49732 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:30:56.379297972 CET | 443 | 49732 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:30:56.379352093 CET | 443 | 49732 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:30:56.379389048 CET | 49732 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:30:56.379410982 CET | 443 | 49732 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:31:57.780994892 CET | 49733 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:31:57.781094074 CET | 443 | 49733 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:31:57.781244993 CET | 49733 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:31:57.837171078 CET | 49733 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:31:57.837236881 CET | 443 | 49733 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:31:57.837337017 CET | 443 | 49733 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:31:57.837342024 CET | 49733 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:31:57.837378025 CET | 443 | 49733 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:31:59.162463903 CET | 49734 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:31:59.162496090 CET | 443 | 49734 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:31:59.162750959 CET | 49734 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:32:00.248761892 CET | 49734 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:32:00.248797894 CET | 443 | 49734 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:32:00.248879910 CET | 49734 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:32:00.248923063 CET | 443 | 49734 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:32:01.265261889 CET | 49735 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:01.265357971 CET | 443 | 49735 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:01.265448093 CET | 49735 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:01.318782091 CET | 49735 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:01.318809032 CET | 443 | 49735 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:01.318897963 CET | 443 | 49735 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:01.318902016 CET | 49735 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:01.318931103 CET | 443 | 49735 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:02.350670099 CET | 49736 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:02.350769043 CET | 443 | 49736 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:02.350929022 CET | 49736 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:02.929245949 CET | 49736 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:02.929318905 CET | 443 | 49736 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:02.929419041 CET | 443 | 49736 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:02.929446936 CET | 49736 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:02.929491043 CET | 443 | 49736 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.111742973 CET | 49737 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.111789942 CET | 443 | 49737 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.111923933 CET | 49737 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.215607882 CET | 49737 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.215631962 CET | 443 | 49737 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.215717077 CET | 49737 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.215718031 CET | 443 | 49737 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.215739965 CET | 443 | 49737 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.257010937 CET | 49738 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:32:03.257101059 CET | 443 | 49738 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:32:03.257179022 CET | 49738 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:32:03.469305038 CET | 49738 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:32:03.469386101 CET | 443 | 49738 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:32:03.469454050 CET | 443 | 49738 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:32:03.469496965 CET | 49738 | 443 | 192.168.2.5 | 62.60.226.158 |
Mar 23, 2025 19:32:03.469542980 CET | 443 | 49738 | 62.60.226.158 | 192.168.2.5 |
Mar 23, 2025 19:32:03.590898037 CET | 49739 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:03.590990067 CET | 443 | 49739 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:03.591079950 CET | 49739 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:03.662050009 CET | 49739 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:03.662147999 CET | 443 | 49739 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:03.662236929 CET | 443 | 49739 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:03.662259102 CET | 49739 | 443 | 192.168.2.5 | 62.60.226.159 |
Mar 23, 2025 19:32:03.662309885 CET | 443 | 49739 | 62.60.226.159 | 192.168.2.5 |
Mar 23, 2025 19:32:03.673981905 CET | 49740 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.674086094 CET | 443 | 49740 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.674161911 CET | 49740 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.736532927 CET | 49740 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.736618042 CET | 443 | 49740 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.736677885 CET | 443 | 49740 | 196.251.87.252 | 192.168.2.5 |
Mar 23, 2025 19:32:03.736685991 CET | 49740 | 443 | 192.168.2.5 | 196.251.87.252 |
Mar 23, 2025 19:32:03.736721039 CET | 443 | 49740 | 196.251.87.252 | 192.168.2.5 |
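The packet table above contains only TCP traffic to port 443 on three hosts (196.251.87.252, 62.60.226.158, 62.60.226.159), visited in the same order in two bursts roughly a minute apart; it says nothing about the content of the exchanges. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the table's own layout, groups packets into client-initiated connections, counts connections per destination and splits the connection start times into contact rounds so the spacing and the rotation become visible. The rows embedded in it are a constructed subset copied from the table; the 30-second round threshold and the function names are assumptions for the demonstration. Timing alone does not establish that these hosts are the sample's command-and-control servers; that needs the decrypted content or corroborating intelligence.

```python
from collections import defaultdict
from datetime import datetime

# Constructed input: a subset of the rows from the packet table above, in the same
# "timestamp | sport | dport | src | dst" layout.
SAMPLE_ROWS = """\
Mar 23, 2025 19:30:52.507710934 CET | 49728 | 443 | 192.168.2.5 | 196.251.87.252
Mar 23, 2025 19:30:52.507738113 CET | 443 | 49728 | 196.251.87.252 | 192.168.2.5
Mar 23, 2025 19:30:52.507955074 CET | 49728 | 443 | 192.168.2.5 | 196.251.87.252
Mar 23, 2025 19:30:53.593333960 CET | 49730 | 443 | 192.168.2.5 | 62.60.226.158
Mar 23, 2025 19:30:53.593365908 CET | 443 | 49730 | 62.60.226.158 | 192.168.2.5
Mar 23, 2025 19:30:54.687438011 CET | 49731 | 443 | 192.168.2.5 | 62.60.226.159
Mar 23, 2025 19:30:54.687547922 CET | 443 | 49731 | 62.60.226.159 | 192.168.2.5
Mar 23, 2025 19:30:56.172137022 CET | 49732 | 443 | 192.168.2.5 | 196.251.87.252
Mar 23, 2025 19:31:57.780994892 CET | 49733 | 443 | 192.168.2.5 | 196.251.87.252
Mar 23, 2025 19:31:59.162463903 CET | 49734 | 443 | 192.168.2.5 | 62.60.226.158
Mar 23, 2025 19:32:01.265261889 CET | 49735 | 443 | 192.168.2.5 | 62.60.226.159
Mar 23, 2025 19:32:02.350670099 CET | 49736 | 443 | 192.168.2.5 | 196.251.87.252
Mar 23, 2025 19:32:03.111742973 CET | 49737 | 443 | 192.168.2.5 | 196.251.87.252
Mar 23, 2025 19:32:03.257010937 CET | 49738 | 443 | 192.168.2.5 | 62.60.226.158
Mar 23, 2025 19:32:03.590898037 CET | 49739 | 443 | 192.168.2.5 | 62.60.226.159
Mar 23, 2025 19:32:03.673981905 CET | 49740 | 443 | 192.168.2.5 | 196.251.87.252
"""


def parse_timestamp(s: str) -> datetime:
    """'Mar 23, 2025 19:30:52.507710934 CET' -> datetime; %f accepts at most 6 fractional digits."""
    head, frac = s.replace(" CET", "").rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text: str):
    rows = []
    for line in text.strip().splitlines():
        ts, sport, dport, src, dst = [f.strip() for f in line.split("|")]
        rows.append((parse_timestamp(ts), int(sport), int(dport), src, dst))
    return rows


def connections(rows, server_port=443):
    """Group packets into client-initiated connections keyed by (client, client_port, server)."""
    conns = {}
    for ts, sport, dport, src, dst in rows:
        if dport == server_port:          # client -> server direction
            key = (src, sport, dst)
        elif sport == server_port:        # server -> client reply, same connection
            key = (dst, dport, src)
        else:
            continue
        c = conns.setdefault(key, {"first": ts, "last": ts, "packets": 0})
        c["first"], c["last"], c["packets"] = min(c["first"], ts), max(c["last"], ts), c["packets"] + 1
    return conns


def contact_rounds(conns, gap_seconds=30.0):
    """Split connection start times into rounds separated by a quiet gap (assumed 30 s)."""
    starts = sorted((c["first"], key[2]) for key, c in conns.items())
    rounds = []
    for ts, server in starts:
        if rounds and (ts - rounds[-1]["end"]).total_seconds() <= gap_seconds:
            rounds[-1]["servers"].append(server)
            rounds[-1]["end"] = ts
        else:
            rounds.append({"start": ts, "end": ts, "servers": [server]})
    gaps = [(rounds[i]["start"] - rounds[i - 1]["start"]).total_seconds() for i in range(1, len(rounds))]
    return rounds, gaps


def summarize(text: str = SAMPLE_ROWS) -> dict:
    conns = connections(parse_rows(text))
    per_server = defaultdict(int)
    for key in conns:
        per_server[key[2]] += 1
    rounds, gaps = contact_rounds(conns)
    return {"servers": dict(per_server), "rounds": [r["servers"] for r in rounds], "round_gaps_s": gaps}


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

On the full table the same grouping gives one connection per ephemeral source port; the round gap of about 65 seconds between the first contact of each burst is the value a beaconing detector would key on, but with only two rounds in a short sandbox run the interval should be treated as an observation, not a signature.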
Target ID: | 0 |
Start time: | 14:29:35 |
Start date: | 23/03/2025 |
Path: | C:\Users\user\Desktop\ZJat0NjKFO.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbc0000 |
File size: | 5'784'064 bytes |
MD5 hash: | 4ED421DCC07555BEA823811932CD1B1D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: |
Reputation: | low |
Has exited: | false |
Execution Coverage: | 0.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21.4% |
Total number of Nodes: | 14 |
Total number of Limit Nodes: | 1 |