Windows
Analysis Report
SZf8I0IvEg.exe
Overview
General Information
Sample name: | SZf8I0IvEg.exe (renamed because original name is a hash value) |
Original sample name: | ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33.exe |
Analysis ID: | 1650930 |
MD5: | c7c64687ae709d71b1440fd99a62f0f6 |
SHA1: | 10e8a15dcf18d8752eced5ab22650cdc8e1e7309 |
SHA256: | ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33 |
Tags: | exe, goodsvibes-dynuddns-net, user-JAMESWT_MHT |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
SZf8I0IvEg.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\SZf8I0IvEg.exe" MD5: C7C64687AE709D71B1440FD99A62F0F6)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD. | No Attribution | | |
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{
"Server": "goodsvibes.dynuddns.net",
"Port": "9852",
"Version": " 1.0.7",
"MutexName": "DcRatMutex_qGo",
"Autorun": "false",
"Group": "Marzo17-25"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io | |
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen | |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security | |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T08:36:33.468392+0100 | 2034847 | 1 | Domain Observed Used for C2 Detected | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP |
2025-03-28T08:36:33.468392+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP |
2025-03-28T08:36:33.468392+0100 | 2848048 | 1 | Domain Observed Used for C2 Detected | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP |
- AV Detection
- Compliance
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- System Summary
- Data Obfuscation
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection | Entries |
---|---|
Avira | 1 |
Avira URL Cloud | 1 |
Malware Configuration Extractor | 1 |
Virustotal (Perma Link) | 1 |
ReversingLabs | 1 |
Neural Call Log Analysis | 1 |
String decryptor | 9 |
Static PE information | 1 |
Networking | Entries |
---|---|
Suricata IDS | 3 |
URLs | 1 |
DNS query | 1 |
TCP traffic | 1 |
ASN Name | 1 |
UDP traffic detected without corresponding DNS query | 1 |
DNS traffic detected | 1 |
String found in binary or memory | 3 |
Key, Mouse, Clipboard, Microphone and Screen Capturing | Entries |
---|---|
File source | 4 |
System Summary | Entries |
---|---|
Matched rule | 18 |
Code function | 3 (0_2_00007FFC3DDB90F2, 0_2_00007FFC3DDB308D, 0_2_00007FFC3DDB8346) |
Binary or memory string | 2 |
Matched rule | 18 |
Base64 encoded string | 2 |
Classification label | 1 |
Mutant created | 2 |
Static PE information | 1 |
Static file information | 1 |
Key opened | 1 |
Virustotal | 1 |
ReversingLabs | 1 |
Section loaded | 44 |
Key value queried | 1 |
Static PE information | 2 |
Code function | 1 (0_2_00007FFC3DDB00C1) |
Boot Survival | Entries |
---|---|
File source | 4 |
Registry key monitored for changes | 2 |
Process information set | 50 |
Malware Analysis System Evasion | Entries |
---|---|
File source | 4 |
Binary or memory string | 1 |
Memory allocated | 2 |
Thread delayed | 1 |
Window / User API | 2 |
Thread sleep time | 2 |
Thread sleep count | 2 |
File Volume queried | 1 |
Thread delayed | 1 |
Binary or memory string | 1 |
Process token adjusted | 1 |
Memory allocated | 1 |
HIPS / PFW / Operating System Protection Evasion | Entries |
---|---|
Reference to suspicious API methods | 4 |
Binary or memory string | 2 |
Queries volume information | 1 |
Key value queried | 1 |
Lowering of HIPS / PFW / Operating System Security Settings | Entries |
---|---|
File source | 4 |
Binary or memory string | 4 |
WMI Queries | 1 |
Stealing of Sensitive Information | Entries |
---|---|
File source | 3 |
Remote Access Functionality | Entries |
---|---|
File source | 3 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Obfuscated Files or Information | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 21 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 79% | Virustotal | | |
| 81% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT | |
| 100% | Avira | HEUR/AGEN.1307404 | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira URL Cloud | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.90.172 | true | false | high | |
goodsvibes.dynuddns.net | 176.65.134.105 | true | true | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
176.65.134.105 | goodsvibes.dynuddns.net | Germany | | 56325 | DIOGELO-ASGB | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1650930 |
Start date and time: | 2025-03-28 08:35:30 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SZf8I0IvEg.exe (renamed because original name is a hash value) |
Original Sample Name: | ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/2@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 199.232.90.172, 23.204.23.20, 172.202.163.200
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description |
---|---|---|
03:36:33 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Snake Keylogger, VIP Keylogger |
bg.microsoft.map.fastly.net | malicious | HTMLPhisher, Invisible JS, Tycoon2FA |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | ScreenConnect Tool |
bg.microsoft.map.fastly.net | malicious | ScreenConnect Tool |
bg.microsoft.map.fastly.net | malicious | Orcus |
bg.microsoft.map.fastly.net | malicious | AgentTesla |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | AsyncRAT, KeyLogger, Quasar, XWorm |
Match | Detection | Threat Name |
---|---|---|
DIOGELO-ASGB | malicious | RHADAMANTHYS |
DIOGELO-ASGB | malicious | Unknown |
DIOGELO-ASGB | malicious | RHADAMANTHYS |
DIOGELO-ASGB | malicious | Mirai |
DIOGELO-ASGB | malicious | RHADAMANTHYS |
DIOGELO-ASGB | malicious | RHADAMANTHYS |
DIOGELO-ASGB | malicious | Remcos |
DIOGELO-ASGB | malicious | Unknown |
DIOGELO-ASGB | malicious | Unknown |
DIOGELO-ASGB | malicious | Unknown |
Process: | C:\Users\user\Desktop\SZf8I0IvEg.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73305 |
Entropy (8bit): | 7.996028107841645 |
Encrypted: | true |
SSDEEP: | 1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/ |
MD5: | 83142242E97B8953C386F988AA694E4A |
SHA1: | 833ED12FC15B356136DCDD27C61A50F59C5C7D50 |
SHA-256: | D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755 |
SHA-512: | BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\SZf8I0IvEg.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 3.2810756866948085 |
Encrypted: | false |
SSDEEP: | 6:kKW+El/ImcQRnSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:xEl/ImfZkPlE99SNxAhUeq8S |
MD5: | 0F6CF03C07D6738256627A2511FD0F7B |
SHA1: | 790CB09C170863837FEBD739484EF915228B69A4 |
SHA-256: | 12E60DD2143D3102B0CD1F6DBE3B7CBDCEDD028B3C41F655D71F27191174AC85 |
SHA-512: | C1C6ACBC950BF6255F841ED10DD63712B6C5F5CDDF5BBB09C7E3B7AFA8280368E5F8ABD91A89D4B58313B7846E369C0C0A1EE18F3B99537E66142BDBD4C73CED |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.615977367376357 |
TrID: | |
File name: | SZf8I0IvEg.exe |
File size: | 48'640 bytes |
MD5: | c7c64687ae709d71b1440fd99a62f0f6 |
SHA1: | 10e8a15dcf18d8752eced5ab22650cdc8e1e7309 |
SHA256: | ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33 |
SHA512: | a87b0bafac6ffbd3da6f9ac141b4d5f931921eb0e0874d1e45577c5466c906ea9cec4fe9eee5020639a19dae39c691b3ee9491d51aaa331c3b608c2a58678b1b |
SSDEEP: | 768:F6T3ILNCKi+DiW0jd3gLqRp8AoPiIjYb6geRBMcC4vEgK/JTZVc6KN:F6YmWGaPAKMbtkGV4nkJTZVclN |
TLSH: | D9235D0037D8C536E2BD4BB4A9F3A245867AD65B1903CB5D6CC811EA2B13BC597036FE |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y................................. ........@.. ....................... ............@................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40cb8e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x59E0C03F [Fri Oct 13 13:31:43 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al (this row is repeated 97 times in the original listing: the bytes following the entry stub are all zero, and 00 00 disassembles to this instruction) |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb40 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xab94 | 0xac00 | 13b6fd928adbbf17905f9445ffffbb7f | False | 0.5020666787790697 | data | 5.6411055835076525 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0xc | 0x200 | d2892f5e6b6d9366633263ebc642dea3 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0xe0a0 | 0x2d4 | data | 0.4350828729281768 | ||
RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.40245261984392416 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
Comments | |
CompanyName | |
FileDescription | |
FileVersion | 1.0.7.0 |
InternalName | Client.exe |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | Client.exe |
ProductName | |
ProductVersion | 1.0.7.0 |
Assembly Version | 1.0.7.0 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T08:36:33.468392+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP |
2025-03-28T08:36:33.468392+0100 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP |
2025-03-28T08:36:33.468392+0100 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP |
- Total Packets: 61
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 28, 2025 08:36:32.782290936 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:32.999496937 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:32.999584913 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:33.023610115 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:33.241775036 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:33.249274015 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:33.468391895 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:33.514615059 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:35.279212952 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:35.550524950 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:35.550596952 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:35.813688040 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:43.492635965 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:43.549308062 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:43.766552925 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:43.811594963 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:49.611891985 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:49.878794909 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:49.878895044 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:50.097817898 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:50.139758110 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:50.356828928 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:50.359478951 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:50.627507925 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:50.627720118 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:50.897155046 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:03.953352928 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:04.225284100 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:04.225465059 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:04.444715023 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:04.499382019 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:04.716440916 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:04.719259977 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:04.990417957 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:04.990528107 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:05.259885073 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:13.503560066 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:13.546361923 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:13.763428926 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:13.812110901 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:18.296783924 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:18.555951118 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:18.556046009 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:18.774236917 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:18.827574968 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:19.044760942 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:19.046873093 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:19.304815054 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:19.304935932 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:19.574788094 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:32.640603065 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:32.903593063 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:32.903737068 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:33.122117996 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:33.171549082 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:33.388748884 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:33.390563965 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:33.652355909 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:33.652503967 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:33.922261000 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:43.500463009 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:43.546610117 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:43.763645887 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:43.812284946 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:46.984745026 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:47.248507023 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:47.248599052 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:47.466850042 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:47.515454054 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:47.733261108 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:47.735548973 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:47.997478008 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:47.997658014 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:48.267261982 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:01.328677893 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:01.592648983 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:01.592799902 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:01.810553074 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:01.859275103 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:02.076349020 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:02.080697060 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:02.341337919 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:02.341411114 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:02.611247063 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:13.544761896 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:13.593789101 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:13.810815096 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:13.859358072 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:15.672322035 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:15.929752111 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:15.929893970 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:16.148021936 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:16.203219891 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:16.420456886 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:16.424508095 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:16.685946941 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:16.686058044 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:16.956486940 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:30.016247034 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:30.276899099 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:30.276984930 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:30.495111942 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:30.547096968 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:30.764434099 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:30.766429901 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:31.032849073 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:31.032951117 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:31.303227901 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:34.766093969 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:35.031045914 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:35.031119108 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:35.248857021 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:35.297032118 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:35.514193058 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:35.514837980 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:35.780775070 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:35.780853033 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:36.049657106 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
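A cadence check over the TCP packet table above, as an added example that is not part of the Joe Sandbox report. It parses rows in the table's own "Timestamp | Source Port | Dest Port | Source IP | Dest IP" layout, splits the 49712 -> 9852 flow into exchanges separated by more than a second of silence, and measures how regular the exchange start times are for whichever side opened each exchange. The packet rows are copied from the table, with the later exchanges cut to their first packet so the listing stays short (the exchange start times are unchanged); the quiet-gap, tolerance and minimum-count thresholds are assumptions chosen for this example, not values from the report.

```python
"""Beacon cadence check over the TCP packet table above (added example,
not part of the Joe Sandbox report). Rows are copied from that table;
later exchanges are cut to their first packet, which leaves the
exchange start times unchanged. Thresholds below are assumptions."""
from datetime import datetime, timedelta, timezone
from statistics import median

CLIENT_IP = "192.168.2.4"      # sandbox host, as in the table
SERVER_IP = "176.65.134.105"   # 9852/tcp endpoint, as in the table
QUIET_GAP_S = 1.0              # assumed silence that separates two exchanges
TOLERANCE = 0.05               # assumed: +/-5 % of the median interval is "regular"
CET = timezone(timedelta(hours=1))
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

PACKET_ROWS = """\
Mar 28, 2025 08:36:32.782290936 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:32.999496937 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:32.999584913 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:35.279212952 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:35.550524950 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:35.550596952 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:35.813688040 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:43.492635965 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:36:43.549308062 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:36:49.611891985 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:03.953352928 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:13.503560066 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:18.296783924 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:32.640603065 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:37:43.500463009 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:37:46.984745026 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:01.328677893 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:13.544761896 CET | 9852 | 49712 | 176.65.134.105 | 192.168.2.4 |
Mar 28, 2025 08:38:15.672322035 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:30.016247034 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
Mar 28, 2025 08:38:34.766093969 CET | 49712 | 9852 | 192.168.2.4 | 176.65.134.105 |
"""

def parse_timestamp(text):
    """'Mar 28, 2025 08:36:32.782290936 CET' -> POSIX seconds as float.
    The report prints nanoseconds; the last three digits are dropped."""
    mon, day, year, clock, _tz = text.split()
    hh, mm, ss = clock.split(":")
    whole, frac = ss.split(".")
    dt = datetime(int(year), MONTHS[mon], int(day.rstrip(",")),
                  int(hh), int(mm), int(whole), int(frac[:6]), tzinfo=CET)
    return dt.timestamp()

def parse_rows(table):
    """Sorted (time, direction) pairs for the client<->server flow; header,
    separator and unrelated rows are skipped, so a whole table can be pasted."""
    packets = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) != 5 or not (cells[1].isdigit() and cells[2].isdigit()):
            continue
        ts, _sport, _dport, src, dst = cells
        if (src, dst) == (CLIENT_IP, SERVER_IP):
            packets.append((parse_timestamp(ts), "c2s"))
        elif (src, dst) == (SERVER_IP, CLIENT_IP):
            packets.append((parse_timestamp(ts), "s2c"))
    return sorted(packets)

def exchange_starts(packets, quiet_gap=QUIET_GAP_S):
    """A packet opens a new exchange when the flow was silent for more than
    quiet_gap before it; the start time is filed under the side that sent it."""
    starts = {"c2s": [], "s2c": []}
    prev = None
    for t, direction in packets:
        if prev is None or t - prev > quiet_gap:
            starts[direction].append(t)
        prev = t
    return starts

def periodicity(times, tolerance=TOLERANCE):
    """(median interval, share of intervals within tolerance of it). The median
    keeps connection setup and other one-off gaps from dragging the estimate."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None, 0.0
    mid = median(gaps)
    regular = sum(abs(g - mid) <= tolerance * mid for g in gaps)
    return mid, regular / len(gaps)

def beacon_report(table, min_exchanges=4, min_regular=0.75):
    """Per opening side: exchange count, median interval, regular share, and
    whether the cadence is steady enough to call it a beacon (thresholds assumed)."""
    report = {}
    for side, times in exchange_starts(parse_rows(table)).items():
        interval, share = periodicity(times)
        report[side] = {"exchanges": len(times), "median_interval_s": interval,
                        "regular_share": share,
                        "beacon": len(times) >= min_exchanges and share >= min_regular}
    return report

if __name__ == "__main__":
    print(beacon_report(PACKET_ROWS))
```

On these rows the client-opened exchanges repeat at a median of about 14.34 s and the server-opened ones at about 30 s. The first client interval (the initial connect, then the first exchange 2.5 s later) and the last one (the 08:38:34 exchange, 4.75 s after the previous) fall outside the 5 % band, which is why the score is a share of intervals rather than an all-or-nothing test; two outliers in ten still leave the flow well above the threshold. The check keys on cadence rather than on 9852/tcp, since the port is whatever the operator set and changes from sample to sample while the keep-alive rhythm does not.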
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 28, 2025 08:36:32.629650116 CET | 60095 | 53 | 192.168.2.4 | 1.1.1.1 |
Mar 28, 2025 08:36:32.776674032 CET | 53 | 60095 | 1.1.1.1 | 192.168.2.4 |
Mar 28, 2025 08:37:10.880825996 CET | 53 | 60395 | 162.159.36.2 | 192.168.2.4 |
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 28, 2025 08:36:32.629650116 CET | 192.168.2.4 | 1.1.1.1 | 0xff9e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 28, 2025 08:36:32.776674032 CET | 1.1.1.1 | 192.168.2.4 | 0xff9e | No error (0) | | | 176.65.134.105 | A (IP address) | IN (0x0001) | false |
Mar 28, 2025 08:36:33.674793005 CET | 1.1.1.1 | 192.168.2.4 | 0xdb10 | No error (0) | | | 199.232.90.172 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 03:36:28 |
Start date: | 28/03/2025 |
Path: | C:\Users\user\Desktop\SZf8I0IvEg.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xe20000 |
File size: | 48'640 bytes |
MD5 hash: | C7C64687AE709D71B1440FD99A62F0F6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 18.9% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 9 |
Total number of Limit Nodes: | 0 |
Control-flow graphs: six per-function panels (Strings, APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are rendered interactively in the original report and carry no text here.