
Windows Analysis Report
lumber.exe

Overview

General Information

Sample name:lumber.exe
Analysis ID:1655016
MD5:8c12ef792bb6e0bf3c7fd1a3cd46642a
SHA1:c0967e182486840452ba2b1b291af68d28596f4b
SHA256:823c771434d6b1e8dd4092094c1ea44bda8cccf7f864214fa8a89dffa71f25cb

Detection

Metasploit
Score:92
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

Classification chart (axes): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • lumber.exe (PID: 6080 cmdline: "C:\Users\user\Desktop\lumber.exe" MD5: 8C12EF792BB6E0BF3C7FD1A3CD46642A)
  • cleanup
{
  "Type": "Shell Reverse Http",
  "URL": "http://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqkHcOXW2GC3IVnOreL1LJ36bDtSCPFtK_2_byVOZkZqWrsqvyFf837ZYjEmyn6ni2BWxst55Y5nmdfA8mMvlYE98sHjuB8cPmCC"
}
Yara matches (sample):
Source | Rule | Description | Author | Strings
lumber.exe | JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security |

Yara matches (memory dumps):
Source | Rule | Description | Author | Strings
00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security |
00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_24338919 | Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). | unknown | 0xe7:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07

      System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 54.158.34.216, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\lumber.exe, Initiated: true, ProcessId: 6080, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49681
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-02T21:39:43.793309+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49681 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:39:50.180004+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49683 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:39:55.402329+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49684 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:40:00.881414+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49687 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:40:06.175633+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49691 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:40:11.700788+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49692 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:40:16.918243+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49696 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:40:22.860811+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:40:28.078443+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 54.158.34.216 | 8080 | TCP
2025-04-02T21:40:33.525928+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 54.158.34.216 | 8080 | TCP


      AV Detection

Source: lumber.exe | Avira: detected
Source: 00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Type": "Shell Reverse Http", "URL": "http://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqkHcOXW2GC3IVnOreL1LJ36bDtSCPFtK_2_byVOZkZqWrsqvyFf837ZYjEmyn6ni2BWxst55Y5nmdfA8mMvlYE98sHjuB8cPmCC"}
Source: lumber.exe | Virustotal: Detection: 86%
Source: lumber.exe | ReversingLabs: Detection: 83%
Source: lumber.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: lumber.exe | Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb

      Networking

Source: Malware configuration extractor | URLs: http://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqkHcOXW2GC3IVnOreL1LJ36bDtSCPFtK_2_byVOZkZqWrsqvyFf837ZYjEmyn6ni2BWxst55Y5nmdfA8mMvlYE98sHjuB8cPmCC
Source: global traffic | TCP traffic: 192.168.2.7:49681 -> 54.158.34.216:8080
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49684 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49681 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49683 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49687 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49700 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49696 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49701 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49692 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49691 -> 54.158.34.216:8080
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49699 -> 54.158.34.216:8080
Source: unknown | TCP traffic detected without corresponding DNS query: 54.158.34.216
Source: lumber.exe, 00000000.00000003.1079841513.000000000049B000.00000004.00000020.00020000.00000000.sdmp, lumber.exe, 00000000.00000003.919245761.000000000049B000.00000004.00000020.00020000.00000000.sdmp, lumber.exe, 00000000.00000002.1456156758.000000000049B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lumber.exe, 00000000.00000002.1456156758.000000000049B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8ff59318a7e53
Source: lumber.exe, 00000000.00000003.1079841513.000000000049B000.00000004.00000020.00020000.00000000.sdmp, lumber.exe, 00000000.00000003.1079905349.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, lumber.exe, 00000000.00000003.919245761.000000000049B000.00000004.00000020.00020000.00000000.sdmp, lumber.exe, 00000000.00000002.1456156758.000000000049B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabI
Source: lumber.exe | String found in binary or memory: http://www.apache.org/
Source: lumber.exe | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: lumber.exe | String found in binary or memory: http://www.zeustech.net/
Source: lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://54.158.34.216/
Source: lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://54.158.34.216/Qh
Source: lumber.exe, 00000000.00000002.1456325886.00000000004F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://54.158.34.216:8080/
Source: lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqk

      System Summary

Source: 00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: lumber.exe, 00000000.00000000.905254411.0000000000415000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameab.exeF vs lumber.exe
Source: lumber.exe | Binary or memory string: OriginalFilenameab.exeF vs lumber.exe
Source: 00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: lumber.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal92.troj.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\lumber.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\lumber.exe | Sections loaded: apphelp.dll, wsock32.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, cryptnet.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, cabinet.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Users\user\Desktop\lumber.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: lumber.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lumber.exe | Static PE information: section name: .text entropy: 7.044762434727162
Source: C:\Users\user\Desktop\lumber.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp, lumber.exe, 00000000.00000002.1456156758.000000000042E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWssRF
Source: C:\Users\user\Desktop\lumber.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: lumber.exe, type: SAMPLE
MITRE ATT&CK Matrix (techniques with matching signatures carry the number of signatures in parentheses; unmarked entries are the matrix template):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Software Packing (2); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Query Registry (1); Security Software Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Non-Standard Port (1); Application Layer Protocol (1); Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID: 1655016; Sample: lumber.exe; Start date: 02/04/2025; Architecture: WINDOWS; Score: 92). Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 3 other signatures. Process: lumber.exe started. DNS/IP: 54.158.34.216 (ports 49681, 49683, 49684), AMAZON-AESUS, United States.

Antivirus detection (submitted sample):
Source | Detection | Scanner | Label
lumber.exe | 86% | Virustotal |
lumber.exe | 83% | ReversingLabs | Win32.Trojan.CryptZMarte
lumber.exe | 100% | Avira | TR/Patched.Gen2
No Antivirus matches

Antivirus detection (URLs):
Source | Detection | Scanner | Label
https://54.158.34.216/ | 0% | Avira URL Cloud | safe
https://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqk | 0% | Avira URL Cloud | safe
https://54.158.34.216/Qh | 0% | Avira URL Cloud | safe
http://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqkHcOXW2GC3IVnOreL1LJ36bDtSCPFtK_2_byVOZkZqWrsqvyFf837ZYjEmyn6ni2BWxst55Y5nmdfA8mMvlYE98sHjuB8cPmCC | 0% | Avira URL Cloud | safe
http://www.zeustech.net/ | 0% | Avira URL Cloud | safe
https://54.158.34.216:8080/ | 0% | Avira URL Cloud | safe


Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqkHcOXW2GC3IVnOreL1LJ36bDtSCPFtK_2_byVOZkZqWrsqvyFf837ZYjEmyn6ni2BWxst55Y5nmdfA8mMvlYE98sHjuB8cPmCC | true | Avira URL Cloud: safe | unknown

URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | lumber.exe | false | | high
https://54.158.34.216/ | lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://54.158.34.216:8080/7Hsk2YaixMw38DbxUNIOiAZX-9aPyK-zT_U2iSasJx9jV9QpI3bF4FGfb_6gogRwb_I5htpqk | lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://54.158.34.216/Qh | lumber.exe, 00000000.00000002.1456156758.000000000047A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/ | lumber.exe | false | | high
http://www.zeustech.net/ | lumber.exe | false | Avira URL Cloud: safe | unknown
https://54.158.34.216:8080/ | lumber.exe, 00000000.00000002.1456325886.00000000004F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
54.158.34.216 | unknown | United States | 14618 | AMAZON-AESUS | true
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1655016
            Start date and time:2025-04-02 21:38:45 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 3m 48s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:lumber.exe
            Detection:MAL
            Classification:mal92.troj.winEXE@1/2@0/1
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 199.232.210.172, 4.245.163.56, 184.31.69.3
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            No simulations
            No context
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
http://john.mason@e-hazard.com | malicious | Unknown | 199.232.214.172
http://xtgcpapxpm.ru | malicious | Unknown | 199.232.210.172
Inv2025_Overdue_Integr8PDF.js | malicious | AgentTesla | 199.232.214.172
https://targetbp.org/wp-content/uploads/2017/03/2025_TBPDataCollectionWorksheet.pdf | malicious | Unknown | 199.232.214.172
https://targetbp.org/wp-content/uploads/2017/03/2025_TBPDataCollectionWorksheet.pdf | malicious | Unknown | 199.232.210.172
Statement 02-03-2025.xlsx | malicious | Unknown | 199.232.210.172
BIGIPEdgeClient (2) 1.exe | malicious | Unknown | 199.232.210.172
Statement 02-03-2025.xlsx | malicious | Unknown | 199.232.214.172
BIGIPEdgeClient (2) 1.exe | malicious | Unknown | 199.232.210.172
Schikkingsovereenkomst-Definitief1137373790..pdf | malicious | Unknown | 199.232.210.172
Match: AMAZON-AESUS
Associated Sample Name / URL | Detection | Threat Name | Context
na.elf | malicious | Prometei | 34.229.166.50
na.elf | malicious | Prometei | 34.229.166.50
http://belastingdiensrt.nl.services.cartoriomoreirafeitosa.com.br//#mclear@securustechnologies.com | malicious | HTMLPhisher | 54.161.194.228
https://sprayfoamsys.com | malicious | Unknown | 100.29.2.83
https://sprayfoamsys.com | malicious | Unknown | 100.29.2.83
na.elf | malicious | Prometei | 34.229.166.50
http://john.mason@e-hazard.com | malicious | Unknown | 54.208.129.98
na.elf | malicious | Prometei | 34.229.166.50
na.elf | malicious | Prometei | 34.229.166.50
na.elf | malicious | Prometei | 34.229.166.50
            No context
            No context
            Process:C:\Users\user\Desktop\lumber.exe
            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
            Category:dropped
            Size (bytes):73305
            Entropy (8bit):7.996028107841645
            Encrypted:true
            SSDEEP:1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
            MD5:83142242E97B8953C386F988AA694E4A
            SHA1:833ED12FC15B356136DCDD27C61A50F59C5C7D50
            SHA-256:D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
            SHA-512:BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
            Malicious:false
            Reputation:moderate, very likely benign file
            Process:C:\Users\user\Desktop\lumber.exe
            File Type:data
            Category:modified
            Size (bytes):330
            Entropy (8bit):3.2717236675215347
            Encrypted:false
            SSDEEP:6:kK3emcQRnSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:2mfZkPlE99SNxAhUeq8S
            MD5:BC694E94452E397534984606BCA4F326
            SHA1:9967EA9614B36143649D883763D395FB9F4B9093
            SHA-256:E5AA190B6FE14CB23488C568FDF5529529D72BB778510F397A48E861753968B7
            SHA-512:AF2CBAC47E3A2FB47835661BDA7D1427DEFCCC006616F017E8B510C29BBCBD0E28DB13623F211402722B22C185189E223CF7194BDC205BEB373E8B6D182A6651
            Malicious:false
            Reputation:low
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.342676669183681
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:lumber.exe
            File size:73'802 bytes
            MD5:8c12ef792bb6e0bf3c7fd1a3cd46642a
            SHA1:c0967e182486840452ba2b1b291af68d28596f4b
            SHA256:823c771434d6b1e8dd4092094c1ea44bda8cccf7f864214fa8a89dffa71f25cb
            SHA512:dc0c37e843f58d447189f179d46f16198d4aa39785ea99aadcb379421ffd85fd6d2b16e54b7ae092eaa92a1a455abbe3334e51e554ab7ef6e0ac2d5173cbf286
            SSDEEP:768:Ij//2bgdYTpCBQVCayn9KDJpi9ALXwdYZAQ/SJaejzPCHSckzCScx4qXfb+KRBau:Ib/OtC0yMGEwdNJaKMb+KR0Nc8QsJq39
            TLSH:3073CF42E9C41435C1A212BD33B53ABAAD75F1B53611C19A3A8CCDE9EBD18F092793C6
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...K..I...........
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x401049
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:
            Time Stamp:0x49E4C14B [Tue Apr 14 17:00:59 2009 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:481f47bbb2c9c21e108d65f52b04c448
            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x7c8 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0xa966 | 0xb000 | 7c4058d6be6263651462bec56380567a | False | 0.8211558948863636 | data | 7.044762434727162 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0xc000 | 0xfe6 | 0x1000 | 25d7ceee3aa85bb3e8c5174736f6f830 | False | 0.46142578125 | DOS executable (COM, 0x8C-variant) | 5.318390353744998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_VERSION | 0x15060 | 0x768 | data | English | United States | 0.40189873417721517
            DLL | Import
            MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp
            KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree
            ADVAPI32.dll | FreeSid, AllocateAndInitializeSid
            WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError
            WS2_32.dll | WSARecv, WSASend
            Description | Data
            Comments | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
            CompanyName | Apache Software Foundation
            FileDescription | ApacheBench command line utility
            FileVersion | 2.2.14
            InternalName | ab.exe
            LegalCopyright | Copyright 2009 The Apache Software Foundation.
            OriginalFilename | ab.exe
            ProductName | Apache HTTP Server
            ProductVersion | 2.2.14
            Translation | 0x0409 0x04b0
            Language of compilation system | Country where language is spoken
            English | United States

            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
            2025-04-02T21:39:43.793309+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49681 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:39:50.180004+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49683 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:39:55.402329+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49684 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:40:00.881414+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49687 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:40:06.175633+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49691 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:40:11.700788+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49692 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:40:16.918243+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49696 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:40:22.860811+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49699 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:40:28.078443+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49700 | 54.158.34.216 | 8080 | TCP
            2025-04-02T21:40:33.525928+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49701 | 54.158.34.216 | 8080 | TCP
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name / CName | Address | Type | Class | DNS over HTTPS
            Apr 2, 2025 21:39:44.011322021 CEST | 1.1.1.1 | 192.168.2.7 | 0x7582 | No error (0) | bg.microsoft.map.fastly.net | 199.232.210.172 | A (IP address) | IN (0x0001) | false
            Apr 2, 2025 21:39:44.011322021 CEST | 1.1.1.1 | 192.168.2.7 | 0x7582 | No error (0) | bg.microsoft.map.fastly.net | 199.232.214.172 | A (IP address) | IN (0x0001) | false
            Target ID:0
            Start time:15:39:42
            Start date:02/04/2025
            Path:C:\Users\user\Desktop\lumber.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\lumber.exe"
            Imagebase:0x400000
            File size:73'802 bytes
            MD5 hash:8C12EF792BB6E0BF3C7FD1A3CD46642A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000000.00000002.1456445373.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            No disassembly