Analysis Report Quotation #01521.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | ||
JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | ||
RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth |
| |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for dropped file | Show sources |
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Yara detected RevengeRAT | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_0182EFE0 | |
Source: | Code function: | 0_2_059ECE38 | |
Source: | Code function: | 0_2_059E444D | |
Source: | Code function: | 0_2_059EB1D0 | |
Source: | Code function: | 0_2_059E6C84 | |
Source: | Code function: | 0_2_059E4C50 | |
Source: | Code function: | 0_2_059E4C50 | |
Source: | Code function: | 0_2_059E4C45 | |
Source: | Code function: | 0_2_059E4C45 | |
Source: | Code function: | 0_2_059E3E94 | |
Source: | Code function: | 0_2_059E5EE8 | |
Source: | Code function: | 0_2_059E5E08 | |
Source: | Code function: | 0_2_059E4930 | |
Source: | Code function: | 0_2_059E4930 | |
Source: | Code function: | 0_2_059E4924 | |
Source: | Code function: | 0_2_059E4924 | |
Source: | Code function: | 0_2_059E4B88 | |
Source: | Code function: | 0_2_059E4B7C |
Networking: |
---|
Connects to many ports of the same IP (likely port scanning) | Show sources |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
E-Banking Fraud: |
---|
Yara detected RevengeRAT | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary: |
---|
Malicious sample detected (through community Yara rule) | Show sources |
Source: | Matched rule: |
Initial sample is a PE file and has a suspicious name | Show sources |
Source: | Static PE information: |
Source: | Code function: | 0_2_0182F8E8 | |
Source: | Code function: | 0_2_01824828 | |
Source: | Code function: | 0_2_0182D839 | |
Source: | Code function: | 0_2_0182AA89 | |
Source: | Code function: | 0_2_01824200 | |
Source: | Code function: | 0_2_0182BDB0 | |
Source: | Code function: | 0_2_01827D30 | |
Source: | Code function: | 0_2_01829F90 | |
Source: | Code function: | 0_2_0182EFE0 | |
Source: | Code function: | 0_2_0182F8D8 | |
Source: | Code function: | 0_2_0182D873 | |
Source: | Code function: | 0_2_059E0408 | |
Source: | Code function: | 0_2_059E5408 | |
Source: | Code function: | 0_2_059E53F7 | |
Source: | Code function: | 0_2_059E59B8 | |
Source: | Code function: | 0_2_059E59AA | |
Source: | Code function: | 0_2_059EB880 | |
Source: | Code function: | 0_2_059EB870 |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process created: |
Source: | Matched rule: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00F17719 | |
Source: | Code function: | 0_2_01825751 |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Drops PE files to the user root directory | Show sources |
Source: | File created: | Jump to dropped file |
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection: |
---|
Hides that the sample has been downloaded from the Internet (zone.identifier) | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Registry key monitored for changes: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion: |
---|
Yara detected AntiVM_3 | Show sources |
Source: | File source: |
Source: | File opened / queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior |
Source: | WMI Queries: |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Registry key value queried: | Jump to behavior | ||
Source: | Registry key value queried: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Stealing of Sensitive Information: |
---|
Yara detected RevengeRAT | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected RevengeRAT | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation21 | Registry Run Keys / Startup Folder1 | Process Injection11 | Masquerading111 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder1 | Modify Registry1 | LSASS Memory | Security Software Discovery131 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion4 | Security Account Manager | Virtualization/Sandbox Evasion4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools1 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection11 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories1 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information2 | Proc Filesystem | System Information Discovery23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
15% | ReversingLabs | |||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
15% | ReversingLabs |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
chongmei33.myddns.rocks | 37.120.208.40 | true | true | unknown | |
g.msn.com | unknown | unknown | false | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
37.120.208.40 | unknown | Romania | 9009 | M247GB | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 336032 |
Start date: | 05.01.2021 |
Start time: | 08:37:05 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Quotation #01521.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 37 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@10/3@2/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
08:37:58 | API Interceptor | |
08:38:00 | Autostart | |
08:38:08 | Autostart | |
08:38:48 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
37.120.208.40 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
M247GB | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\Quotation #01521.exe |
File Type: | |
Category: | modified |
Size (bytes): | 1451 |
Entropy (8bit): | 5.345862727722058 |
Encrypted: | false |
SSDEEP: | 24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm |
MD5: | 06F54CDBFEF62849AF5AE052722BD7B6 |
SHA1: | FB0250AAC2057D0B5BCE4CE130891E428F28DA05 |
SHA-256: | 4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446 |
SHA-512: | 34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\user\Desktop\Quotation #01521.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 835584 |
Entropy (8bit): | 4.46467471127672 |
Encrypted: | false |
SSDEEP: | 6144:KS7/DxvkrhDdyquS7xY+kbB44daFa7XIEk9RC9uT0mSAQdP:b7cIqh7x78B4urLIvpT0mSAQdP |
MD5: | 73619A5F7EAB7A80E0FBBD5C8493C9B4 |
SHA1: | 84DB67126574C21EF3233518452876AD123B4AA1 |
SHA-256: | 7A538B979C2A126FB287ED7BBB18AC55687273DFBAC2C09DE85F073C9BF5E3DF |
SHA-512: | B92F4239DA62411EDCBF2378E67E28A307752F1B55D5977527E83069630A5D9894BB4F7138473DA42F183B6FC5CDCB334AFF76805ACBAE6908B35ED8716940C4 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\Quotation #01521.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.46467471127672 |
TrID: |
|
File name: | Quotation #01521.exe |
File size: | 835584 |
MD5: | 73619a5f7eab7a80e0fbbd5c8493c9b4 |
SHA1: | 84db67126574c21ef3233518452876ad123b4aa1 |
SHA256: | 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df |
SHA512: | b92f4239da62411edcbf2378e67e28a307752f1b55d5977527e83069630a5d9894bb4f7138473da42f183b6fc5cdcb334aff76805acbae6908b35ed8716940c4 |
SSDEEP: | 6144:KS7/DxvkrhDdyquS7xY+kbB44daFa7XIEk9RC9uT0mSAQdP:b7cIqh7x78B4urLIvpT0mSAQdP |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..;................. ..........N>... ...@....@.. ....................................`................................ |
File Icon |
---|
Icon Hash: | e4e0d2d6d2d2c4dc |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4a3e4e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA |
Time Stamp: | 0x3B950972 [Tue Sep 4 17:03:46 2001 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa3e00 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x29b96 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xa1e54 | 0xa2000 | False | 0.368860315394 | data | 4.12737708702 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xa4000 | 0x29b96 | 0x29c00 | False | 0.115708037051 | data | 4.70184642753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xce000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xa42b0 | 0x1b2f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0xa5de0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0xb6608 | 0x94a8 | data | ||
RT_ICON | 0xbfab0 | 0x5488 | data | ||
RT_ICON | 0xc4f38 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294901760 | ||
RT_ICON | 0xc9160 | 0x25a8 | data | ||
RT_ICON | 0xcb708 | 0x10a8 | data | ||
RT_ICON | 0xcc7b0 | 0x988 | data | ||
RT_ICON | 0xcd138 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0xcd5a0 | 0x84 | data | ||
RT_VERSION | 0xcd624 | 0x388 | data | ||
RT_MANIFEST | 0xcd9ac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 1998 >JGJ2>:6B?FE;<?6H |
Assembly Version | 1.0.0.0 |
InternalName | mkl.exe |
FileVersion | 3.5.6.7 |
CompanyName | >JGJ2>:6B?FE;<?6H |
Comments | 9BAJGD7>EG<542F5=945AGH |
ProductName | FA6?E>AC?<7G:I=A<@CE66HF |
ProductVersion | 3.5.6.7 |
FileDescription | FA6?E>AC?<7G:I=A<@CE66HF |
OriginalFilename | mkl.exe |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 5, 2021 08:39:26.027009010 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:26.264777899 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:26.265075922 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:26.504221916 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:27.155687094 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:27.600404024 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:37.130244970 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:37.178601980 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:37.886257887 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:38.135562897 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:38.158364058 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:38.611644983 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:38.611854076 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:39.049501896 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:52.132004976 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:52.139405966 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:52.380076885 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:52.391149998 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:52.840228081 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:39:52.840440989 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:39:53.271945000 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:07.183716059 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:07.193002939 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:07.432538986 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:07.477636099 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:07.479475021 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:07.913149118 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:07.913809061 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:08.356857061 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:22.188740015 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:22.194657087 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:22.427228928 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:22.438457966 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:22.937519073 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:22.937616110 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:23.380573034 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:37.182756901 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:37.190282106 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:37.445751905 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:37.456758022 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:37.895008087 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:37.896106005 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:38.356151104 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:52.191442966 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:52.196420908 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:52.448169947 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:52.458578110 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:52.909785986 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:40:52.910044909 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:40:53.361350060 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:07.187779903 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:07.190438032 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:41:07.442552090 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:07.448909044 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:41:07.908231974 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:07.908301115 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:41:08.367944956 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:22.190506935 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:22.195743084 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:41:22.439913034 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:22.465040922 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:41:22.953972101 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
Jan 5, 2021 08:41:22.954184055 CET | 49739 | 57438 | 192.168.2.3 | 37.120.208.40 |
Jan 5, 2021 08:41:23.452014923 CET | 57438 | 49739 | 37.120.208.40 | 192.168.2.3 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 5, 2021 08:37:49.814743042 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:49.862793922 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:50.949738026 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:51.000473022 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:52.565772057 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:52.616492033 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:53.721333027 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:53.772260904 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:54.534734011 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:54.590909004 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:55.413758039 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:55.464778900 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:56.299575090 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:56.347615004 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:57.157831907 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:57.214122057 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:58.317035913 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:58.364936113 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:37:59.484648943 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:37:59.540815115 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:12.420068979 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:12.476290941 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:14.892173052 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:14.940196037 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:16.745394945 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:16.793289900 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:22.021966934 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:22.082416058 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:25.692018032 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:25.750015974 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:37.473880053 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:37.521739960 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:42.183382034 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:42.239847898 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:55.060189009 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:55.108089924 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:57.921255112 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:57.995484114 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:38:59.488545895 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:38:59.547683954 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:39:25.793894053 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:39:26.005244970 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:39:31.019515038 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:39:31.067576885 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:39:33.711487055 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:39:33.769594908 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:06.953296900 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:07.001265049 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:07.455620050 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:07.522232056 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:39.599446058 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:39.647557020 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:40.331362009 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:40.382041931 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:41.424005032 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:41.481679916 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:42.125303030 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:42.176090956 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:42.918059111 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:42.977232933 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:44.984572887 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:45.033242941 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:47.337440014 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:47.393894911 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:48.567800999 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:48.624480963 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:49.813815117 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:49.869977951 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3 |
Jan 5, 2021 08:40:50.708894968 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 5, 2021 08:40:50.768207073 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 5, 2021 08:38:57.921255112 CET | 192.168.2.3 | 8.8.8.8 | 0xe5dd | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 5, 2021 08:39:25.793894053 CET | 192.168.2.3 | 8.8.8.8 | 0xfc89 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 5, 2021 08:38:57.995484114 CET | 8.8.8.8 | 192.168.2.3 | 0xe5dd | No error (0) | g-msn-com-nsatc.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | ||
Jan 5, 2021 08:39:26.005244970 CET | 8.8.8.8 | 192.168.2.3 | 0xfc89 | No error (0) | 37.120.208.40 | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 08:37:53 |
Start date: | 05/01/2021 |
Path: | C:\Users\user\Desktop\Quotation #01521.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf10000 |
File size: | 835584 bytes |
MD5 hash: | 73619A5F7EAB7A80E0FBBD5C8493C9B4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 08:37:56 |
Start date: | 05/01/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbd0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:37:56 |
Start date: | 05/01/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:37:56 |
Start date: | 05/01/2021 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1200000 |
File size: | 59392 bytes |
MD5 hash: | CEE2A7E57DF2A159A065A34913A055C2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:38:43 |
Start date: | 05/01/2021 |
Path: | C:\Users\user\word.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfc0000 |
File size: | 835584 bytes |
MD5 hash: | 73619A5F7EAB7A80E0FBBD5C8493C9B4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Antivirus matches: |
|
Reputation: | low |
General |
---|
Start time: | 08:39:19 |
Start date: | 05/01/2021 |
Path: | C:\Users\user\word.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x610000 |
File size: | 835584 bytes |
MD5 hash: | 73619A5F7EAB7A80E0FBBD5C8493C9B4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 0182D839, Relevance: 6.0, Strings: 4, Instructions: 987COMMON
Strings |
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182D873, Relevance: 4.1, Strings: 3, Instructions: 323COMMON
Strings |
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01829F90, Relevance: 3.1, Strings: 2, Instructions: 649COMMON
Strings |
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182EFE0, Relevance: 1.7, Strings: 1, Instructions: 474COMMON
Strings |
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01827D30, Relevance: .9, Instructions: 894COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182BDB0, Relevance: .5, Instructions: 512COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01824200, Relevance: .5, Instructions: 511COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182AA89, Relevance: .5, Instructions: 504COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01824828, Relevance: .5, Instructions: 465COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182F8E8, Relevance: .3, Instructions: 294COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182F8D8, Relevance: .2, Instructions: 210COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059ECE38, Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E6144, Relevance: 1.8, APIs: 1, Instructions: 273COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E613D, Relevance: 1.8, APIs: 1, Instructions: 267COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059ED015, Relevance: 1.8, APIs: 1, Instructions: 263COMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01829CEA, Relevance: 1.7, APIs: 1, Instructions: 156fileCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182A980, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182E679, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182ECF3, Relevance: 1.6, APIs: 1, Instructions: 95fileCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182A988, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182E680, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182EE3B, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01829D24, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0182ED38, Relevance: 1.6, APIs: 1, Instructions: 80fileCOMMON
APIs |
|
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 059E0408, Relevance: .3, Instructions: 327COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059EB880, Relevance: .3, Instructions: 294COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059EB870, Relevance: .3, Instructions: 293COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E5E08, Relevance: .3, Instructions: 282COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E53F7, Relevance: .3, Instructions: 271COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E5408, Relevance: .3, Instructions: 264COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E59B8, Relevance: .2, Instructions: 244COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059EB1D0, Relevance: .1, Instructions: 134COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E6C84, Relevance: .1, Instructions: 109COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E5EE8, Relevance: .1, Instructions: 105COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E444D, Relevance: .1, Instructions: 99COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E3E94, Relevance: .1, Instructions: 97COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E59AA, Relevance: .1, Instructions: 83COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E4924, Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E4930, Relevance: .1, Instructions: 71COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E4C45, Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E4C50, Relevance: .1, Instructions: 59COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E4B7C, Relevance: .0, Instructions: 39COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 059E4B88, Relevance: .0, Instructions: 34COMMON
Memory Dump Source |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |