Analysis Report TNT eInvoice.exe

Source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "sent@pinaudalgasova.ca,%5YLk4Ajd(Rmail.pinaudalgasova.caorisa@pinaudalgasova.ca"}}

Multi AV Scanner detection for submitted file

Source: TNT eInvoice.exe	Virustotal: Detection: 25%			Perma Link
Source: TNT eInvoice.exe	ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: TNT eInvoice.exe

Joe Sandbox ML: detected

Source: 3.2.TNT eInvoice.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen

Compliance:

Uses 32bit PE files

Source: TNT eInvoice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49717 version: TLS 1.0

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: TNT eInvoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View	IP Address: 131.186.161.70 131.186.161.70
Source: Joe Sandbox View	IP Address: 104.21.19.200 104.21.19.200

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49717 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/HB
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Cloudfl
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: TNT eInvoice.exe, 00000003.00000002.495264713.000000000140C000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot20L
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.c
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: TNT eInvoice.exe, 00000003.00000002.495264713.000000000140C000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.78
Source: TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: TNT eInvoice.exe, 00000003.00000002.495973738.0000000003069000.00000004.00000001.sdmp, TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/C
Source: TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

System Summary:

.NET source code contains very large strings

Source: TNT eInvoice.exe, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 0.2.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 0.0.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 1.2.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 1.0.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 3.0.TNT eInvoice.exe.c10000.0.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776
Source: 3.2.TNT eInvoice.exe.c10000.1.unpack, Health_Point_Game/FormatterTypeStyle.cs	Long String: Length: 14776

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: TNT eInvoice.exe

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230FB20	0_2_0230FB20
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230C2B0	0_2_0230C2B0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230F73D	0_2_0230F73D
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_02309990	0_2_02309990
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1F488	3_2_05B1F488
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1EC50	3_2_05B1EC50
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B11C00	3_2_05B11C00
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B14FA0	3_2_05B14FA0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B147A0	3_2_05B147A0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B13FA0	3_2_05B13FA0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B137F0	3_2_05B137F0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B137E1	3_2_05B137E1
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B10EA8	3_2_05B10EA8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1F1F8	3_2_05B1F1F8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B17932	3_2_05B17932
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B17940	3_2_05B17940
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B10006	3_2_05B10006
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B10040	3_2_05B10040
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06732778	3_2_06732778
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06734740	3_2_06734740
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067307D8	3_2_067307D8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06730040	3_2_06730040
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06734F28	3_2_06734F28
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06730FC0	3_2_06730FC0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06732F88	3_2_06732F88
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06733770	3_2_06733770
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067317A8	3_2_067317A8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06733F58	3_2_06733F58
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06731F90	3_2_06731F90
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06730007	3_2_06730007
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06734F17	3_2_06734F17
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06733760	3_2_06733760
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06731799	3_2_06731799
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06767E68	3_2_06767E68
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06768650	3_2_06768650
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06768E38	3_2_06768E38
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06769620	3_2_06769620
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06769E08	3_2_06769E08
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06766EE8	3_2_06766EE8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067676D0	3_2_067676D0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06764760	3_2_06764760
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06764F48	3_2_06764F48
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06765730	3_2_06765730
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06765F18	3_2_06765F18
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06766700	3_2_06766700
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06762FF8	3_2_06762FF8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06763FC8	3_2_06763FC8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06763790	3_2_06763790
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676A5F0	3_2_0676A5F0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676CDD0	3_2_0676CDD0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676ADD8	3_2_0676ADD8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676B5C0	3_2_0676B5C0
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676D5B8	3_2_0676D5B8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676BDA8	3_2_0676BDA8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676C598	3_2_0676C598
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676F278	3_2_0676F278
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_0676EAC8	3_2_0676EAC8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06760040	3_2_06760040
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06766ED7	3_2_06766ED7
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067676C7	3_2_067676C7
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06762FE8	3_2_06762FE8
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06763FBB	3_2_06763FBB
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_06760007	3_2_06760007

Source: TNT eInvoice.exe	Binary or memory string: OriginalFilename vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename8MC0UDR6.exe4 vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000000.00000002.237044575.0000000005501000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000000.00000002.237907630.000000000DAB0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs TNT eInvoice.exe
Source: TNT eInvoice.exe	Binary or memory string: OriginalFilename vs TNT eInvoice.exe
Source: TNT eInvoice.exe	Binary or memory string: OriginalFilename vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000003.00000002.492445341.0000000000466000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename8MC0UDR6.exe4 vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000003.00000002.494362718.00000000011D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TNT eInvoice.exe
Source: TNT eInvoice.exe, 00000003.00000002.493073866.00000000010F6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TNT eInvoice.exe
Source: TNT eInvoice.exe	Binary or memory string: OriginalFilenameStreamingContextStates.exe: vs TNT eInvoice.exe

Source: TNT eInvoice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/2

Source: C:\Users\user\Desktop\TNT eInvoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT eInvoice.exe.log

Source: TNT eInvoice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: TNT eInvoice.exe	Virustotal: Detection: 25%
Source: TNT eInvoice.exe	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\TNT eInvoice.exe 'C:\Users\user\Desktop\TNT eInvoice.exe'
Source: unknown	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe
Source: unknown	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe	Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: TNT eInvoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TNT eInvoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: TNT eInvoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains potential unpacker

Source: TNT eInvoice.exe, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.TNT eInvoice.exe.f0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.TNT eInvoice.exe.2a0000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.TNT eInvoice.exe.c10000.0.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.TNT eInvoice.exe.c10000.1.unpack, Health_Point_Game/FallbackBuffer.cs	.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0xDE7CE35A [Tue Apr 13 20:30:18 2088 UTC]

Yara detected Beds Obfuscator

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 0_2_0230D4FC push E8023FFEh; ret	0_2_0230D501
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_05B1BC02 push 8B000003h; iretd	3_2_05B1BC0C
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Code function: 3_2_067621CF push es; retf	3_2_067621D0

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Yara detected Beds Obfuscator

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\TNT eInvoice.exe TID: 6336	Thread sleep time: -104144s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe TID: 6360	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: TNT eInvoice.exe, 00000003.00000002.495152887.00000000013D0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Code function: 3_2_06762D50 LdrInitializeThunk,

3_2_06762D50

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Process created: C:\Users\user\Desktop\TNT eInvoice.exe C:\Users\user\Desktop\TNT eInvoice.exe			Jump to behavior

Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: TNT eInvoice.exe, 00000003.00000002.495369500.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Users\user\Desktop\TNT eInvoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Users\user\Desktop\TNT eInvoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Snake Keylogger

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\TNT eInvoice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\TNT eInvoice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\TNT eInvoice.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\Desktop\TNT eInvoice.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000003.00000002.495973738.0000000003069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger

Source: Yara match	File source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: TNT eInvoice.exe PID: 6332, type: MEMORY
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.TNT eInvoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.378c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3701500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TNT eInvoice.exe.3940fd0.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping2	Security Software Discovery11	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TNT eInvoice.exe	25%	Virustotal		Browse
TNT eInvoice.exe	15%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
TNT eInvoice.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.TNT eInvoice.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen		Download File

Domains

Source	Detection	Scanner	Link
freegeoip.app	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.org/HB	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.78	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	104.21.19.200	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.com	131.186.161.70	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/HB	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://freegeoip.app/xml/	TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false		high
http://checkip.dyndns.org	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/LoadCountryNameClipboard	TNT eInvoice.exe, 00000003.00000002.495644136.0000000003001000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	TNT eInvoice.exe, 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/84.17.52.78	TNT eInvoice.exe, 00000003.00000002.495864254.000000000304B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
131.186.161.70	unknown	United States		33517	DYNDNSUS	false
104.21.19.200	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	360251
Start date:	01.03.2021
Start time:	17:27:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TNT eInvoice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@3/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 31 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 51.103.5.186, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.132.208.181, 104.43.193.48, 104.43.139.144, 23.211.6.115, 168.61.161.212, 52.255.188.83, 23.218.208.56, 20.82.209.183, 52.155.217.156, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:28:08	API Interceptor	1x Sleep call for process: TNT eInvoice.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
131.186.161.70	YF19NagrPh.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PI.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SH1PMENT DOCUMMENTS.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ORDER0023490923.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	DHL delivery 9808765668,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	AWB 9899691012 Clearance Doc.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	DHL SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Transfer Forms.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	07766554433.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	INVOICE-0899877.jar	Get hash	malicious	Browse	checkip.dyndns.org/
	Proforma_Invoice.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Bankdaten #f6356.pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Neue Bestellung_WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order NX-LI-15-0001.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	mif000262021.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PAYMENT SWIFT USD96110_PDF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	RFQ_#2021-2-25-1.pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Purchase Order#20222502G.exe	Get hash	malicious	Browse	checkip.dyndns.org/
104.21.19.200	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse
	OemRkTcBOc.exe	Get hash	malicious	Browse
	YF19NagrPh.exe	Get hash	malicious	Browse
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse
	MWPGKxTCp3.exe	Get hash	malicious	Browse
	t_DMD5VX.doc	Get hash	malicious	Browse
	y9K4ZA3o3E.exe	Get hash	malicious	Browse
	PO0301020.exe	Get hash	malicious	Browse
	HA00-20505LF.exe	Get hash	malicious	Browse
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse
	order list for best pricing.exe	Get hash	malicious	Browse
	Purchase Order-147000015740.exe	Get hash	malicious	Browse
	Copy_Sample7864576.exe	Get hash	malicious	Browse
	Confirm new order 51119_0014288190BC9,pdf.exe	Get hash	malicious	Browse
	AkbankSubeMevduatEkstre.pdf.exe	Get hash	malicious	Browse
	SH1PMENT DOCUMMENTS.exe	Get hash	malicious	Browse
	ORDER0023490923.exe	Get hash	malicious	Browse
	ORDER009882377343.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
freegeoip.app	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	104.21.19.200
	OemRkTcBOc.exe	Get hash	malicious	Browse	104.21.19.200
	YF19NagrPh.exe	Get hash	malicious	Browse	104.21.19.200
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	172.67.188.154
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	MWPGKxTCp3.exe	Get hash	malicious	Browse	104.21.19.200
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	172.67.188.154
	t_DMD5VX.doc	Get hash	malicious	Browse	104.21.19.200
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	104.21.19.200
	PO0301020.exe	Get hash	malicious	Browse	104.21.19.200
	HA00-20505LF.exe	Get hash	malicious	Browse	104.21.19.200
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	172.67.188.154
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	172.67.188.154
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	104.21.19.200
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	172.67.188.154
	doc02933820210226090207.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	order list for best pricing.exe	Get hash	malicious	Browse	104.21.19.200
	PI.exe	Get hash	malicious	Browse	172.67.188.154
	2189110276, pdf.exe	Get hash	malicious	Browse	172.67.188.154
checkip.dyndns.com	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	216.146.43.71
	OemRkTcBOc.exe	Get hash	malicious	Browse	162.88.193.70
	YF19NagrPh.exe	Get hash	malicious	Browse	131.186.161.70
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	162.88.193.70
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	131.186.161.70
	t_DMD5VX.doc	Get hash	malicious	Browse	162.88.193.70
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	131.186.113.70
	PO0301020.exe	Get hash	malicious	Browse	216.146.43.71
	HA00-20505LF.exe	Get hash	malicious	Browse	131.186.113.70
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	216.146.43.71
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	162.88.193.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	131.186.113.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	216.146.43.70
	doc02933820210226090207.pdf.exe	Get hash	malicious	Browse	216.146.43.70
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	order list for best pricing.exe	Get hash	malicious	Browse	216.146.43.70
	PI.exe	Get hash	malicious	Browse	162.88.193.70
	2189110276, pdf.exe	Get hash	malicious	Browse	162.88.193.70
	1708 210225SEBDBDDHABAN9012598115.exe	Get hash	malicious	Browse	162.88.193.70

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	104.21.19.200
	index_2021-03-01-17_13.dll	Get hash	malicious	Browse	104.20.185.68
	Hs52qascx.dll	Get hash	malicious	Browse	104.20.184.68
	Remittance Advice.xlsx	Get hash	malicious	Browse	23.227.38.74
	OemRkTcBOc.exe	Get hash	malicious	Browse	172.67.188.154
	YF19NagrPh.exe	Get hash	malicious	Browse	104.21.19.200
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase Order 02-28-21.exe	Get hash	malicious	Browse	162.159.135.233
	DZoj4wicd0.dll	Get hash	malicious	Browse	104.20.184.68
	uwq8T3mqDx.dll	Get hash	malicious	Browse	104.20.185.68
	E2uiGA3X2v.dll	Get hash	malicious	Browse	104.20.184.68
	l3EhTHpbDB.exe	Get hash	malicious	Browse	104.23.98.190
	enquries.pdf.exe	Get hash	malicious	Browse	104.21.85.173
	RjIx2AoDBJ.dll	Get hash	malicious	Browse	104.20.185.68
	v2dw80uF0x.dll	Get hash	malicious	Browse	104.20.185.68
	c7xT0JtUU7.dll	Get hash	malicious	Browse	104.20.185.68
	vDhk0cXtAD.dll	Get hash	malicious	Browse	104.20.184.68
	my6vhJ87w0.dll	Get hash	malicious	Browse	104.20.185.68
	lcZA3NDMaU.dll	Get hash	malicious	Browse	104.20.185.68
	grtf.dll	Get hash	malicious	Browse	104.20.185.68
DYNDNSUS	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	216.146.43.71
	OemRkTcBOc.exe	Get hash	malicious	Browse	162.88.193.70
	YF19NagrPh.exe	Get hash	malicious	Browse	162.88.193.70
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	162.88.193.70
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	131.186.161.70
	t_DMD5VX.doc	Get hash	malicious	Browse	216.146.43.71
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	131.186.113.70
	PO0301020.exe	Get hash	malicious	Browse	216.146.43.71
	HA00-20505LF.exe	Get hash	malicious	Browse	131.186.113.70
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	216.146.43.71
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	162.88.193.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	131.186.113.70
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	216.146.43.70
	doc02933820210226090207.pdf.exe	Get hash	malicious	Browse	216.146.43.70
	2021Mar01_9073782913, pdf.exe	Get hash	malicious	Browse	216.146.43.70
	order list for best pricing.exe	Get hash	malicious	Browse	216.146.43.70
	PI.exe	Get hash	malicious	Browse	162.88.193.70
	2189110276, pdf.exe	Get hash	malicious	Browse	162.88.193.70
	1708 210225SEBDBDDHABAN9012598115.exe	Get hash	malicious	Browse	162.88.193.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	vEfzMET8Zt3Zio1.exe	Get hash	malicious	Browse	104.21.19.200
	prCVRHmsqJ.exe	Get hash	malicious	Browse	104.21.19.200
	oZ8ZPPDTDR.exe	Get hash	malicious	Browse	104.21.19.200
	OemRkTcBOc.exe	Get hash	malicious	Browse	104.21.19.200
	YF19NagrPh.exe	Get hash	malicious	Browse	104.21.19.200
	rnWG5Cn2YZ.exe	Get hash	malicious	Browse	104.21.19.200
	y6ZCm1WdfT.exe	Get hash	malicious	Browse	104.21.19.200
	enquries.pdf.exe	Get hash	malicious	Browse	104.21.19.200
	2021Mar01_9073782914, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	MWPGKxTCp3.exe	Get hash	malicious	Browse	104.21.19.200
	AYiodsWKVw.exe	Get hash	malicious	Browse	104.21.19.200
	Request for Quote (RFQ) No. 8889.exe	Get hash	malicious	Browse	104.21.19.200
	y9K4ZA3o3E.exe	Get hash	malicious	Browse	104.21.19.200
	PO0301020.exe	Get hash	malicious	Browse	104.21.19.200
	HA00-20505LF.exe	Get hash	malicious	Browse	104.21.19.200
	Halkbank_Ekstre_20210301_082357_541079.exe	Get hash	malicious	Browse	104.21.19.200
	HpEA19QthY.exe	Get hash	malicious	Browse	104.21.19.200
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	104.21.19.200
	ORDER01032021rfggfscan.exe	Get hash	malicious	Browse	104.21.19.200
	Enclosed_Proforma_Invoice.PDF.exe	Get hash	malicious	Browse	104.21.19.200

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT eInvoice.exe.log Download File
Process:	C:\Users\user\Desktop\TNT eInvoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.655722383425868
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	TNT eInvoice.exe
File size:	885760
MD5:	faff5ed3bcc8e818de35554887b79efe
SHA1:	93a0f3f8e7bde8694c337f577e96d24a4dec22d9
SHA256:	d714a39018e39b388029e0daa827b9aa90d018c94f0e1978f9c55bbcf43d928a
SHA512:	2628ca122c9397d8923c95e4018bbd2d92c57f40af1e9c70e17897923d9f886e50a81e462f2c7d7c4b2b411182b500f92393b1397e96bfcd3da40a071555b7e3
SSDEEP:	12288:UGkYyx0W89B8OBI1jkVCMdcDOX4kovIdEteOoda3cAIrYv:bkGNKr1j6CMuDkoQE0OoMs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.\|...............P..x............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4d978e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xDE7CE35A [Tue Apr 13 20:30:18 2088 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [ecx], eax
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd973c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x604	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd9720	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd779c	0xd7800	False	0.582917180249	data	6.66197436233	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x604	0x800	False	0.328125	data	3.42566987801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xda090	0x374	data
RT_MANIFEST	0xda414	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020 - 2021
Assembly Version	8.6.2.0
InternalName	StreamingContextStates.exe
FileVersion	8.6.2.0
CompanyName
LegalTrademarks
Comments
ProductName	Health Point
ProductVersion	8.6.2.0
FileDescription	Health Point
OriginalFilename	StreamingContextStates.exe

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 56
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2021 17:28:14.409548998 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.563157082 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.563256025 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.563922882 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.719585896 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.719619989 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.719636917 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:14.719707966 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.720700026 CET	49715	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:14.875437975 CET	80	49715	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.275897026 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.430639982 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.430742025 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.431349039 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.587390900 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.587601900 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.587619066 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:15.588038921 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.588068962 CET	49716	80	192.168.2.5	131.186.161.70
Mar 1, 2021 17:28:15.743056059 CET	80	49716	131.186.161.70	192.168.2.5
Mar 1, 2021 17:28:17.925833941 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:17.966944933 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:17.967032909 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.147953033 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.190428019 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.191282034 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.191315889 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.191401958 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.266450882 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.307481050 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.307548046 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.381371975 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.817151070 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:28:18.858263969 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.873795986 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.873826981 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:28:18.873941898 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:29:59.049171925 CET	49717	443	192.168.2.5	104.21.19.200
Mar 1, 2021 17:29:59.090426922 CET	443	49717	104.21.19.200	192.168.2.5
Mar 1, 2021 17:29:59.090620995 CET	49717	443	192.168.2.5	104.21.19.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2021 17:27:58.841237068 CET	52704	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:58.890032053 CET	53	52704	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.142966032 CET	52212	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.200284958 CET	53	52212	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.542840004 CET	54302	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.591739893 CET	53	54302	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.666749001 CET	53784	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.699393988 CET	65307	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.716206074 CET	53	53784	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.750547886 CET	53	65307	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.812355042 CET	64344	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.860981941 CET	53	64344	8.8.8.8	192.168.2.5
Mar 1, 2021 17:27:59.892585993 CET	62060	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:27:59.942372084 CET	53	62060	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:00.600442886 CET	61805	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:00.649934053 CET	53	61805	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:01.571353912 CET	54795	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:01.619919062 CET	53	54795	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:02.439647913 CET	49557	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:02.500581980 CET	53	49557	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:02.601883888 CET	61733	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:02.652117968 CET	53	61733	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:03.715758085 CET	65447	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:03.765347958 CET	53	65447	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:05.168164968 CET	52441	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:05.219537020 CET	53	52441	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:06.353423119 CET	62176	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:06.402298927 CET	53	62176	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:07.472008944 CET	59596	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:07.529249907 CET	53	59596	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:09.239150047 CET	65296	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:09.290751934 CET	53	65296	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:10.428298950 CET	63183	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:10.476856947 CET	53	63183	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:11.349174023 CET	60151	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:11.399202108 CET	53	60151	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:14.172745943 CET	56969	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:14.223536015 CET	53	56969	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:14.245565891 CET	55161	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:14.294373035 CET	53	55161	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:17.854497910 CET	54757	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:17.912378073 CET	53	54757	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:27.943186045 CET	49992	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:28.002338886 CET	53	49992	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:43.932760000 CET	60075	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:43.983275890 CET	53	60075	8.8.8.8	192.168.2.5
Mar 1, 2021 17:28:54.538389921 CET	55016	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:28:54.595875978 CET	53	55016	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:02.840285063 CET	64345	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:02.947035074 CET	53	64345	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:03.514343977 CET	57128	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:03.586496115 CET	53	57128	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:03.916486979 CET	54791	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:03.977420092 CET	53	54791	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:04.150787115 CET	50463	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:04.210445881 CET	53	50463	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:04.712178946 CET	50394	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:04.794328928 CET	53	50394	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:05.306123018 CET	58530	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:05.355093956 CET	53	58530	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:05.837084055 CET	53813	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:05.894148111 CET	53	53813	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:05.947725058 CET	63732	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:06.007632017 CET	53	63732	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:06.822909117 CET	57344	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:06.888166904 CET	53	57344	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:07.760236025 CET	54450	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:07.839015961 CET	53	54450	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:09.074717045 CET	59261	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:09.136262894 CET	53	59261	8.8.8.8	192.168.2.5
Mar 1, 2021 17:29:09.667176962 CET	57151	53	192.168.2.5	8.8.8.8
Mar 1, 2021 17:29:09.716362953 CET	53	57151	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 1, 2021 17:28:14.172745943 CET	192.168.2.5	8.8.8.8	0xcefb	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.245565891 CET	192.168.2.5	8.8.8.8	0x19d5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:17.854497910 CET	192.168.2.5	8.8.8.8	0xbd05	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.223536015 CET	8.8.8.8	192.168.2.5	0xcefb	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:14.294373035 CET	8.8.8.8	192.168.2.5	0x19d5	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:17.912378073 CET	8.8.8.8	192.168.2.5	0xbd05	No error (0)	freegeoip.app		104.21.19.200	A (IP address)	IN (0x0001)
Mar 1, 2021 17:28:17.912378073 CET	8.8.8.8	192.168.2.5	0xbd05	No error (0)	freegeoip.app		172.67.188.154	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49715	131.186.161.70	80	C:\Users\user\Desktop\TNT eInvoice.exe

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2021 17:28:14.563922882 CET	1489	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 1, 2021 17:28:14.719619989 CET	1490	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49716	131.186.161.70	80	C:\Users\user\Desktop\TNT eInvoice.exe

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2021 17:28:15.431349039 CET	1490	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 1, 2021 17:28:15.587601900 CET	1491	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 1, 2021 17:28:18.191315889 CET	104.21.19.200	443	192.168.2.5	49717	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 10 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Tue Aug 10 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Mar 1, 2021 17:28:18.191315889 CET	104.21.19.200	443	192.168.2.5	49717	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

CPU Usage

• TNT eInvoice.exe
• TNT eInvoice.exe
• TNT eInvoice.exe

Click to jump to process

Memory Usage

• TNT eInvoice.exe
• TNT eInvoice.exe
• TNT eInvoice.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• TNT eInvoice.exe
• TNT eInvoice.exe
• TNT eInvoice.exe

Click to jump to process

System Behavior

Analysis Process: TNT eInvoice.exe PID: 6332 Parent PID: 5724

Function Logs

General

Start time:	17:28:06
Start date:	01/03/2021
Path:	C:\Users\user\Desktop\TNT eInvoice.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TNT eInvoice.exe'
Imagebase:	0xf0000
File size:	885760 bytes
MD5 hash:	FAFF5ED3BCC8E818DE35554887B79EFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.232843003.0000000002511000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.233109671.0000000003519000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Mutex Activities

Mutex Created

Process Activities

Process Created

Process Queried

Process Information Set

Process Terminated

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Memory Activities

Memory Read

Memory Written

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

System Activities

Language or Locale ID Queried

System Information Queried

Windows UI Activities

Window Created

Message Posted to Windows UI

Process Token Activities

Token Adjusted

LPC Port Activities

Chronological Activities

Analysis Process: TNT eInvoice.exe PID: 6408 Parent PID: 6332

Function Logs

General

Start time:	17:28:09
Start date:	01/03/2021
Path:	C:\Users\user\Desktop\TNT eInvoice.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\TNT eInvoice.exe
Imagebase:	0x2a0000
File size:	885760 bytes
MD5 hash:	FAFF5ED3BCC8E818DE35554887B79EFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: TNT eInvoice.exe PID: 6444 Parent PID: 6332

Function Logs

General

Start time:	17:28:10
Start date:	01/03/2021
Path:	C:\Users\user\Desktop\TNT eInvoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\TNT eInvoice.exe
Imagebase:	0xc10000
File size:	885760 bytes
MD5 hash:	FAFF5ED3BCC8E818DE35554887B79EFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.495973738.0000000003069000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.491721334.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

File Activities

File Opened

File Created

File Deleted

File Read

File Attributes Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Mutex Activities

Mutex Created

Process Activities

Process Queried

Process Information Set

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

System Activities

Language or Locale ID Queried

System Information Queried

Timing Activities

Windows UI Activities

Window Created

Network Activities

Socket bound

Socket connected

Process Token Activities

Token Adjusted