Windows Analysis Report AWB & Shipping Documents.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
```json
{
  "Exfil Mode": "SMTP",
  "Username": "bangerlee@excetek-tw.com",
  "Password": "^zC)hee7",
  "Host": "smtp.excetek-tw.com"
}
```
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
Sigma Overview
No Sigma rule has matched
Signature Overview
- AV Detection
- Compliance
- Software Vulnerabilities
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection:
Found malware configuration
- Source: Malware Configuration Extractor:
- Source: Avira:
- Source: Static PE information: (2 entries)
- Source: Code function: 0_2_0604CAD0, 0_2_0604DC00
Networking:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Source: Snort IDS: (2 entries)
- Source: TCP traffic: (2 entries)
- Source: IP Address: (2 entries)
- Source: ASN Name:
- Source: TCP traffic: (2 entries)
- Source: DNS traffic detected:
- Source: String found in binary or memory: (15 entries)
System Summary:
.NET source code contains very large array initializations
- Source: Large array initialization:
Initial sample is a PE file and has a suspicious name
- Source: Static PE information:
- Source: Code function: 0_2_06045B18, 0_2_06043728, 0_2_0604CF98, 0_2_06046038, 0_2_06040040, 0_2_0604BCB0, 0_2_06049CC8, 0_2_06045215, 0_2_06048228, 0_2_06045230, 0_2_06048238, 0_2_06043250, 0_2_06043260, 0_2_06045B08, 0_2_06043718, 0_2_06044B58, 0_2_0604A380, 0_2_06049F89, 0_2_0604A390, 0_2_06049F98, 0_2_06044BC0, 0_2_0604001D, 0_2_0604602A, 0_2_06049CB9, 0_2_060434E9, 0_2_060434F8, 0_2_0604A527, 0_2_0604A57F, 0_2_060429E0, 0_2_060429F0, 3_2_00F948AC, 3_2_00F97CD8, 3_2_00F9AED0, 3_2_00F92698, 3_2_00F9E97A, 3_2_02A446A0, 3_2_02A44618
- Source: Static PE information: (3 entries)
- Source: Binary or memory string: (12 entries)
- Source: Static PE information: (2 entries)
- Source: Cryptographic APIs: (2 entries)
- Source: Classification label:
- Source: File created:
- Source: Mutant created:
- Source: Static PE information:
- Source: Section loaded: (2 entries)
- Source: WMI Queries: (3 entries)
- Source: Key opened:
- Source: File read: (5 entries)
- Source: Binary or memory string: (9 entries)
- Source: String found in binary or memory: (4 entries)
- Source: Process created: (5 entries)
- Source: Key value queried:
- Source: File opened:
- Source: Key opened:
- Source: Static PE information: (2 entries)
- Source: Code function: 0_2_00858ADA, 0_2_00858D58, 0_2_00858D46, 0_2_00858D5E, 0_2_00858DA0, 0_2_060465E7, 2_2_00328ADA, 2_2_00328DA0, 2_2_00328D5E, 2_2_00328D46, 2_2_00328D58, 3_3_00DAB7DE, 3_3_00DAB7C2, 3_3_00DAB762, 3_3_00DAB77E, 3_2_00628DA0, 3_2_00628D46, 3_2_00628D58, 3_2_00628D5E, 3_2_00628ADA, 3_2_02A4CD5D
- Source: Static PE information:
- Source: Registry key monitored for changes:
- Source: Process information set: (82 entries)
Malware Analysis System Evasion:
Yara detected AntiVM3
- Source: File source: (2 entries)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
- Source: WMI Queries:
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
- Source: WMI Queries:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Source: Binary or memory string: (2 entries)
- Source: Thread delayed: (2 entries)
- Source: Window / User API: (2 entries)
- Source: Thread sleep time: (3 entries)
- Source: Thread sleep count: (2 entries)
- Source: WMI Queries: (3 entries)
- Source: Thread delayed: (3 entries)
- Source: Binary or memory string: (10 entries)
- Source: Process information queried:
- Source: Code function: 3_2_00F92698
- Source: Process token adjusted: (2 entries)
- Source: Memory allocated:
HIPS / PFW / Operating System Protection Evasion:
Injects a PE file into a foreign processes
- Source: Memory written:
- Source: Process created: (2 entries)
- Source: Binary or memory string: (4 entries)
- Source: Queries volume information: (15 entries)
- Source: Key value queried:
Stealing of Sensitive Information:
Yara detected AgentTesla
- Source: File source: (6 entries)
Yara detected AgentTesla
- Source: File source: (9 entries)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
- Source: Key opened:
Tries to harvest and steal browser information (history, passwords, etc)
- Source: File opened: (3 entries)
Tries to harvest and steal ftp login credentials
- Source: File opened: (2 entries)
Tries to steal Mail credentials (via file access)
- Source: File opened: (2 entries)
- Source: Key opened: (2 entries)
- Source: File source: (2 entries)
Remote Access Functionality:
Yara detected AgentTesla
- Source: File source: (6 entries)
Yara detected AgentTesla
- Source: File source: (9 entries)
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Credentials in Registry1 | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| | 100% | Avira | TR/Spy.Gen8 |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| | 0% | Virustotal | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 4 URLs | 0% | Avira URL Cloud | safe |
| 17 URLs | 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | | high |
| smtp.excetek-tw.com | unknown | unknown | true | | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| 6 URLs | | false | | high |
| 3 URLs | | false | | low |
| 6 URLs | | false | | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 208.91.198.143 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true |
| 208.91.199.224 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |

| IP |
|---|
| 192.168.2.1 |
General Information
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 437389 |
Start date: | 20.06.2021 |
Start time: | 22:41:19 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 17s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | AWB & Shipping Documents.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/2@4/3 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
| Time | Type | Description |
|---|---|---|
| 22:42:08 | API Interceptor | |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
|---|---|---|---|---|
| 208.91.198.143 | 20 associated samples | | malicious | |
| 208.91.199.224 | 20 associated samples | | malicious | |

| Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
|---|---|---|---|---|
| us2.smtp.mailhostbox.com | 20 associated samples | | malicious | |

| Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
|---|---|---|---|---|
| PUBLIC-DOMAIN-REGISTRYUS | 20 associated samples | | malicious | |
| PUBLIC-DOMAIN-REGISTRYUS | 20 associated samples | | malicious | |
No context
Process: | C:\Users\user\Desktop\AWB & Shipping Documents.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1314 |
Entropy (8bit): | 5.350128552078965 |
Encrypted: | false |
SSDEEP: | 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR |
MD5: | 1DC1A2DCC9EFAA84EABF4F6D6066565B |
SHA1: | B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9 |
SHA-256: | 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF |
SHA-512: | 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Users\user\Desktop\AWB & Shipping Documents.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 20480 |
Entropy (8bit): | 0.7006690334145785 |
Encrypted: | false |
SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ |
MD5: | A7FE10DA330AD03BF22DC9AC76BBB3E4 |
SHA1: | 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803 |
SHA-256: | 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8 |
SHA-512: | 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Static File Info
General
File type: | |
Entropy (8bit): | 7.59265515440062 |
TrID: | |
File name: | AWB & Shipping Documents.exe |
File size: | 901632 |
MD5: | 7c4194af8b96aba768004cf02dc66ff2 |
SHA1: | 0316176e546e300c41ab967ed0b671aa843e5298 |
SHA256: | 33a82cfa5ef0f113bfa98be28c2a3d8637423f8e22be91179ee36a907ef808ca |
SHA512: | e2fd5179e9a86cf428ac2c1b2e02479be736e905c9a280c50989b0f7d76dd9966ec9a0284ac07cc5074d01dd9a455e6a5fff396123369b2f027c229cfc6f2c4f |
SSDEEP: | 12288:JFehlm4S4F3M9ykYlDxvgcw6Uc85v8+C/0a607C2L8kJRdPtsthhtg/2hppp7ETF:JEW9Yl5Yc85JC8V45Vqhw/2hppKZpp |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(..`..............P......6......*.... ........@.. ....................... ............@................................ |
File Icon
Icon Hash: | 3ab89e9a98d0c0f0 |
General
Entrypoint: | 0x4ba82a |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x60CE9628 [Sun Jun 20 01:13:12 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction

```asm
jmp dword ptr [00402000h]
add byte ptr [eax], al    ; listed 97 times in the report: 00 00 bytes decode to this instruction, i.e. zero padding after the entry-point jump
```
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba7d8 | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbc000 | 0x232e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe0000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xb8830 | 0xb8a00 | False | 0.865326940166 | data | 7.57479829446 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xbc000 | 0x232e8 | 0x23400 | False | 0.905966035018 | data | 7.6748287259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xe0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xbc260 | 0x573f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0xc19b0 | 0x668 | data | ||
RT_ICON | 0xc2028 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 136, next used block 0 | ||
RT_ICON | 0xc2320 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0xc2458 | 0x9dd4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0xcc23c | 0xea8 | data | ||
RT_ICON | 0xcd0f4 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15330803, next used block 15461369 | ||
RT_ICON | 0xcd9ac | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0xcdf24 | 0xd288 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0xdb1bc | 0x25a8 | data | ||
RT_ICON | 0xdd774 | 0x10a8 | data | ||
RT_ICON | 0xde82c | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0xdeca4 | 0xae | data | ||
RT_VERSION | 0xded64 | 0x384 | data | ||
RT_MANIFEST | 0xdf0f8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2013 |
Assembly Version | 1.0.0.0 |
InternalName | SiteMembershipCondition.exe |
FileVersion | 1.0.0.0 |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | Freeze Remote Desktop |
ProductVersion | 1.0.0.0 |
FileDescription | Freeze Remote Desktop |
OriginalFilename | SiteMembershipCondition.exe |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/20/21-22:43:55.736758 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
06/20/21-22:44:00.101236 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Network Port Distribution |
---|
- Total Packets: 73
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 20, 2021 22:43:53.931355000 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:54.107237101 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:54.107372999 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:54.637207985 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:54.637882948 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:54.816154957 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:54.816219091 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:54.818641901 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:54.996848106 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:54.997839928 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.175457001 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:55.176191092 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.353140116 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:55.353446960 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.558177948 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:55.558994055 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.735059023 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:55.736757994 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.737076998 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.738167048 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.738343000 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:55.914480925 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:55.916064024 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:56.016592026 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:56.069801092 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:57.266542912 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:57.442508936 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:57.442523956 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:57.442924976 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:57.443660975 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 |
Jun 20, 2021 22:43:57.619621038 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 |
Jun 20, 2021 22:43:58.298311949 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:43:58.476012945 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:58.478224993 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:43:59.027229071 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:59.027708054 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:43:59.203325987 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:59.203377008 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:59.203989983 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:43:59.380506992 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:59.381509066 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:43:59.558953047 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:59.559319973 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:43:59.735852003 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:59.736457109 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:43:59.921449900 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:43:59.921962023 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.099508047 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:44:00.101031065 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.101236105 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.101326942 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.101461887 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.101605892 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.101682901 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.101723909 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.101794958 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Jun 20, 2021 22:44:00.278266907 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:44:00.279004097 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:44:00.279047012 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:44:00.376179934 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 |
Jun 20, 2021 22:44:00.429666996 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 20, 2021 22:42:01.159581900 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:01.270685911 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:01.321764946 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:02.253086090 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:02.303494930 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:03.614430904 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:03.665888071 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:04.542624950 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:04.597989082 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:05.751305103 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:05.801840067 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:07.036884069 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:07.105077028 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:08.130405903 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:08.189682961 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:09.448039055 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:09.507441998 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:10.886750937 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:10.937596083 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:12.625886917 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:12.682219028 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:14.096601963 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:14.152559996 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:15.190162897 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:15.248892069 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:16.315263033 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:16.377278090 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:17.844460964 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:17.896326065 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:18.930093050 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:18.980999947 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:20.026626110 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:20.077550888 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:21.150629044 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:21.201107979 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:22.718846083 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:22.777672052 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:25.387264013 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:25.453104973 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:31.446942091 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:31.527348042 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:46.327627897 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:46.463824987 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:47.122601986 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:47.245918989 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:47.260665894 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:47.316667080 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:47.984674931 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:48.046828032 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:48.493957043 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:48.555849075 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:49.122494936 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:49.195437908 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:49.844794035 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:49.915272951 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:50.430618048 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:50.494888067 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:51.306330919 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:51.368033886 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:52.268454075 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:52.330878019 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:42:53.348517895 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:42:53.412940025 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:06.463126898 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:06.498408079 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:06.531079054 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:06.557477951 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:09.557420015 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:09.635004997 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:40.410927057 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:40.486726046 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:41.805584908 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:41.864315033 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:53.539762974 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:53.732076883 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:53.766616106 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:53.825690031 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:57.770670891 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:57.961839914 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
Jun 20, 2021 22:43:58.243540049 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 20, 2021 22:43:58.295830011 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 20, 2021 22:43:53.539762974 CEST | 192.168.2.4 | 8.8.8.8 | 0x917a | Standard query (0) | A (IP address) | IN (0x0001) | |
Jun 20, 2021 22:43:53.766616106 CEST | 192.168.2.4 | 8.8.8.8 | 0x1a5b | Standard query (0) | A (IP address) | IN (0x0001) | |
Jun 20, 2021 22:43:57.770670891 CEST | 192.168.2.4 | 8.8.8.8 | 0x78cb | Standard query (0) | A (IP address) | IN (0x0001) | |
Jun 20, 2021 22:43:58.243540049 CEST | 192.168.2.4 | 8.8.8.8 | 0x1baf | Standard query (0) | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 20, 2021 22:43:53.732076883 CEST | 8.8.8.8 | 192.168.2.4 | 0x917a | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.732076883 CEST | 8.8.8.8 | 192.168.2.4 | 0x917a | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.732076883 CEST | 8.8.8.8 | 192.168.2.4 | 0x917a | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.732076883 CEST | 8.8.8.8 | 192.168.2.4 | 0x917a | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.732076883 CEST | 8.8.8.8 | 192.168.2.4 | 0x917a | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.825690031 CEST | 8.8.8.8 | 192.168.2.4 | 0x1a5b | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.825690031 CEST | 8.8.8.8 | 192.168.2.4 | 0x1a5b | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.825690031 CEST | 8.8.8.8 | 192.168.2.4 | 0x1a5b | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.825690031 CEST | 8.8.8.8 | 192.168.2.4 | 0x1a5b | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:53.825690031 CEST | 8.8.8.8 | 192.168.2.4 | 0x1a5b | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:57.961839914 CEST | 8.8.8.8 | 192.168.2.4 | 0x78cb | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 20, 2021 22:43:57.961839914 CEST | 8.8.8.8 | 192.168.2.4 | 0x78cb | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:57.961839914 CEST | 8.8.8.8 | 192.168.2.4 | 0x78cb | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:57.961839914 CEST | 8.8.8.8 | 192.168.2.4 | 0x78cb | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:57.961839914 CEST | 8.8.8.8 | 192.168.2.4 | 0x78cb | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:58.295830011 CEST | 8.8.8.8 | 192.168.2.4 | 0x1baf | No error (0) | us2.smtp.mailhostbox.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 20, 2021 22:43:58.295830011 CEST | 8.8.8.8 | 192.168.2.4 | 0x1baf | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:58.295830011 CEST | 8.8.8.8 | 192.168.2.4 | 0x1baf | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:58.295830011 CEST | 8.8.8.8 | 192.168.2.4 | 0x1baf | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | ||
Jun 20, 2021 22:43:58.295830011 CEST | 8.8.8.8 | 192.168.2.4 | 0x1baf | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jun 20, 2021 22:43:54.637207985 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
Jun 20, 2021 22:43:54.637882948 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 | EHLO 830021 |
Jun 20, 2021 22:43:54.816219091 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
Jun 20, 2021 22:43:54.818641901 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 | AUTH login YmFuZ2VybGVlQGV4Y2V0ZWstdHcuY29t |
Jun 20, 2021 22:43:54.996848106 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
Jun 20, 2021 22:43:55.175457001 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 235 2.7.0 Authentication successful |
Jun 20, 2021 22:43:55.176191092 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 | MAIL FROM:<bangerlee@excetek-tw.com> |
Jun 20, 2021 22:43:55.353140116 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 250 2.1.0 Ok |
Jun 20, 2021 22:43:55.353446960 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 | RCPT TO:<bangerlee@excetek-tw.com> |
Jun 20, 2021 22:43:55.558177948 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 250 2.1.5 Ok |
Jun 20, 2021 22:43:55.558994055 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 | DATA |
Jun 20, 2021 22:43:55.735059023 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
Jun 20, 2021 22:43:55.738343000 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 | . |
Jun 20, 2021 22:43:56.016592026 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 250 2.0.0 Ok: queued as 756841C1D19 |
Jun 20, 2021 22:43:57.266542912 CEST | 49770 | 587 | 192.168.2.4 | 208.91.199.224 | QUIT |
Jun 20, 2021 22:43:57.442508936 CEST | 587 | 49770 | 208.91.199.224 | 192.168.2.4 | 221 2.0.0 Bye |
Jun 20, 2021 22:43:59.027229071 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
Jun 20, 2021 22:43:59.027708054 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 830021 |
Jun 20, 2021 22:43:59.203377008 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN |
Jun 20, 2021 22:43:59.203989983 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login YmFuZ2VybGVlQGV4Y2V0ZWstdHcuY29t |
Jun 20, 2021 22:43:59.380506992 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6 |
Jun 20, 2021 22:43:59.558953047 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 235 2.7.0 Authentication successful |
Jun 20, 2021 22:43:59.559319973 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<bangerlee@excetek-tw.com> |
Jun 20, 2021 22:43:59.735852003 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok |
Jun 20, 2021 22:43:59.736457109 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<bangerlee@excetek-tw.com> |
Jun 20, 2021 22:43:59.921449900 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 250 2.1.5 Ok |
Jun 20, 2021 22:43:59.921962023 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 | DATA |
Jun 20, 2021 22:44:00.099508047 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF> |
Jun 20, 2021 22:44:00.101794958 CEST | 49771 | 587 | 192.168.2.4 | 208.91.198.143 | . |
Jun 20, 2021 22:44:00.376179934 CEST | 587 | 49771 | 208.91.198.143 | 192.168.2.4 | 250 2.0.0 Ok: queued as CE0CD183AE0 |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
Start time: | 22:42:07 |
Start date: | 20/06/2021 |
Path: | C:\Users\user\Desktop\AWB & Shipping Documents.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x850000 |
File size: | 901632 bytes |
MD5 hash: | 7C4194AF8B96ABA768004CF02DC66FF2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
Process Token Activities
LPC Port Activities
Start time: | 22:42:10 |
Start date: | 20/06/2021 |
Path: | C:\Users\user\Desktop\AWB & Shipping Documents.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x320000 |
File size: | 901632 bytes |
MD5 hash: | 7C4194AF8B96ABA768004CF02DC66FF2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Start time: | 22:42:11 |
Start date: | 20/06/2021 |
Path: | C:\Users\user\Desktop\AWB & Shipping Documents.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x620000 |
File size: | 901632 bytes |
MD5 hash: | 7C4194AF8B96ABA768004CF02DC66FF2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
File Activities
Section Activities
Registry Activities
COM Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Timing Activities
Windows UI Activities
Network Activities
Process Token Activities
LPC Port Activities
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Non-executed Functions |
---|
Executed Functions |
---|
Non-executed Functions |
---|