Edit tour
Windows
Analysis Report
h8jGj6Qe78.exe
Overview
General Information
Sample name: | h8jGj6Qe78.exerenamed because original name is a hash value |
Original sample name: | fd192fb05e0cd219b14c5bf345f33cfb.exe |
Analysis ID: | 1502474 |
MD5: | fd192fb05e0cd219b14c5bf345f33cfb |
SHA1: | fbadb3784b44770045f6c84f3cc2db34e1b6863a |
SHA256: | 0599250511b7b3ec63303fa14e98edef3092d61614e07106cf274bd6d43b2451 |
Tags: | exeStealc |
Infos: | |
Detection
CryptOne, SmokeLoader, Stealc, Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected CryptOne packer
Yara detected Powershell download and execute
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- h8jGj6Qe78.exe (PID: 7716 cmdline:
"C:\Users\ user\Deskt op\h8jGj6Q e78.exe" MD5: FD192FB05E0CD219B14C5BF345F33CFB) - explorer.exe (PID: 2580 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - 329C.exe (PID: 7284 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\329C.ex e MD5: 09607648B95315F78A147FCAC628E63D) - cmd.exe (PID: 7396 cmdline:
"C:\Window s\System32 \cmd.exe" /k move Te ach Teach. bat & Teac h.bat & ex it MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7408 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7512 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 2504 cmdline:
findstr /I "wrsa ops svc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 4248 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 4340 cmdline:
findstr /I "avastui avgui bdse rvicehost nswscsvc s ophoshealt h" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 3684 cmdline:
cmd /c md 795933 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 1860 cmdline:
findstr /V "tagsnego tiationthr eadadobe" Literature MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7384 cmdline:
cmd /c cop y /b ..\Ch urch + ..\ Activity + ..\Yahoo + ..\Censu s + ..\Mar io + ..\Po stcards + ..\Vessel + ..\Vhs + ..\Maps + ..\Conven ience + .. \Comment + ..\Shift z MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - Burn.pif (PID: 2104 cmdline:
Burn.pif z MD5: 18CE19B57F43CE0A5AF149C96AECC685) - choice.exe (PID: 4888 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4) - cmd.exe (PID: 5236 cmdline:
cmd /c sch tasks.exe /create /t n "Cheese" /tr "wscr ipt //B 'C :\Users\us er\AppData \Local\Swi ftTech Sol utions\Swi ftServe.js '" /sc min ute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 732 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 7528 cmdline:
schtasks.e xe /create /tn "Chee se" /tr "w script //B 'C:\Users \user\AppD ata\Local\ SwiftTech Solutions\ SwiftServe .js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 7700 cmdline:
cmd /k ech o [Interne tShortcut] > "C:\Use rs\user\Ap pData\Roam ing\Micros oft\Window s\Start Me nu\Program s\Startup\ SwiftServe .url" & ec ho URL="C: \Users\use r\AppData\ Local\Swif tTech Solu tions\Swif tServe.js" >> "C:\Us ers\user\A ppData\Roa ming\Micro soft\Windo ws\Start M enu\Progra ms\Startup \SwiftServ e.url" & e xit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7708 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - DFA6.exe (PID: 1396 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\DFA6.ex e MD5: 17D51083CCB2B20074B1DC2CAC5BEA36) - svchost015.exe (PID: 708 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\svchost 015.exe MD5: B826DD92D78EA2526E465A34324EBEEA) - wscript.exe (PID: 5252 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\SwiftTe ch Solutio ns\SwiftSe rve.js" MD5: A47CBE969EA935BDD3AB568BB126BC80) - SwiftServe.scr (PID: 5684 cmdline:
"C:\Users\ user\AppDa ta\Local\S wiftTech S olutions\S wiftServe. scr" "C:\U sers\user\ AppData\Lo cal\SwiftT ech Soluti ons\w" MD5: 18CE19B57F43CE0A5AF149C96AECC685) - RegAsm.exe (PID: 3896 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\795933\ RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- ewggbbh (PID: 8020 cmdline:
C:\Users\u ser\AppDat a\Roaming\ ewggbbh MD5: FD192FB05E0CD219B14C5BF345F33CFB)
- wscript.exe (PID: 7444 cmdline:
C:\Windows \system32\ wscript.EX E //B "C:\ Users\user \AppData\L ocal\Swift Tech Solut ions\Swift Serve.js" MD5: A47CBE969EA935BDD3AB568BB126BC80) - SwiftServe.scr (PID: 2828 cmdline:
"C:\Users\ user\AppDa ta\Local\S wiftTech S olutions\S wiftServe. scr" "C:\U sers\user\ AppData\Lo cal\SwiftT ech Soluti ons\w" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
- ewggbbh (PID: 2208 cmdline:
C:\Users\u ser\AppDat a\Roaming\ ewggbbh MD5: FD192FB05E0CD219B14C5BF345F33CFB)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}
{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}
{"Version": 2022, "C2 list": ["http://epohe.ru/tmp/", "http://olihonols.in.net/tmp/", "http://nicetolosv.xyz/tmp/", "http://jftolsa.ws/tmp/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Click to see the 19 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |
---|
Source: | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Max Altgelt (Nextron Systems): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Michael Haag: |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
Timestamp: | 2024-09-01T18:28:24.310806+0200 |
SID: | 2803304 |
Severity: | 3 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Unknown Traffic |
Timestamp: | 2024-09-01T18:28:03.102175+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56172 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:22.017920+0200 |
SID: | 2803304 |
Severity: | 3 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Unknown Traffic |
Timestamp: | 2024-09-01T18:28:07.729876+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56175 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:07.729876+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56175 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:12.185731+0200 |
SID: | 2044247 |
Severity: | 1 |
Source Port: | 80 |
Destination Port: | 56177 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-09-01T18:27:39.923038+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56155 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:53.916895+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56166 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:30.577828+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56189 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:25.041054+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56188 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:48.876870+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56192 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:37.409195+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56153 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:55.293384+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56193 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:48.594093+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56161 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:55.377152+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56167 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:55.377152+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56167 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:25.592712+0200 |
SID: | 2035595 |
Severity: | 1 |
Source Port: | 56001 |
Destination Port: | 56180 |
Protocol: | TCP |
Classtype: | Domain Observed Used for C2 Detected |
Timestamp: | 2024-09-01T18:30:18.223191+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56187 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:18.223191+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56187 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:11.872786+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56186 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:11.872786+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56186 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:43.499336+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56191 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:43.499336+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56191 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:30.490429+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56148 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:29.220719+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56147 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:29.220719+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56147 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:09.063507+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56176 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:26.372267+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56145 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:26.372267+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56145 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:24.807233+0200 |
SID: | 2803304 |
Severity: | 3 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Unknown Traffic |
Timestamp: | 2024-09-01T18:27:24.858836+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56144 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:24.858836+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56144 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:36.396183+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56190 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:30:36.396183+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56190 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:05.693162+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56174 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:22.307582+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56142 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:21.409420+0200 |
SID: | 2803304 |
Severity: | 3 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Unknown Traffic |
Timestamp: | 2024-09-01T18:27:27.965547+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56146 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:27.965547+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56146 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:36.057038+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56152 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:36.057038+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56152 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:43.796524+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56158 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:43.796524+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56158 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:57.566254+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56184 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:57.566254+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56184 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:31.874870+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56149 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:57.953912+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56170 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:11.581616+0200 |
SID: | 2044243 |
Severity: | 1 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-09-01T18:29:19.120665+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56178 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:13.644145+0200 |
SID: | 2803304 |
Severity: | 3 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Unknown Traffic |
Timestamp: | 2024-09-01T18:28:20.207780+0200 |
SID: | 2803304 |
Severity: | 3 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Unknown Traffic |
Timestamp: | 2024-09-01T18:30:05.185420+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56185 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:52.655324+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56165 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:47.286090+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56183 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:50.133325+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56162 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:04.415568+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56173 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:34.494902+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56151 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:34.494902+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56151 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:56.670804+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56168 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:12.056479+0200 |
SID: | 2044246 |
Severity: | 1 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-09-01T18:27:33.232836+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56150 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:26.363148+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56179 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:26.363148+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56179 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:33.679221+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56181 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:29:33.679221+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56181 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:45.059197+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56159 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:45.059197+0200 |
SID: | 2851815 |
Severity: | 1 |
Source Port: | 56159 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:19.097014+0200 |
SID: | 2803304 |
Severity: | 3 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Unknown Traffic |
Timestamp: | 2024-09-01T18:28:11.832589+0200 |
SID: | 2044245 |
Severity: | 1 |
Source Port: | 80 |
Destination Port: | 56177 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-09-01T18:29:40.841730+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56182 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:11.818662+0200 |
SID: | 2044244 |
Severity: | 1 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-09-01T18:28:13.139572+0200 |
SID: | 2044248 |
Severity: | 1 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Timestamp: | 2024-09-01T18:27:41.274011+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56156 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:58.652505+0200 |
SID: | 2019714 |
Severity: | 2 |
Source Port: | 56171 |
Destination Port: | 443 |
Protocol: | TCP |
Classtype: | Potentially Bad Traffic |
Timestamp: | 2024-09-01T18:27:38.658236+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56154 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:51.385279+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56164 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:42.526719+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56157 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:27:23.581272+0200 |
SID: | 2039103 |
Severity: | 1 |
Source Port: | 56143 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-09-01T18:28:27.560020+0200 |
SID: | 2044249 |
Severity: | 1 |
Source Port: | 56177 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Malware Command and Control Activity Detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 29_2_6C846C80 | |
Source: | Code function: | 29_2_6C99A9A0 | |
Source: | Code function: | 29_2_6C9944C0 | |
Source: | Code function: | 29_2_6C964420 | |
Source: | Code function: | 29_2_6C994440 | |
Source: | Code function: | 29_2_6C9E25B0 | |
Source: | Code function: | 29_2_6C97E6E0 | |
Source: | Code function: | 29_2_6C99A650 | |
Source: | Code function: | 29_2_6C978670 | |
Source: | Code function: | 29_2_6C9BA730 | |
Source: | Code function: | 29_2_6C9C0180 | |
Source: | Code function: | 29_2_6C9943B0 | |
Source: | Code function: | 29_2_6C9B7C00 | |
Source: | Code function: | 29_2_6C9BBD30 | |
Source: | Code function: | 29_2_6C977D60 | |
Source: | Code function: | 29_2_6C9B9EC0 | |
Source: | Code function: | 29_2_6C993FF0 |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 7_2_004062EB | |
Source: | Code function: | 7_2_00406CB1 | |
Source: | Code function: | 25_2_00E84005 | |
Source: | Code function: | 25_2_00E8C2FF | |
Source: | Code function: | 25_2_00E8494A | |
Source: | Code function: | 25_2_00E8CD9F | |
Source: | Code function: | 25_2_00E8CD14 | |
Source: | Code function: | 25_2_00E8F5D8 | |
Source: | Code function: | 25_2_00E8F735 | |
Source: | Code function: | 25_2_00E8FA36 | |
Source: | Code function: | 25_2_00E83CE2 |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |