Windows
Analysis Report
shipping documents.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- shipping documents.exe (PID: 7492 cmdline:
"C:\Users\ user\Deskt op\shippin g document s.exe" MD5: C5516FF1D3704BAD31059E7D7CA7CFE7) - RegSvcs.exe (PID: 7588 cmdline:
"C:\Users\ user\Deskt op\shippin g document s.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- boqXv.exe (PID: 7884 cmdline:
"C:\Users\ user\AppDa ta\Roaming \boqXv\boq Xv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94) - conhost.exe (PID: 7896 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- boqXv.exe (PID: 8012 cmdline:
"C:\Users\ user\AppDa ta\Roaming \boqXv\boq Xv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94) - conhost.exe (PID: 8020 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.naveentour.com", "Username": "accounts@naveentour.com", "Password": "nav!T6u2@001"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 3 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
|
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: frack113: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T06:37:59.980284+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T06:38:14.092467+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T06:38:14.092467+0200 | 2855245 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T06:37:59.980284+0200 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T06:37:59.980284+0200 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Code function: | 2_2_0193A3D8 | |
Source: | Code function: | 2_2_01939810 | |
Source: | Code function: | 2_2_01934AC8 | |
Source: | Code function: | 2_2_01933EB0 | |
Source: | Code function: | 2_2_019341F8 | |
Source: | Code function: | 2_2_067E8CF0 | |
Source: | Code function: | 2_2_067EB690 | |
Source: | Code function: | 2_2_067F8F18 | |
Source: | Code function: | 2_2_067F5A58 | |
Source: | Code function: | 2_2_067F42D0 | |
Source: | Code function: | 2_2_067F3288 | |
Source: | Code function: | 2_2_067F0040 | |
Source: | Code function: | 2_2_067FE0A0 | |
Source: | Code function: | 2_2_067FC088 | |
Source: | Code function: | 2_2_067F5378 | |
Source: | Code function: | 2_2_067F39D8 |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 6_2_00BA083A |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File opened: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | API/Special instruction interceptor: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | WMI Queries: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 211 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | 1 Credentials in Registry | 141 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 2 Data from Local System | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 211 Process Injection | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 124 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
mail.naveentour.com | 162.214.80.31 | true | true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
162.214.80.31 | mail.naveentour.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1520207 |
Start date and time: | 2024-09-27 06:37:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | shipping documents.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@7/5@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target boqXv.exe, PID 7884 because it is empty
- Execution Graph export aborted for target boqXv.exe, PID 8012 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: shipping documents.exe
Time | Type | Description |
---|---|---|
00:38:11 | API Interceptor | |
06:38:14 | Autostart | |
06:38:22 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
162.214.80.31 | Get hash | malicious | FormBook | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
mail.naveentour.com | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | PureLog Stealer, SystemBC | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
UNIFIEDLAYER-AS-1US | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe | Get hash | malicious | AgentTesla | Browse | ||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | XWorm | Browse |
Process: | C:\Users\user\AppData\Roaming\boqXv\boqXv.exe |
File Type: | |
Category: | modified |
Size (bytes): | 142 |
Entropy (8bit): | 5.090621108356562 |
Encrypted: | false |
SSDEEP: | 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw |
MD5: | 8C0458BB9EA02D50565175E38D577E35 |
SHA1: | F0B50702CD6470F3C17D637908F83212FDBDB2F2 |
SHA-256: | C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53 |
SHA-512: | 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\shipping documents.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 241664 |
Entropy (8bit): | 6.750267730366818 |
Encrypted: | false |
SSDEEP: | 6144:RGXTUV39ijawfIdV/BauxT1AGAOxCAbmRWxW:RYE39u3wdRBpB1A4bmwW |
MD5: | 917142792D2B2731E30192D41E91538E |
SHA1: | 280700CDF500D5753B076216DE82FC882316A8BD |
SHA-256: | 39ECEE4D47A3EC531431A487B66C305577D6262EB80CAF62A05297C620F64AEA |
SHA-512: | 09761E624D87857E777E50447E6DC7C76237E4CA23537CB1017F8D80B4C9B981637DD752A0BF4BA5B0E4F5BC1FED8A4CC295708ABAC728C3CCD5DA9D83782C38 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File Type: | |
Category: | modified |
Size (bytes): | 45984 |
Entropy (8bit): | 6.16795797263964 |
Encrypted: | false |
SSDEEP: | 768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7 |
MD5: | 9D352BC46709F0CB5EC974633A0C3C94 |
SHA1: | 1969771B2F022F9A86D77AC4D4D239BECDF08D07 |
SHA-256: | 2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390 |
SHA-512: | 13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Roaming\boqXv\boqXv.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1141 |
Entropy (8bit): | 4.442398121585593 |
Encrypted: | false |
SSDEEP: | 24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC |
MD5: | 6FB4D27A716A8851BC0505666E7C7A10 |
SHA1: | AD2A232C6E709223532C4D1AB892303273D8C814 |
SHA-256: | 1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE |
SHA-512: | 3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 7.970197836429154 |
TrID: |
|
File name: | shipping documents.exe |
File size: | 829'895 bytes |
MD5: | c5516ff1d3704bad31059e7d7ca7cfe7 |
SHA1: | 9eed578b0fc8ad2e4083b6b226cc1e3f4a04e42c |
SHA256: | fd67c185be66d7cbd57f97cc05892e93e9e134ff930ae479ac17c726c74cd8d6 |
SHA512: | b5672accd8255ef79570e3db355649bd6472547353d0a89aad2dafe0bc2cc5926d272c4ae988e368cde1acc40abd9fc2f42a60363b10e1a40e29ea6648025196 |
SSDEEP: | 24576:tthEVaPqLIjmzLLzevg1tN39mWwqxWj6I:VEVUcp/n9oWdWj9 |
TLSH: | AA0533F634947618E87C52F3F69303E2C4806AA5BB794E3B64186503AADE2051DFB71F |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L.. |
Icon Hash: | 1733312925935517 |
Entrypoint: | 0x4b8e70 |
Entrypoint Section: | UPX1 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 890e522b31701e079a367b89393329e6 |
Instruction |
---|
pushad |
mov esi, 00477000h |
lea edi, dword ptr [esi-00076000h] |
push edi |
jmp 00007F067CDF762Dh |
nop |
mov al, byte ptr [esi] |
inc esi |
mov byte ptr [edi], al |
inc edi |
add ebx, ebx |
jne 00007F067CDF7629h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F067CDF760Fh |
mov eax, 00000001h |
add ebx, ebx |
jne 00007F067CDF7629h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
add ebx, ebx |
jnc 00007F067CDF762Dh |
jne 00007F067CDF764Ah |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F067CDF7641h |
dec eax |
add ebx, ebx |
jne 00007F067CDF7629h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
jmp 00007F067CDF75F6h |
add ebx, ebx |
jne 00007F067CDF7629h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
jmp 00007F067CDF7674h |
xor ecx, ecx |
sub eax, 03h |
jc 00007F067CDF7633h |
shl eax, 08h |
mov al, byte ptr [esi] |
inc esi |
xor eax, FFFFFFFFh |
je 00007F067CDF7697h |
sar eax, 1 |
mov ebp, eax |
jmp 00007F067CDF762Dh |
add ebx, ebx |
jne 00007F067CDF7629h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F067CDF75EEh |
inc ecx |
add ebx, ebx |
jne 00007F067CDF7629h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F067CDF75E0h |
add ebx, ebx |
jne 00007F067CDF7629h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
add ebx, ebx |
jnc 00007F067CDF7611h |
jne 00007F067CDF762Bh |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jnc 00007F067CDF7606h |
add ecx, 02h |
cmp ebp, FFFFFB00h |
adc ecx, 02h |
lea edx, dword ptr [edi+ebp] |
cmp ebp, FFFFFFFCh |
jbe 00007F067CDF7630h |
mov al, byte ptr [edx] |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc1038 | 0x3b0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x7038 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0x76000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
UPX1 | 0x77000 | 0x43000 | 0x42200 | d1248dd07f9600cf0199efb427a3e365 | False | 0.9920951973062382 | , Monaural | 7.928941419297798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xba000 | 0x8000 | 0x7400 | 081e9bf7107c6346fa754a81d71e3c24 | False | 0.5646214978448276 | data | 5.907914622258372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xba5cc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
RT_ICON | 0xba6f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
RT_ICON | 0xba824 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
RT_ICON | 0xba950 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974 |
RT_ICON | 0xbafbc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689 |
RT_ICON | 0xbb2a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919 |
RT_ICON | 0xbb3d4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474 |
RT_ICON | 0xbc280 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856 |
RT_ICON | 0xbcb2c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445 |
RT_ICON | 0xbd098 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021 |
RT_ICON | 0xbf644 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758 |
RT_ICON | 0xc06f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702 |
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 1.1375 |
RT_DIALOG | 0xb1b78 | 0xfc | OpenPGP Public Key | English | Great Britain | 1.0436507936507937 |
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 1.0082831325301205 |
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 1.006547619047619 |
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 1.0089285714285714 |
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 1.0071801566579635 |
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 1.0067567567567568 |
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 1.0121681415929205 |
RT_STRING | 0xb3cf0 | 0x158 | data | English | United States | 1.0232558139534884 |
RT_GROUP_ICON | 0xc0b5c | 0x84 | data | English | Great Britain | 0.6439393939393939 |
RT_GROUP_ICON | 0xc0be4 | 0x14 | data | English | Great Britain | 1.15 |
RT_GROUP_ICON | 0xc0bfc | 0x14 | data | English | Great Britain | 1.25 |
RT_GROUP_ICON | 0xc0c14 | 0x14 | data | English | Great Britain | 1.25 |
RT_VERSION | 0xc0c2c | 0x19c | data | English | Great Britain | 0.5339805825242718 |
RT_MANIFEST | 0xc0dcc | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581 |
DLL | Import |
---|---|
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
ADVAPI32.dll | GetAce |
COMCTL32.dll | ImageList_Remove |
COMDLG32.dll | GetSaveFileNameW |
GDI32.dll | LineTo |
MPR.dll | WNetGetConnectionW |
ole32.dll | CoInitialize |
OLEAUT32.dll | VariantInit |
PSAPI.DLL | EnumProcesses |
SHELL32.dll | DragFinish |
USER32.dll | GetDC |
USERENV.dll | LoadUserProfileW |
VERSION.dll | VerQueryValueW |
WININET.dll | FtpOpenFileW |
WINMM.dll | timeGetTime |
WSOCK32.dll | recv |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain | |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T06:37:59.980284+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
2024-09-27T06:37:59.980284+0200 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
2024-09-27T06:37:59.980284+0200 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
2024-09-27T06:38:14.092467+0200 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
2024-09-27T06:38:14.092467+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.8 | 49704 | 162.214.80.31 | 587 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 06:38:12.391024113 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:12.396107912 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:12.396236897 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:13.036185026 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.037348032 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:13.042208910 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.192925930 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.193761110 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:13.198745012 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.355595112 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.356596947 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:13.361423016 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.540183067 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.540595055 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:13.545491934 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.694763899 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.696082115 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:13.701009035 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.932413101 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:13.932635069 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:13.937776089 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:14.091700077 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:14.092407942 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:14.092467070 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:14.092492104 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:14.092511892 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:38:14.104558945 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:14.104597092 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:14.104607105 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:14.104617119 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:14.256876945 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:38:14.308284998 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:39:52.386990070 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:39:52.484513998 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:39:52.835098028 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:39:52.835350990 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Sep 27, 2024 06:39:52.835432053 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:39:52.836981058 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 |
Sep 27, 2024 06:39:52.841813087 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 06:38:12.372119904 CEST | 49223 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 27, 2024 06:38:12.383774042 CEST | 53 | 49223 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 27, 2024 06:38:12.372119904 CEST | 192.168.2.8 | 1.1.1.1 | 0x251a | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 27, 2024 06:38:12.383774042 CEST | 1.1.1.1 | 192.168.2.8 | 0x251a | No error (0) | 162.214.80.31 | A (IP address) | IN (0x0001) | false |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Sep 27, 2024 06:38:13.036185026 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 220-sh011.webhostingservices.com ESMTP Exim 4.96.2 #2 Fri, 27 Sep 2024 10:08:12 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Sep 27, 2024 06:38:13.037348032 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 | EHLO 258555 |
Sep 27, 2024 06:38:13.192925930 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 250-sh011.webhostingservices.com Hello 258555 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Sep 27, 2024 06:38:13.193761110 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 | AUTH login YWNjb3VudHNAbmF2ZWVudG91ci5jb20= |
Sep 27, 2024 06:38:13.355595112 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 334 UGFzc3dvcmQ6 |
Sep 27, 2024 06:38:13.540183067 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 235 Authentication succeeded |
Sep 27, 2024 06:38:13.540595055 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 | MAIL FROM:<accounts@naveentour.com> |
Sep 27, 2024 06:38:13.694763899 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 250 OK |
Sep 27, 2024 06:38:13.696082115 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 | RCPT TO:<ericsales878@gmail.com> |
Sep 27, 2024 06:38:13.932413101 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 250 Accepted |
Sep 27, 2024 06:38:13.932635069 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 | DATA |
Sep 27, 2024 06:38:14.091700077 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 354 Enter message, ending with "." on a line by itself |
Sep 27, 2024 06:38:14.092511892 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 | . |
Sep 27, 2024 06:38:14.256876945 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 250 OK id=1su2kA-000UoZ-02 |
Sep 27, 2024 06:39:52.386990070 CEST | 49704 | 587 | 192.168.2.8 | 162.214.80.31 | QUIT |
Sep 27, 2024 06:39:52.835098028 CEST | 587 | 49704 | 162.214.80.31 | 192.168.2.8 | 221 sh011.webhostingservices.com closing connection |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 00:38:05 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\Desktop\shipping documents.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 829'895 bytes |
MD5 hash: | C5516FF1D3704BAD31059E7D7CA7CFE7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 00:38:10 |
Start date: | 27/09/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfe0000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |
Target ID: | 4 |
Start time: | 00:38:22 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\AppData\Roaming\boqXv\boqXv.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x90000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 00:38:22 |
Start date: | 27/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 00:38:30 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\AppData\Roaming\boqXv\boqXv.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x480000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 00:38:30 |
Start date: | 27/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 12.3% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 125 |
Total number of Limit Nodes: | 11 |
Graph
Function 0193A3D8 Relevance: 5.5, Instructions: 5484COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067F8F18 Relevance: 2.0, Strings: 1, Instructions: 776COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067F3288 Relevance: 1.8, Strings: 1, Instructions: 598COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067F0040 Relevance: 1.5, Instructions: 1498COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01933EB0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067F42D0 Relevance: .8, Instructions: 817COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067FC088 Relevance: .6, Instructions: 574COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01939810 Relevance: .5, Instructions: 541COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067F5A58 Relevance: .5, Instructions: 477COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067FE0A0 Relevance: .3, Instructions: 331COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01934AC8 Relevance: .3, Instructions: 266COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067EB690 Relevance: .2, Instructions: 217COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067E26C0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067E26BB Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067EAD50 Relevance: 1.7, APIs: 1, Instructions: 203COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067ECF24 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067ECF30 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067EA41C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067E2900 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067E2908 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01937349 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01937350 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067FD6F4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067FE608 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067EAF50 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 018ED01C Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 018ED006 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 019341F8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067F5378 Relevance: .5, Instructions: 468COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067F39D8 Relevance: .4, Instructions: 417COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 067E8CF0 Relevance: .3, Instructions: 264COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B1340 Relevance: .6, Instructions: 590COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B0BC0 Relevance: .3, Instructions: 335COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B1230 Relevance: .1, Instructions: 88COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B1240 Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B1C00 Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B1C10 Relevance: .0, Instructions: 44COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B0F9D Relevance: .0, Instructions: 23COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B0898 Relevance: .0, Instructions: 22COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B1AE0 Relevance: .0, Instructions: 18COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 021B08A8 Relevance: .0, Instructions: 17COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA1340 Relevance: .5, Instructions: 520COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA0CE3 Relevance: .2, Instructions: 197COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA123B Relevance: .1, Instructions: 84COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA1240 Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA1AE0 Relevance: .1, Instructions: 66COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA1C09 Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA1C10 Relevance: .0, Instructions: 44COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA0F9D Relevance: .0, Instructions: 23COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA1AD8 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA1B68 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA08A3 Relevance: .0, Instructions: 20COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BA08A8 Relevance: .0, Instructions: 17COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|