Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
| Analysis ID: | 1521517 |
| MD5: | 422bd6b228bc054bd1c22de49f706a0f |
| SHA1: | 4efd522c32541f1e9c60c0183424f28276d5fc02 |
| SHA256: | bb6c3e7f98d3b40cb754d80c1de0c7d630c7dafb49c5582740d40cf928ee094b |
| Tags: | exe |
| Infos: |  |
 | |
Detection
Metasploit
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe (PID: 2132 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.Dow nloaderNET .45.17732. 20664.exe" MD5: 422BD6B228BC054BD1C22DE49F706A0F)
- cleanup
{"Type": "Metasploit Connect", "IP": "219.150.121.100", "Port": 4449}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
| Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown |
| |
| Windows_Trojan_Metasploit_91bc5d7d | unknown | unknown |
|
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6E1215740 | |
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_0000025959553438 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00007FF6E121A2C8 | |
| Source: | Code function: | 0_2_00007FF6E1213E1C | |
| Source: | Code function: | 0_2_00007FF6E1215510 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF6E1211190 | |
| Source: | Code function: | 0_2_00007FF6E1211310 | |
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6E1242A00 | |
| Source: | Code function: | 0_2_00007FF6E1220F2E | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF6E1215740 | |
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-6734 | ||
| Source: | API call chain: | graph_0-7290 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6E1211D58 | |
| Source: | Code function: | 0_2_00007FF6E1242A00 | |
| Source: | Code function: | 0_2_00007FF6E1217540 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF6E1211D58 | |
| Source: | Code function: | 0_2_00007FF6E1215064 | |
| Source: | Code function: | 0_2_00007FF6E1219EA0 | |
| Source: | Code function: | 0_2_00007FF6E1211C34 | |
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Obfuscated Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 55% | ReversingLabs | Win64.Trojan.Shelma | ||
| 100% | Avira | TR/Kryptik.tyipy |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 219.150.121.100 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1521517 |
| Start date and time: | 2024-09-28 20:35:09 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
| Detection: | MAL |
| Classification: | mal84.troj.winEXE@1/0@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- VT rate limit hit for: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe
⊘No simulations
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CHINANET-BACKBONENo31Jin-rongStreetCN | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.020158369072848 |
| TrID: |
|
| File name: | SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
| File size: | 139'264 bytes |
| MD5: | 422bd6b228bc054bd1c22de49f706a0f |
| SHA1: | 4efd522c32541f1e9c60c0183424f28276d5fc02 |
| SHA256: | bb6c3e7f98d3b40cb754d80c1de0c7d630c7dafb49c5582740d40cf928ee094b |
| SHA512: | 592e5a0a5d18e7c612355f9fac2e9a0a51b46a267620903ab201139ad9664927404c3adff51f3b99c8ff31983e391dba4293cb7ecbf5afd22055ae37b8918f45 |
| SSDEEP: | 3072:jV2cN0fKTM//iB/buAsKFNmhMn7Ihjj/IDRM:jVvN0fKyOaCQf |
| TLSH: | 1CD3694A6A5F81A1D4749071437B97F62B2D1F62A9C7C68CA7C03F06E57E181F90AB33 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3<.w]o.w]o.w]ok..o.w]ok..o.w]ok..o.w]o.)^n.w]o.)Xn.w]o.)Yn.w]o...o.w]o.w\o.w]oH)Tn.w]oM).o.w]oH)_n.w]oRich.w]o............... |
 | |
| Icon Hash: | 116d663019252118 |
| Entrypoint: | 0x140032990 |
| Entrypoint Section: | UPX1 |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5FC5DB9D [Tue Dec 1 05:58:53 2020 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 945415513a1d001a8c17a55e1a5cdfd0 |
| Instruction |
|---|
| push ebx |
| push esi |
| push edi |
| push ebp |
| dec eax |
| lea esi, dword ptr [FFFF2665h] |
| dec eax |
| lea edi, dword ptr [esi-00024000h] |
| push edi |
| xor ebx, ebx |
| xor ecx, ecx |
| dec eax |
| or ebp, FFFFFFFFh |
| call 00007F270540D925h |
| add ebx, ebx |
| je 00007F270540D8D4h |
| rep ret |
| mov ebx, dword ptr [esi] |
| dec eax |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| mov dl, byte ptr [esi] |
| rep ret |
| dec eax |
| lea eax, dword ptr [edi+ebp] |
| cmp ecx, 05h |
| mov dl, byte ptr [eax] |
| jbe 00007F270540D8F3h |
| dec eax |
| cmp ebp, FFFFFFFCh |
| jnbe 00007F270540D8EDh |
| sub ecx, 04h |
| mov edx, dword ptr [eax] |
| dec eax |
| add eax, 04h |
| sub ecx, 04h |
| mov dword ptr [edi], edx |
| dec eax |
| lea edi, dword ptr [edi+04h] |
| jnc 00007F270540D8C1h |
| add ecx, 04h |
| mov dl, byte ptr [eax] |
| je 00007F270540D8E2h |
| dec eax |
| inc eax |
| mov byte ptr [edi], dl |
| sub ecx, 01h |
| mov dl, byte ptr [eax] |
| dec eax |
| lea edi, dword ptr [edi+01h] |
| jne 00007F270540D8C2h |
| rep ret |
| cld |
| inc ecx |
| pop ebx |
| jmp 00007F270540D8DAh |
| dec eax |
| inc esi |
| mov byte ptr [edi], dl |
| dec eax |
| inc edi |
| mov dl, byte ptr [esi] |
| add ebx, ebx |
| jne 00007F270540D8DCh |
| mov ebx, dword ptr [esi] |
| dec eax |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| mov dl, byte ptr [esi] |
| jc 00007F270540D8B8h |
| lea eax, dword ptr [ecx+01h] |
| inc ecx |
| call ebx |
| adc eax, eax |
| add ebx, ebx |
| jne 00007F270540D8DCh |
| mov ebx, dword ptr [esi] |
| dec eax |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| mov dl, byte ptr [esi] |
| jnc 00007F270540D8BDh |
| sub eax, 03h |
| jc 00007F270540D8E5h |
| shl eax, 08h |
| movzx edx, dl |
| or eax, edx |
| dec eax |
| inc esi |
| xor eax, FFFFFFFFh |
| je 00007F270540D90Ch |
| dec eax |
| arpl ax, bp |
| lea eax, dword ptr [ecx+01h] |
| inc ecx |
| call ebx |
| adc ecx, ecx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x46c08 | 0xdc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0x13c08 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x16000 | 0xc9c | UPX0 |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x46ce4 | 0x10 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32bd8 | 0x94 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x24000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0x25000 | 0xe000 | 0xde00 | de332000c5fce3ab59a448af66fb3532 | False | 0.9720931869369369 | data | 7.8824933311563585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x33000 | 0x14000 | 0x13e00 | 162541faf4835773b5b585e8eb6a7972 | False | 0.5005159198113207 | data | 6.156013907001858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x3338c | 0x3d97 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.985666264983827 |
| RT_ICON | 0x37128 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.30095204513399154 |
| RT_ICON | 0x38754 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.40911513859275056 |
| RT_ICON | 0x39600 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.43772563176895307 |
| RT_ICON | 0x39eac | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.4683179723502304 |
| RT_ICON | 0x3a578 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3800578034682081 |
| RT_ICON | 0x3aae4 | 0x30fa | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9686552879247089 |
| RT_ICON | 0x3dbe4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.13911195087387812 |
| RT_ICON | 0x41e10 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1908713692946058 |
| RT_ICON | 0x443bc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.2619606003752345 |
| RT_ICON | 0x45468 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.33852459016393444 |
| RT_ICON | 0x45df4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.375886524822695 |
| RT_RCDATA | 0x2b22c | 0x37ee | data | 0.9610979187037296 | ||
| RT_GROUP_ICON | 0x46260 | 0xae | data | English | United States | 0.632183908045977 |
| RT_VERSION | 0x46314 | 0x3a8 | data | English | United States | 0.4230769230769231 |
| RT_MANIFEST | 0x466c0 | 0x545 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4558932542624166 |
| DLL | Import |
|---|---|
| ADVAPI32.dll | RegCloseKey |
| KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 28, 2024 20:36:12.132560015 CEST | 49718 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:12.137522936 CEST | 4449 | 49718 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:36:12.137598991 CEST | 49718 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:33.522722006 CEST | 4449 | 49718 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:36:33.523868084 CEST | 49718 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:33.524277925 CEST | 49718 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:33.525057077 CEST | 49728 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:33.529181004 CEST | 4449 | 49718 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:36:33.529923916 CEST | 4449 | 49728 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:36:33.531883001 CEST | 49728 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:54.900733948 CEST | 4449 | 49728 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:36:54.900835991 CEST | 49728 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:54.918309927 CEST | 49728 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:54.923162937 CEST | 4449 | 49728 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:36:54.931788921 CEST | 49731 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:36:54.936619043 CEST | 4449 | 49731 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:36:54.936696053 CEST | 49731 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:16.356545925 CEST | 4449 | 49731 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:16.356673956 CEST | 49731 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:16.357364893 CEST | 49731 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:16.358642101 CEST | 49736 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:16.362487078 CEST | 4449 | 49731 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:16.363841057 CEST | 4449 | 49736 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:16.363950014 CEST | 49736 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:37.789203882 CEST | 4449 | 49736 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:37.789289951 CEST | 49736 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:37.789753914 CEST | 49736 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:37.790601969 CEST | 49738 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:37.794502974 CEST | 4449 | 49736 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:37.795418024 CEST | 4449 | 49738 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:37.795494080 CEST | 49738 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:59.168792963 CEST | 4449 | 49738 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:59.168987989 CEST | 49738 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:59.169445038 CEST | 49738 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:59.170254946 CEST | 49740 | 4449 | 192.168.2.5 | 219.150.121.100 |
| Sep 28, 2024 20:37:59.178303003 CEST | 4449 | 49738 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:59.179666996 CEST | 4449 | 49740 | 219.150.121.100 | 192.168.2.5 |
| Sep 28, 2024 20:37:59.179790020 CEST | 49740 | 4449 | 192.168.2.5 | 219.150.121.100 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 14:36:10 |
| Start date: | 28/09/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6e1210000 |
| File size: | 139'264 bytes |
| MD5 hash: | 422BD6B228BC054BD1C22DE49F706A0F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 3.9% |
| Dynamic/Decrypted Code Coverage: | 1% |
| Signature Coverage: | 9.4% |
| Total number of Nodes: | 1037 |
| Total number of Limit Nodes: | 11 |
Graph
Function 0000025959553438 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 163networklibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF6E1242A00 Relevance: 6.2, APIs: 4, Instructions: 174librarymemoryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1211480 Relevance: 7.5, APIs: 5, Instructions: 44memorysynchronizationthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E121429C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1215064 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1215510 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1215740 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E121A2C8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1213E1C Relevance: 1.4, Strings: 1, Instructions: 139COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1219EA0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1211250 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E12130AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1214574 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1219CB4 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1218F6C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1214ED0 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E12135D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1216A28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6E1212188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|