Windows
Analysis Report
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
Overview
General Information
Sample name: | 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Analysis ID: | 1522870 |
MD5: | c515cb9490a76b18731e0ddeb339b00f |
SHA1: | ccea963a43550069a16877ee2f4ef802137415b0 |
SHA256: | 3fc957b37cf0b4e0ecfcde1dfad0bd220434e32545b5e16ebf0ef35e9c858762 |
Tags: | base64-decoded, exe, user-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe (PID: 6456, cmdline: "C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe", MD5: C515CB9490A76B18731E0DDEB339B00F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is an open-source Remote Access Tool (RAT) designed to monitor and control other computers remotely over an encrypted connection. Although published as a remote administration tool, it provides a keylogger, remote desktop control and many other functions that can harm the victim's computer, and it is delivered maliciously via spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | |
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"Server": ")8\"zc", "Ports": "$A<IlE,84,7;&gV", "Version": "*wacp!]6l[e", "BDOS": "U^2", "AES_key": "R4OsSR16j3MjPEBlkfzyOGTLnlxVVuwW", "Mutex": "n#QO", "Certificate": "UDq5O^", "ServerSignature": "1", "Group": "Oy\\iql0S13XbS4sp1@PsWg:PGIw'~?Q;ifHa#3ef8L\"SpWzk,&&}s;$/?J9UH3>j3={V'nCn.PI*|e>4&k2[2Y\"w$T+^X_j9HSG[?b*'54eS5e_~(e#Z\"n,TX*T->_qfnrv]TM^:Sm1uBPI9|\\4a^^?R|av{V =9J2E|^{wS7Zq,=)a;uL uRaE\"K5bW ycl@NpcoGBww~DzGBkD+U1vws!$\"Awn}G}9cJ6;M^g4xsh'`s^(KX%.#m`^wc.Syd?~c\"Lsj>]?`qx7a!]~a7*CV\\/w6F+j0{&]M*&[7-]2Y</uTKz[gT&GM", "AntiProcess": "HB!<i[>IoEHueVuN1#fc!@?Z#TsdM.i5RX/xjjmOH +NC,v <85~NN!Z.)uebFY`", "PasteBin": "FLVl;"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
| INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen | |
| INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen | |
| INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen | |
The report lists the same rules in three further YARA tables for other match scopes (not labelled here): Windows_Trojan_DCRat_1aeea1ac matches in all four scopes, JoeSecurity_AsyncRAT in three of them, and the three ditekSHen indicator rules in two.
System Summary |
---|
Source: | Sigma rule match; author: Florian Roth (Nextron Systems) |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-30T19:26:03.592103+0200 | 2034847 | 1 | Domain Observed Used for C2 Detected | 89.117.23.22 | 4455 | 192.168.2.4 | 49731 | TCP |
2024-09-30T19:26:03.592103+0200 | 2842478 | 1 | Malware Command and Control Activity Detected | 89.117.23.22 | 4455 | 192.168.2.4 | 49731 | TCP |
2024-09-30T19:26:03.592103+0200 | 2848048 | 1 | Domain Observed Used for C2 Detected | 89.117.23.22 | 4455 | 192.168.2.4 | 49731 | TCP |
Only the evidence source and the number of entries of each signature are listed below.
AV Detection |
---|
Source: | Avira |
Source: | Malware Configuration Extractor |
Source: | Integrated Neural Analysis Model |
Source: | Joe Sandbox ML |
Source: | Static PE information |
Networking |
---|
Source: | Suricata IDS (3 alerts; see the Suricata table) |
Source: | URLs |
Source: | DNS query |
Source: | TCP traffic |
Source: | IP Address |
Source: | ASN Name |
Source: | UDP traffic detected without corresponding DNS query (2 entries) |
Source: | DNS traffic detected |
Source: | String found in binary or memory (3 entries) |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source (4 entries) |
System Summary |
---|
Source: | Matched rule (16 entries) |
Source: | Code function: 0_2_00007FFD9B898346, 0_2_00007FFD9B89C56F, 0_2_00007FFD9B8990F2, 0_2_00007FFD9B8930E2 |
Source: | Binary or memory string (2 entries) |
Source: | Matched rule (16 entries) |
Source: | Base64 encoded string (2 entries) |
Source: | Classification label |
Source: | Mutant created (2 entries) |
Source: | Static PE information |
Source: | Static file information |
Source: | Key opened |
Source: | Section loaded (44 entries) |
Source: | Key value queried |
Source: | Static PE information (2 entries) |
Source: | Code function: 0_2_00007FFD9B8900C1 |
Boot Survival |
---|
Source: | File source (4 entries) |
Source: | Registry key monitored for changes |
Source: | Process information set (50 entries) |
Malware Analysis System Evasion |
---|
Source: | File source (4 entries) |
Source: | Binary or memory string |
Source: | Memory allocated (2 entries) |
Source: | Thread delayed |
Source: | Window / User API (2 entries) |
Source: | Thread sleep time (2 entries) |
Source: | Thread sleep count (2 entries) |
Source: | File Volume queried |
Source: | Thread delayed |
Source: | Binary or memory string (3 entries) |
Source: | Process token adjusted |
Source: | Memory allocated |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Reference to suspicious API methods (4 entries) |
Source: | Binary or memory string (2 entries) |
Source: | Queries volume information |
Source: | Key value queried |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | File source (4 entries) |
Source: | Binary or memory string (4 entries) |
Source: | WMI Queries |
Stealing of Sensitive Information |
---|
Source: | File source (3 entries) |
Remote Access Functionality |
---|
Source: | File source (3 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Obfuscated Files or Information | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 21 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1307404 | ||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
dczas.duckdns.org | 89.117.23.22 | true | true | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
89.117.23.22 | dczas.duckdns.org | Lithuania | 15419 | LRTC-ASLT | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1522870 |
Start date and time: | 2024-09-30 19:25:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 9s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/2@2/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 88.221.110.91, 2.16.100.168
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
Time | Type | Description |
---|---|---|
13:26:03 | API Interceptor |
Match | Detection | Threat Name (related samples sharing the indicator) |
---|---|---|
89.117.23.22 | malicious | AsyncRAT, DcRat (1 sample); Remcos (4); AsyncRAT (1); Njrat (1) |
dczas.duckdns.org | malicious | AsyncRAT, DcRat (1) |
LRTC-ASLT (ASN) | malicious | AsyncRAT, DcRat (1); Gafgyt, Mirai (9) |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71954 |
Entropy (8bit): | 7.996617769952133 |
Encrypted: | true |
SSDEEP: | 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ |
MD5: | 49AEBF8CBD62D92AC215B2923FB1B9F5 |
SHA1: | 1723BE06719828DDA65AD804298D0431F6AFF976 |
SHA-256: | B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F |
SHA-512: | BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.1226493792132195 |
Encrypted: | false |
SSDEEP: | 6:kKFo9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:VDnLNkPlE99SNxAhUe/3 |
MD5: | 9F6F9C45E4AFD16124569BE3C575C958 |
SHA1: | B2D2EEA9AB4B74FD5C55692833262E3D8F3C9EF2 |
SHA-256: | 5857F846F084BD66199A467EA48EA2D6A4F7BE73812BAE5FF28702CA55AEB022 |
SHA-512: | D9B78EF6D026A11A75CBE84F32EF978B9F1D5DA23C7DA52186E234BECE10B830084225AFCB72A90F6464B7C45EC7AF6A5240404D4AB300B849B3EA46A47989DD |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.619485173826498 |
TrID: |
|
File name: | 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
File size: | 48'640 bytes |
MD5: | c515cb9490a76b18731e0ddeb339b00f |
SHA1: | ccea963a43550069a16877ee2f4ef802137415b0 |
SHA256: | 3fc957b37cf0b4e0ecfcde1dfad0bd220434e32545b5e16ebf0ef35e9c858762 |
SHA512: | 120aa8b5c4fed3ea6a6393a5dd449e57b135b541352e01e7592da284aca75e57a1549a7236eb5db6ca6bfe6221b3d6d708b19b8e09e3bb361ee40bbbf62c1f53 |
SSDEEP: | 768:xGq+s3pUtDILNCCa+DiugjAWksLqR2k8A0Pip8YbggemWuNp7RvEgK/JLZVc6KN:8q+AGtQOuLWnLAHzbHpWunkJLZVclN |
TLSH: | E9237D0037D8C136E2FD4BB8A9F2A1458279D6676903CB596CC811EA2F13BC597036FE |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40cbbe |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x60930A0B [Wed May 5 21:11:39 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
(followed by 97 listed instructions of add byte ptr [eax], al: the zero-filled bytes after the stub decoded as code) |
The single jmp through the IAT slot at 0x402000 (the IAT directory at RVA 0x2000, size 8, listed below) is the native entry stub of a .NET executable: the only import is mscoree.dll!_CorExeMain, which loads the CLR and runs the managed entry point. Disassembling the native entry point therefore says nothing about the sample's behaviour; the MSIL has to be decompiled instead.
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb68 | 0x53 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xabc4 | 0xac00 | 93cad8408fde35203b2ba080b2c497ab | False | 0.502452761627907 | data | 5.64510050454448 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0xc | 0x200 | 82148d01c3935cf90ef81a3dd1fad607 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0xe0a0 | 0x2d4 | data | 0.4350828729281768 | ||
RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.40245261984392416 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-30T19:26:03.592103+0200 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 89.117.23.22 | 4455 | 192.168.2.4 | 49731 | TCP |
2024-09-30T19:26:03.592103+0200 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 89.117.23.22 | 4455 | 192.168.2.4 | 49731 | TCP |
2024-09-30T19:26:03.592103+0200 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 89.117.23.22 | 4455 | 192.168.2.4 | 49731 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 19:26:02.975022078 CEST | 49731 | 4455 | 192.168.2.4 | 89.117.23.22 |
Sep 30, 2024 19:26:02.979851007 CEST | 4455 | 49731 | 89.117.23.22 | 192.168.2.4 |
Sep 30, 2024 19:26:02.979943991 CEST | 49731 | 4455 | 192.168.2.4 | 89.117.23.22 |
Sep 30, 2024 19:26:03.103795052 CEST | 49731 | 4455 | 192.168.2.4 | 89.117.23.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 19:26:01.294095993 CEST | 59303 | 53 | 192.168.2.4 | 1.1.1.1 |
Sep 30, 2024 19:26:02.294790983 CEST | 59303 | 53 | 192.168.2.4 | 1.1.1.1 |
Sep 30, 2024 19:26:02.955117941 CEST | 53 | 59303 | 1.1.1.1 | 192.168.2.4 |
Sep 30, 2024 19:26:02.955159903 CEST | 53 | 59303 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 30, 2024 19:26:01.294095993 CEST | 192.168.2.4 | 1.1.1.1 | 0x2cdc | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 19:26:02.294790983 CEST | 192.168.2.4 | 1.1.1.1 | 0x2cdc | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 30, 2024 19:26:02.955117941 CEST | 1.1.1.1 | 192.168.2.4 | 0x2cdc | No error (0) | | | 89.117.23.22 | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 19:26:02.955159903 CEST | 1.1.1.1 | 192.168.2.4 | 0x2cdc | No error (0) | | | 89.117.23.22 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 13:25:56 |
Start date: | 30/09/2024 |
Path: | C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xdd0000 |
File size: | 48'640 bytes |
MD5 hash: | C515CB9490A76B18731E0DDEB339B00F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 21.6% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 6 |
Total number of Limit Nodes: | 0 |
Function 00007FFD9B898346 | Relevance: .5 | Instructions: 471 | COMMON |
Function 00007FFD9B8990F2 | Relevance: .5 | Instructions: 457 | COMMON |