Windows Analysis Report
Setup.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Setup.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 9AFBB0324051E70F1547C64245BC2DF2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before stealing further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["processhol.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs", "peepburry828.sbs", "p3ar11fter.sbs"], "Build id": "yJEcaG--vick"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-23T12:13:19.675065+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49730 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:20.365527+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:20.365527+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:21.651074+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49739 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:22.372936+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49739 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:22.372936+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49739 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:23.998294+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49745 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:26.122673+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49750 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:28.323221+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49756 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:30.769012+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49762 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:31.363301+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49762 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:32.988573+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49769 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:36.449361+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49779 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:37.141318+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49779 | 104.21.20.178 | 443 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: | (10 entries) |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | (8 entries) |
Source: | Static PE information: |
Source: | Binary string: |
Source: | File opened: | (6 entries) |
Networking |
---|
Source: | Suricata IDS: | (6 entries) |
Source: | URLs: | (5 entries) |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | (8 entries) |
Source: | HTTP traffic detected: | (8 entries) |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | (56 entries) |
Source: | Network traffic detected: | (16 entries) |
Source: | HTTPS traffic detected: | (8 entries) |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 0_3_0314B727 | (20 entries) |
Source: | Static PE information: |
Source: | Binary or memory string: | (3 entries) |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: | (2 entries) |
Source: | File read: |
Source: | Section loaded: | (53 entries) |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | (2 entries) |
Source: | Static PE information: | (6 entries) |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | (5 entries) |
Source: | Static PE information: |
Source: | Code function: | 0_3_0314EF6E | (4 entries) |
Source: | Code function: | 0_3_0314EF86 | (4 entries) |
Source: | Code function: | 0_3_0314766D | (2 entries) |
Source: | Code function: | 0_3_03145249 | (2 entries) |
Source: | Code function: | 0_3_05C30DE2 | (7 entries) |
Source: | Code function: | 0_3_05C30DFA | (7 entries) |
Source: | Code function: | 0_3_05C2D583 | (4 entries) |
Source: | Code function: | 0_3_05C30D82 |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | File opened: | (6 entries) |
Source: | Binary or memory string: | (34 entries) |
Source: | Process information queried: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | (5 entries) |
Source: | Queries volume information: |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | (3 entries) |
Source: | String found in binary or memory: | (7 entries) |
Source: | File opened: | (108 entries) |
Source: | File opened: | (7 entries) |
Source: | File opened: | (12 entries) |
Source: | Directory queried: | (10 entries) |
Source: | File source: | (2 entries) |
Remote Access Functionality |
---|
Source: | File source: | (3 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 11 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 13% | ReversingLabs | | |
| 6% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(6 URLs) | 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
sturdy-operated.cyou | 104.21.20.178 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(1 entry) | true | | unknown |
(4 entries) | false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(5 entries) | | false | | unknown |
(25 entries) | | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.20.178 | sturdy-operated.cyou | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1561424 |
Start date and time: | 2024-11-23 12:12:11 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Setup.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Setup.exe, PID 6924 because there are no executed functions
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
06:13:19 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.20.178 | Get hash | malicious | Vidar | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | Amadey, Stealc, Vidar | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | Amadey, Stealc, Vidar | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | LummaC Stealer | Browse |
File type: | |
Entropy (8bit): | 6.506621520132692 |
TrID: |
File name: | Setup.exe |
File size: | 8'710'648 bytes |
MD5: | 9afbb0324051e70f1547c64245bc2df2 |
SHA1: | 3687efd1229f5023b1617305071652421941d52e |
SHA256: | 8432d382a8bc238b236f3ef6e1b075f4a1bc048a115a16eae72f0adca56e74ff |
SHA512: | 2be2bf2d648f97022d75a55dca5f81d964ab6872b639282ea5a7f6d3d715f2f4a3d22c428164f24533eee6ac2964394ebc8f884e2100b33a5a1b25901d5ddceb |
SSDEEP: | 49152:gbDYuz79c82lFKcMvk3ACBNw++LZKKv2OopZo85r5lA/UTHyPr4m/JdY+RKM1Gcs:/uqxbBN97Xm85FlTTHGXCrA6pNNWQ4A |
TLSH: | 54963B6133A1857EF96159F0293CAE2F106E7D290778B4DB92984D1D9DB8AC30E35F23 |
File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........<L..R...R...R.......R.....!.R.......R...Q...R...W...R...V...R._.W...R.-.W...R.......R.......R...S...R.-.[...R.(.....R.......R |
Icon Hash: | 45a1a6aaaaaad445 |
Entrypoint: | 0x89dab0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x673BE60E [Tue Nov 19 01:12:46 2024 UTC] |
TLS Callbacks: | 0x8c86b0, 0x8c8730 |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 5f9c4c530d93260baff0b3f583edf984 |
Signature Valid: | false |
Signature Issuer: | CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | A1F139CE99F63FBE0F981EB442FA1CA0 |
Thumbprint SHA-1: | DDEF07D6E8BA075FDD533B498A7D314F973DA83A |
Thumbprint SHA-256: | E39E3C64515EA90D5ADE352664FF0AC6F1F0F6981B804A188F00599456E05FFE |
Serial: | 1B1A623EC9C6C3F7A15E4CCC |
Instruction |
---|
call 00007F1E28DA25E9h |
jmp 00007F1E28DA19CDh |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [00955170h] |
push dword ptr [ebp+08h] |
call dword ptr [0095516Ch] |
push C0000409h |
call dword ptr [0095526Ch] |
push eax |
call dword ptr [00955120h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007F1E28DCA455h |
test eax, eax |
je 00007F1E28DA1B57h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [00B62A50h], eax |
mov dword ptr [00B62A4Ch], ecx |
mov dword ptr [00B62A48h], edx |
mov dword ptr [00B62A44h], ebx |
mov dword ptr [00B62A40h], esi |
mov dword ptr [00B62A3Ch], edi |
mov word ptr [00B62A68h], ss |
mov word ptr [00B62A5Ch], cs |
mov word ptr [00B62A38h], ds |
mov word ptr [00B62A34h], es |
mov word ptr [00B62A30h], fs |
mov word ptr [00B62A2Ch], gs |
pushfd |
pop dword ptr [00B62A60h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [00B62A54h], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00B62A58h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [00B62A64h], eax |
mov eax, dword ptr [ebp-00000324h] |
mov dword ptr [00B629A0h], 00010001h |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73efac | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x768000 | 0x38c1d | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x84bc00 | 0x2df8 | .reloc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a1000 | 0x5cdc4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x683f00 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x683fcc | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x683f70 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x555000 | 0x4ac | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x553378 | 0x553400 | 1bcf1e874d49fbab928b46f9dceab092 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x555000 | 0x1eb9de | 0x1eba00 | 537cdd85d6d0ef5d3af826c63bd46b51 | False | 0.2115835756737859 | Applesoft BASIC program data, first line number 116 | 4.707412364146742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x741000 | 0x259d8 | 0x21200 | e73619ac6dca1bbe2cc5602584b2d4d4 | False | 0.16972287735849056 | data | 5.204107514023323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x767000 | 0x99 | 0x200 | 8e3343efa9afc26ac6caf49228cbe049 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x768000 | 0x38c1d | 0x38e00 | 4d3cbc6146233375b1585d71492c9d6e | False | 0.19540693681318683 | data | 5.3955782918527015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x7a1000 | 0xb2800 | 0xb2800 | 93c424b3704ec68ffae26977ce97e8c6 | False | 0.5799194677871149 | GeoSwath RDF | 7.400171789015709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x768280 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 6912 | English | United States | 0.2531352235550709 |
RT_ICON | 0x769f28 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 768 | English | United States | 0.24655963302752293 |
RT_ICON | 0x76a290 | 0x32028 | Device independent bitmap graphic, 256 x 512 x 24, image size 196608 | English | United States | 0.18309900410076158 |
RT_ICON | 0x79c2b8 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | English | United States | 0.3345679012345679 |
RT_ICON | 0x79cf60 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12288 | English | United States | 0.2510903426791277 |
RT_DIALOG | 0x7a0188 | 0x270 | data | English | United States | 0.5032051282051282 |
RT_STRING | 0x7a03f8 | 0x31c | data | English | United States | 0.3944723618090452 |
RT_GROUP_ICON | 0x7a0714 | 0x4c | data | English | United States | 0.7894736842105263 |
RT_VERSION | 0x7a0760 | 0x340 | data | English | United States | 0.4579326923076923 |
RT_MANIFEST | 0x7a0aa0 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
WS2_32.dll | htonl, WSAStringToAddressW, ntohl, closesocket, inet_ntoa, gethostbyaddr, getservbyport, gethostbyname, inet_addr, setsockopt, bind, listen, WSAEventSelect, shutdown, WSASetLastError, ioctlsocket, accept, WSAEnumProtocolsW, WSCGetProviderPath, WSASocketW, connect, WSAEnumNetworkEvents, WSAGetOverlappedResult, WSARecv, WSAGetLastError, getservbyname, ntohs, getsockname, WSASend, getpeername, WSACleanup, htons, WSAStartup |
KERNEL32.dll | GetEnvironmentVariableW, FoldStringW, FindFirstFileW, FindClose, LoadLibraryExW, GetNumberOfConsoleInputEvents, GetConsoleScreenBufferInfo, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, GetConsoleCursorInfo, SetConsoleMode, GetConsoleMode, CreateFileW, SetFilePointer, OpenEventW, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, WaitNamedPipeW, FileTimeToSystemTime, SystemTimeToFileTime, SetHandleInformation, CreateNamedPipeW, ConnectNamedPipe, Sleep, SetEndOfFile, MulDiv, DeleteFileW, CopyFileW, ProcessIdToSessionId, TerminateProcess, GetLogicalDrives, SetCurrentDirectoryW, GetExitCodeProcess, SetEnvironmentVariableW, SystemTimeToTzSpecificLocalTime, GetDateFormatW, GetTimeFormatW, OutputDebugStringW, GetStringTypeW, CreateMutexW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, LCMapStringW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, WaitForSingleObjectEx, InitializeSListHead, GetStartupInfoW, QueryPerformanceCounter, RtlUnwind, InterlockedPushEntrySList, ReadConsoleInputA, ExitThread, FreeLibraryAndExitThread, HeapAlloc, HeapReAlloc, HeapFree, GetCommandLineA, SwitchToFiber, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetComputerNameExW, GetProcessHeap, GetTimeZoneInformation, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetStdHandle, SetFilePointerEx, FlushFileBuffers, GetFileAttributesW, GetModuleFileNameW, GetModuleHandleExW, InterlockedCompareExchange, CreateProcessW, ResetEvent, WaitForSingleObject, GetCurrentProcessId, MultiByteToWideChar, WideCharToMultiByte, LeaveCriticalSection, TryEnterCriticalSection, EnterCriticalSection, InitializeCriticalSection, InterlockedDecrement, InterlockedIncrement, InterlockedExchangeAdd, SwitchToThread, InterlockedExchange, ConvertThreadToFiber, ConvertFiberToThread, DeleteCriticalSection, DecodePointer, GetWindowsDirectoryW, GetLongPathNameW, GetFullPathNameW, GetTempPathW, GetConsoleTitleW, GetModuleHandleA, LoadLibraryW, GetSystemDirectoryW, VerSetConditionMask, GetCurrentProcess, FreeLibrary, RtlCaptureStackBackTrace, RaiseException, InitializeCriticalSectionAndSpinCount, IsDebuggerPresent, GetCommandLineW, SetConsoleTitleW, CreateEventW, GetLastError, SetLastError, CloseHandle, SetEvent, SetConsoleCtrlHandler, CreateFiberEx, GetSystemTime, CreateFileA, OutputDebugStringA, CompareStringW, GetProcAddress, GetModuleHandleW, ExitProcess, HeapSize, GetCurrentDirectoryW, GetModuleFileNameA, DebugBreak, FormatMessageW, lstrlenW, LocalFree, ReadFile, ReadConsoleW, IsDBCSLeadByteEx, WriteFile, WriteConsoleW, GetFileSizeEx, GetFileType, GetLocaleInfoW, GetOEMCP, GetACP, GetConsoleOutputCP, GetConsoleCP, GetStdHandle, WaitForMultipleObjects, GetCurrentThreadId, ReleaseMutex, CreateThread, GetNumberFormatW, LocalSize, LocalAlloc, CancelIo, DeleteFiber, EncodePointer, ReadConsoleInputW, FillConsoleOutputCharacterW, WaitForMultipleObjectsEx, GetFileSize, GetFileTime, SetFileTime, MoveFileExW, ExpandEnvironmentStringsW, CreateDirectoryW, RemoveDirectoryW, QueryPerformanceFrequency, GetLocalTime, LoadLibraryA, GetSystemDirectoryA, GetOverlappedResult |
USER32.dll | CallWindowProcW, RemovePropA, GetPropA, CharUpperW, DestroyIcon, MessageBoxA, wsprintfA, GetProcessWindowStation, GetUserObjectInformationW, GetKeyState, CharLowerW, SendMessageW, GetSysColor, MessageBeep, ReleaseDC, GetDC, FindWindowW, CharLowerBuffW, MessageBoxW |
Secur32.dll | VerifySignature, QuerySecurityPackageInfoA, EnumerateSecurityPackagesA, FreeContextBuffer, MakeSignature, InitializeSecurityContextW, AcquireCredentialsHandleW, AcquireCredentialsHandleA, AcceptSecurityContext, InitializeSecurityContextA, DeleteSecurityContext, FreeCredentialsHandle |
USERENV.dll | GetUserProfileDirectoryW |
GDI32.dll | GetDeviceCaps, DeleteDC |
ADVAPI32.dll | AddAccessAllowedAceEx, EqualSid, LookupAccountSidW, GetTokenInformation, OpenProcessToken, RegNotifyChangeKeyValue, GetNamedSecurityInfoW, CryptGenRandom, CryptReleaseContext, CryptAcquireContextA, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, SetSecurityDescriptorControl, SetSecurityDescriptorDacl, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetAclInformation, RegDeleteValueW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, GetUserNameW, IsValidSid, GetSidSubAuthority, GetLengthSid, CopySid, GetSidLengthRequired, InitializeSid, SetEntriesInAclW |
ole32.dll | CoTaskMemAlloc, CoTaskMemFree |
IPHLPAPI.DLL | GetTcpTable |
CRYPT32.dll | CryptUnprotectData, CryptProtectData |
SHELL32.dll | SHGetFolderPathW, SHFileOperationW, ShellExecuteExW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-23T12:13:19.675065+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49730 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:20.365527+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49730 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:20.365527+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49730 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:21.651074+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49739 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:22.372936+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49739 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:22.372936+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49739 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:23.998294+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49745 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:26.122673+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49750 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:28.323221+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49756 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:30.769012+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49762 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:31.363301+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49762 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:32.988573+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49769 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:36.449361+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49779 | 104.21.20.178 | 443 | TCP |
2024-11-23T12:13:37.141318+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49779 | 104.21.20.178 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 23, 2024 12:13:18.395561934 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:18.395593882 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:18.395674944 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:18.399002075 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:18.399014950 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:19.674957991 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:19.675065041 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:19.676727057 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:19.676733017 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:19.677131891 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:19.731792927 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:19.740686893 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:19.740714073 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:19.740871906 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:20.365616083 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:20.365921021 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:20.365983963 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:20.367698908 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:20.367708921 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:20.367736101 CET | 49730 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:20.367741108 CET | 443 | 49730 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:20.425740004 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:20.425810099 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:20.425906897 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:20.426214933 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:20.426249981 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:21.650985956 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:21.651073933 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:21.652303934 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:21.652328014 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:21.653103113 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:21.654443026 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:21.654484987 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:21.654606104 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.373003006 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.373131037 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.373178005 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.373209953 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.373325109 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.373373032 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.373390913 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.380924940 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.381004095 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.381040096 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.381061077 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.381115913 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.384591103 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.392980099 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.393044949 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.393060923 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.434911966 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.434927940 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.481774092 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.493045092 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.544274092 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.564469099 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.564646959 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.564846039 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.564870119 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.564938068 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.565056086 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.565079927 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.565104961 CET | 49739 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.565119982 CET | 443 | 49739 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.694128990 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.694169044 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:22.694433928 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.694761992 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:22.694782972 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:23.998219967 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:23.998294115 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:23.999675989 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:23.999686003 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:23.999917984 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:24.001125097 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:24.001259089 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:24.001296043 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:24.724199057 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:24.724293947 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:24.724405050 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:24.724570990 CET | 49745 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:24.724625111 CET | 443 | 49745 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:24.907560110 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:24.907604933 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:24.907680035 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:24.908035040 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:24.908044100 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.122591019 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.122673035 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:26.124104977 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:26.124114990 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.124481916 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.125706911 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:26.125897884 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:26.125931025 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.125997066 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:26.126002073 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.869348049 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.869471073 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:26.869533062 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:26.869692087 CET | 49750 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:26.869705915 CET | 443 | 49750 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:27.065709114 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:27.065743923 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:27.065853119 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:27.066245079 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:27.066260099 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:28.323148966 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:28.323220968 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:28.325045109 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:28.325052023 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:28.325289011 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:28.326754093 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:28.326886892 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:28.326919079 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:28.326987982 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:28.326997042 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:29.162974119 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:29.163254976 CET | 443 | 49756 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:29.163273096 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:29.163309097 CET | 49756 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:29.449516058 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:29.449593067 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:29.449677944 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:29.450025082 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:29.450056076 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:30.768866062 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:30.769011974 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:30.770333052 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:30.770354986 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:30.770699978 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:30.771919012 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:30.772016048 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:30.772027969 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:31.363195896 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:31.363456011 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:31.363473892 CET | 443 | 49762 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:31.363528967 CET | 49762 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:31.766724110 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:31.766746044 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:31.766834021 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:31.767200947 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:31.767213106 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.988506079 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.988573074 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.989960909 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.989968061 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.990457058 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.992741108 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.993707895 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.993750095 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.993953943 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.993995905 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.994124889 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.994179010 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.995495081 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.995521069 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.996342897 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.996370077 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.996526003 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.996555090 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:32.996570110 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.996706009 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:32.996740103 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.039407969 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:33.039613962 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.039664984 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.039689064 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.087327003 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:33.087547064 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.087593079 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.087616920 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.131378889 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:33.131486893 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:33.179333925 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:33.354995966 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:35.072922945 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:35.073065042 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:35.073167086 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:35.073450089 CET | 49769 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:35.073461056 CET | 443 | 49769 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:35.124406099 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:35.124454975 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:35.124631882 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:35.124854088 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:35.124870062 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:36.449289083 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:36.449361086 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:36.450928926 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:36.450936079 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:36.451261997 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:36.452683926 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:36.452701092 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:36.452765942 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:37.141321898 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:37.141438961 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:37.141521931 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:37.149202108 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:37.149226904 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Nov 23, 2024 12:13:37.149276972 CET | 49779 | 443 | 192.168.2.6 | 104.21.20.178 |
Nov 23, 2024 12:13:37.149283886 CET | 443 | 49779 | 104.21.20.178 | 192.168.2.6 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 23, 2024 12:13:17.905471087 CET | 56750 | 53 | 192.168.2.6 | 1.1.1.1 |
Nov 23, 2024 12:13:18.389125109 CET | 53 | 56750 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 23, 2024 12:13:17.905471087 CET | 192.168.2.6 | 1.1.1.1 | 0xc2fc | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 23, 2024 12:13:18.389125109 CET | 1.1.1.1 | 192.168.2.6 | 0xc2fc | No error (0) | 104.21.20.178 | A (IP address) | IN (0x0001) | false |
Nov 23, 2024 12:13:18.389125109 CET | 1.1.1.1 | 192.168.2.6 | 0xc2fc | No error (0) | 172.67.193.71 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.6 | 49730 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:19 UTC | 267 | OUT | |
2024-11-23 11:13:19 UTC | 8 | OUT | |
2024-11-23 11:13:20 UTC | 1025 | IN | |
2024-11-23 11:13:20 UTC | 7 | IN | |
2024-11-23 11:13:20 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.6 | 49739 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:21 UTC | 268 | OUT | |
2024-11-23 11:13:21 UTC | 46 | OUT | |
2024-11-23 11:13:22 UTC | 1017 | IN | |
2024-11-23 11:13:22 UTC | 352 | IN | |
2024-11-23 11:13:22 UTC | 1369 | IN | |
2024-11-23 11:13:22 UTC | 1369 | IN | |
2024-11-23 11:13:22 UTC | 1369 | IN | |
2024-11-23 11:13:22 UTC | 1369 | IN | |
2024-11-23 11:13:22 UTC | 1369 | IN | |
2024-11-23 11:13:22 UTC | 374 | IN | |
2024-11-23 11:13:22 UTC | 1369 | IN | |
2024-11-23 11:13:22 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.6 | 49745 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:23 UTC | 276 | OUT | |
2024-11-23 11:13:23 UTC | 12798 | OUT | |
2024-11-23 11:13:24 UTC | 1031 | IN | |
2024-11-23 11:13:24 UTC | 19 | IN | |
2024-11-23 11:13:24 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.6 | 49750 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:26 UTC | 287 | OUT | |
2024-11-23 11:13:26 UTC | 15110 | OUT | |
2024-11-23 11:13:26 UTC | 1017 | IN | |
2024-11-23 11:13:26 UTC | 19 | IN | |
2024-11-23 11:13:26 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.6 | 49756 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:28 UTC | 285 | OUT | |
2024-11-23 11:13:28 UTC | 15331 | OUT | |
2024-11-23 11:13:28 UTC | 4625 | OUT | |
2024-11-23 11:13:29 UTC | 1021 | IN | |
2024-11-23 11:13:29 UTC | 19 | IN | |
2024-11-23 11:13:29 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.6 | 49762 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:30 UTC | 280 | OUT | |
2024-11-23 11:13:30 UTC | 1182 | OUT | |
2024-11-23 11:13:31 UTC | 1020 | IN | |
2024-11-23 11:13:31 UTC | 19 | IN | |
2024-11-23 11:13:31 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.6 | 49769 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:32 UTC | 282 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:32 UTC | 15331 | OUT | |
2024-11-23 11:13:35 UTC | 1035 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.6 | 49779 | 104.21.20.178 | 443 | 6924 | C:\Users\user\Desktop\Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-23 11:13:36 UTC | 268 | OUT | |
2024-11-23 11:13:36 UTC | 81 | OUT | |
2024-11-23 11:13:37 UTC | 1025 | IN | |
2024-11-23 11:13:37 UTC | 54 | IN | |
2024-11-23 11:13:37 UTC | 5 | IN |
Target ID: | 0 |
Start time: | 06:13:03 |
Start date: | 23/11/2024 |
Path: | C:\Users\user\Desktop\Setup.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x140000 |
File size: | 8'710'648 bytes |
MD5 hash: | 9AFBB0324051E70F1547C64245BC2DF2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Function 0314B727 Relevance: .2, Instructions: 158 COMMON
Function 0314B727 Relevance: .2, Instructions: 157 COMMON