Analysis

Category Package Started Completed Duration
FILE exe 2020-06-05 14:03:02 2020-06-05 14:09:51 409 seconds
route = tor
2020-05-13 09:10:18,071 [root] INFO: Date set to: 20200605T13:45:08, timeout set to: 200
2020-06-05 13:45:08,062 [root] DEBUG: Starting analyzer from: C:\tmp2ylp3rhi
2020-06-05 13:45:08,062 [root] DEBUG: Storing results at: C:\vwWpFYhsh
2020-06-05 13:45:08,062 [root] DEBUG: Pipe server name: \\.\PIPE\jzLTLzh
2020-06-05 13:45:08,062 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-05 13:45:08,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 13:45:08,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 13:45:08,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 13:45:08,390 [root] DEBUG: Imported analysis package "exe".
2020-06-05 13:45:08,390 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 13:45:08,406 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 13:45:08,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 13:45:08,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 13:45:08,531 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 13:45:08,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 13:45:08,546 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 13:45:08,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 13:45:08,562 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 13:45:08,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 13:45:08,562 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 13:45:08,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 13:45:08,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 13:45:08,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 13:45:08,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 13:45:08,593 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 13:45:08,593 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 13:45:08,593 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 13:45:08,593 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 13:45:08,593 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 13:45:08,593 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 13:45:08,593 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 13:45:08,593 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 13:45:10,843 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 13:45:10,875 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 13:45:10,906 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 13:45:10,906 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 13:45:10,906 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 13:45:10,906 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 13:45:10,906 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 13:45:10,953 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 13:45:10,953 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 13:45:10,953 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 13:45:10,953 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 13:45:10,953 [root] DEBUG: Started auxiliary module Browser
2020-06-05 13:45:10,953 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 13:45:10,953 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 13:45:10,953 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 13:45:10,953 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 13:45:10,953 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 13:45:10,953 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 13:45:10,953 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 13:45:10,953 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 13:45:11,234 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 13:45:11,234 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 13:45:11,249 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 13:45:11,249 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 13:45:11,249 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 13:45:11,249 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 13:45:11,281 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 13:45:11,281 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 13:45:11,281 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 13:45:11,281 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 13:45:11,281 [root] DEBUG: Started auxiliary module Human
2020-06-05 13:45:11,281 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 13:45:11,296 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 13:45:11,296 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 13:45:11,296 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 13:45:11,296 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 13:45:11,296 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 13:45:11,296 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 13:45:11,296 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 13:45:11,296 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 13:45:11,296 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 13:45:11,296 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 13:45:11,296 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 13:45:11,296 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 13:45:11,296 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 13:45:11,296 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 13:45:11,296 [root] DEBUG: Started auxiliary module Usage
2020-06-05 13:45:11,296 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 13:45:11,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 13:45:11,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 13:45:11,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 13:45:11,343 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\file.exe" with arguments "" with pid 3348
2020-06-05 13:45:11,343 [lib.api.process] INFO: Monitor config for process 3348: C:\tmp2ylp3rhi\dll\3348.ini
2020-06-05 13:45:11,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\KyMfIK.dll, loader C:\tmp2ylp3rhi\bin\bTJlcEY.exe
2020-06-05 13:45:11,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jzLTLzh.
2020-06-05 13:45:11,453 [root] DEBUG: Loader: Injecting process 3348 (thread 4456) with C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:11,453 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:11,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:11,468 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:11,468 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:11,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3348
2020-06-05 13:45:13,593 [lib.api.process] INFO: Successfully resumed process with pid 3348
2020-06-05 13:45:14,968 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:14,968 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:14,984 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:14,984 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3348 at 0x68c00000, image base 0x400000, stack from 0x126000-0x130000
2020-06-05 13:45:14,984 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\file.exe".
2020-06-05 13:45:15,000 [root] INFO: loaded: b'3348'
2020-06-05 13:45:15,000 [root] INFO: Loaded monitor into process with pid 3348
2020-06-05 13:45:15,015 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:15,015 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:15,015 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:15,015 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:15,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc0 amd local view 0x02E90000 to global list.
2020-06-05 13:45:15,062 [root] DEBUG: DLL loaded at 0x751E0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-06-05 13:45:15,078 [root] DEBUG: DLL loaded at 0x751F0000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 13:45:15,328 [root] DEBUG: DLL loaded at 0x69800000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 13:45:15,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 amd local view 0x033C0000 to global list.
2020-06-05 13:45:15,406 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:15,421 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:15,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf0 amd local view 0x03160000 to global list.
2020-06-05 13:45:15,562 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 13:45:15,562 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:22,546 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:22,656 [root] DEBUG: set_caller_info: Adding region at 0x01380000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:22,671 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1380000
2020-06-05 13:45:22,671 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01380000 size 0x400000.
2020-06-05 13:45:22,671 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\3348_1480446122225175562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?0x01380000;?', ['3348'], 'CAPE')
2020-06-05 13:45:22,718 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vwWpFYhsh\CAPE\3348_1480446122225175562020 (size 0xf3f)
2020-06-05 13:45:22,718 [root] DEBUG: DumpRegion: Dumped stack region from 0x01380000, size 0x1000.
2020-06-05 13:45:22,734 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\3348_8027659462225175562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?0x003F0000;?', ['3348'], 'CAPE')
2020-06-05 13:45:22,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vwWpFYhsh\CAPE\3348_8027659462225175562020 (size 0x32fb)
2020-06-05 13:45:22,796 [root] DEBUG: DumpRegion: Dumped stack region from 0x003F0000, size 0x8000.
2020-06-05 13:45:25,578 [root] INFO: Announced 32-bit process name: file.exe pid: 1516
2020-06-05 13:45:25,578 [lib.api.process] INFO: Monitor config for process 1516: C:\tmp2ylp3rhi\dll\1516.ini
2020-06-05 13:45:25,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\KyMfIK.dll, loader C:\tmp2ylp3rhi\bin\bTJlcEY.exe
2020-06-05 13:45:25,609 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jzLTLzh.
2020-06-05 13:45:25,609 [root] DEBUG: Loader: Injecting process 1516 (thread 3156) with C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,609 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:25,609 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,609 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:25,625 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1516
2020-06-05 13:45:25,656 [root] INFO: Announced 32-bit process name: file.exe pid: 1516
2020-06-05 13:45:25,656 [lib.api.process] INFO: Monitor config for process 1516: C:\tmp2ylp3rhi\dll\1516.ini
2020-06-05 13:45:25,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\KyMfIK.dll, loader C:\tmp2ylp3rhi\bin\bTJlcEY.exe
2020-06-05 13:45:25,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jzLTLzh.
2020-06-05 13:45:25,687 [root] DEBUG: Loader: Injecting process 1516 (thread 3156) with C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,687 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:25,687 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,687 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:25,687 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,687 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1516
2020-06-05 13:45:25,703 [root] INFO: Announced 32-bit process name: file.exe pid: 1516
2020-06-05 13:45:25,703 [lib.api.process] INFO: Monitor config for process 1516: C:\tmp2ylp3rhi\dll\1516.ini
2020-06-05 13:45:25,703 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\KyMfIK.dll, loader C:\tmp2ylp3rhi\bin\bTJlcEY.exe
2020-06-05 13:45:25,718 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jzLTLzh.
2020-06-05 13:45:25,718 [root] DEBUG: Loader: Injecting process 1516 (thread 0) with C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,718 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDF000 Local TEB 0x7FFD4000: The operation completed successfully.
2020-06-05 13:45:25,718 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 13:45:25,718 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 13:45:25,734 [root] DEBUG: Failed to inject DLL C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,734 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1516, error: 4294967281
2020-06-05 13:45:25,734 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\3348_10967712441526175562020', b'4;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?1516;?', ['3348'], 'CAPE')
2020-06-05 13:45:25,765 [root] INFO: Announced 32-bit process name: file.exe pid: 1516
2020-06-05 13:45:25,765 [lib.api.process] INFO: Monitor config for process 1516: C:\tmp2ylp3rhi\dll\1516.ini
2020-06-05 13:45:25,765 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\KyMfIK.dll, loader C:\tmp2ylp3rhi\bin\bTJlcEY.exe
2020-06-05 13:45:25,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jzLTLzh.
2020-06-05 13:45:25,781 [root] DEBUG: Loader: Injecting process 1516 (thread 0) with C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,781 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDF000 Local PEB 0x7FFDF000 Local TEB 0x7FFD4000: The operation completed successfully.
2020-06-05 13:45:25,781 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 13:45:25,796 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 13:45:25,796 [root] DEBUG: Failed to inject DLL C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,796 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1516, error: 4294967281
2020-06-05 13:45:25,796 [root] INFO: Announced 32-bit process name: file.exe pid: 1516
2020-06-05 13:45:25,796 [lib.api.process] INFO: Monitor config for process 1516: C:\tmp2ylp3rhi\dll\1516.ini
2020-06-05 13:45:25,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\KyMfIK.dll, loader C:\tmp2ylp3rhi\bin\bTJlcEY.exe
2020-06-05 13:45:25,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jzLTLzh.
2020-06-05 13:45:25,828 [root] DEBUG: Loader: Injecting process 1516 (thread 3156) with C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,828 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:25,828 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x004014C0)
2020-06-05 13:45:25,828 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,828 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-05 13:45:25,828 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:25,828 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\KyMfIK.dll.
2020-06-05 13:45:25,828 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1516
2020-06-05 13:45:25,843 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\3348_13985867391526175562020', b'3;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?1516;?', ['3348'], 'CAPE')
2020-06-05 13:45:25,953 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\3348_21154816781526175562020', b'3;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?1516;?', ['3348'], 'CAPE')
2020-06-05 13:45:25,984 [root] WARNING: Unable to open termination event for pid 3348.
2020-06-05 13:45:26,000 [root] INFO: ('dump_file', 'C:\\Users\\Rebecca\\AppData\\Local\\Temp\\~DF0E200B413F029BD3.TMP', '', False, 'files')
2020-06-05 13:45:26,015 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:26,031 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:26,156 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:26,187 [root] INFO: b'C:\\vwWpFYhsh\\CAPE\\3348_19295404201626175562020|3348|0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?'
2020-06-05 13:45:26,187 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:26,187 [root] INFO: cape
2020-06-05 13:45:26,203 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1516 at 0x68c00000, image base 0x400000, stack from 0x126000-0x130000
2020-06-05 13:45:26,218 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\3348_19295404201626175562020', b'0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?', ['3348'], 'procdump')
2020-06-05 13:45:26,218 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\file.exe".
2020-06-05 13:45:26,234 [root] INFO: loaded: b'1516'
2020-06-05 13:45:26,234 [root] INFO: Loaded monitor into process with pid 1516
2020-06-05 13:45:26,234 [root] DEBUG: set_caller_info: Adding region at 0x00150000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:26,249 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\3348_19295404201626175562020', '', False, 'files')
2020-06-05 13:45:26,249 [root] DEBUG: set_caller_info: Adding region at 0x015B0000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:26,265 [root] DEBUG: DLL loaded at 0x751E0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-05 13:45:26,296 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x15b0000
2020-06-05 13:45:26,296 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x015B0000 size 0x400000.
2020-06-05 13:45:26,296 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\1516_13321157362625175562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?0x015B0000;?', ['1516'], 'CAPE')
2020-06-05 13:45:26,328 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vwWpFYhsh\CAPE\1516_13321157362625175562020 (size 0xf5f)
2020-06-05 13:45:26,359 [root] DEBUG: DumpRegion: Dumped stack region from 0x015B0000, size 0x1000.
2020-06-05 13:45:26,359 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\1516_14920010492625175562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?0x00150000;?', ['1516'], 'CAPE')
2020-06-05 13:45:26,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\vwWpFYhsh\CAPE\1516_14920010492625175562020 (size 0x32fb)
2020-06-05 13:45:26,375 [root] DEBUG: DumpRegion: Dumped stack region from 0x00150000, size 0x100000.
2020-06-05 13:45:27,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xac amd local view 0x75640000 to global list.
2020-06-05 13:45:27,531 [root] DEBUG: DLL loaded at 0x75640000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-05 13:45:27,609 [root] DEBUG: DLL loaded at 0x76940000: C:\Windows\system32\wininet (0x1c4000 bytes).
2020-06-05 13:45:27,609 [root] DEBUG: DLL loaded at 0x755E0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:27,609 [root] DEBUG: DLL loaded at 0x755D0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:27,609 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:27,656 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\system32\version (0x9000 bytes).
2020-06-05 13:45:27,671 [root] DEBUG: DLL loaded at 0x755C0000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-05 13:45:27,671 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-06-05 13:45:27,671 [root] DEBUG: DLL loaded at 0x76B10000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-06-05 13:45:27,671 [root] DEBUG: DLL loaded at 0x75550000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-05 13:45:27,703 [root] DEBUG: DLL loaded at 0x75010000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 13:45:27,718 [root] DEBUG: DLL loaded at 0x75290000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-05 13:45:27,718 [root] DEBUG: DLL loaded at 0x71010000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:27,734 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-05 13:45:27,750 [root] DEBUG: DLL loaded at 0x77410000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-05 13:45:27,750 [root] DEBUG: DLL loaded at 0x77400000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-05 13:45:27,765 [root] DEBUG: DLL loaded at 0x6EF10000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-05 13:45:27,765 [root] DEBUG: DLL loaded at 0x6EEC0000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 13:45:27,781 [root] DEBUG: DLL unloaded from 0x6EF10000.
2020-06-05 13:45:27,812 [root] DEBUG: DLL loaded at 0x73760000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-05 13:45:27,828 [root] DEBUG: DLL loaded at 0x73750000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-05 13:45:27,828 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-05 13:45:27,843 [root] DEBUG: DLL loaded at 0x6BB60000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:27,843 [root] DEBUG: DLL loaded at 0x74C60000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-05 13:45:27,859 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-05 13:45:27,890 [root] DEBUG: DLL loaded at 0x77450000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-05 13:45:27,890 [root] DEBUG: DLL loaded at 0x719E0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-05 13:45:27,890 [root] DEBUG: DLL loaded at 0x73A20000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-05 13:45:27,906 [root] DEBUG: DLL loaded at 0x73670000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-05 13:45:27,906 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-05 13:45:27,921 [root] DEBUG: DLL loaded at 0x75400000: C:\Windows\system32\CRYPT32 (0x122000 bytes).
2020-06-05 13:45:27,921 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-06-05 13:45:27,937 [root] DEBUG: DLL loaded at 0x748C0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-05 13:45:27,953 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\system32\urlmon (0x124000 bytes).
2020-06-05 13:45:27,953 [root] DEBUG: DLL loaded at 0x718F0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-05 13:45:27,968 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:27,984 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:27,984 [root] DEBUG: DLL loaded at 0x75280000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 13:45:28,000 [root] DEBUG: DLL loaded at 0x73460000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-05 13:45:28,031 [root] DEBUG: DLL loaded at 0x6DDD0000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-05 13:45:28,453 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-05 13:45:28,468 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-06-05 13:45:28,484 [root] DEBUG: DLL unloaded from 0x747F0000.
2020-06-05 13:45:28,484 [root] DEBUG: DLL unloaded from 0x74C60000.
2020-06-05 13:45:28,500 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-06-05 13:45:28,500 [root] DEBUG: DLL unloaded from 0x74CB0000.
2020-06-05 13:45:28,515 [root] DEBUG: DLL loaded at 0x74AB0000: C:\Windows\system32\schannel (0x41000 bytes).
2020-06-05 13:45:29,562 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-06-05 13:45:29,578 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-05 13:45:29,593 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\system32\bcryptprimitives (0x3d000 bytes).
2020-06-05 13:45:29,593 [root] DEBUG: DLL loaded at 0x75340000: C:\Windows\system32\WINTRUST (0x2f000 bytes).
2020-06-05 13:45:29,625 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-06-05 13:45:29,656 [root] DEBUG: DLL loaded at 0x70810000: C:\Windows\system32\cryptnet (0x1d000 bytes).
2020-06-05 13:45:29,656 [root] DEBUG: DLL loaded at 0x76D30000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-06-05 13:45:29,656 [root] DEBUG: DLL loaded at 0x72910000: C:\Windows\system32\SensApi (0x6000 bytes).
2020-06-05 13:45:37,875 [root] DEBUG: DLL unloaded from 0x76940000.
2020-06-05 13:45:37,906 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 13:45:37,906 [root] DEBUG: DLL unloaded from 0x6DDD0000.
2020-06-05 13:45:37,953 [root] DEBUG: DLL unloaded from 0x719E0000.
2020-06-05 13:45:48,140 [root] DEBUG: DLL unloaded from 0x76E50000.
2020-06-05 13:48:34,109 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 13:48:34,109 [lib.api.process] ERROR: Failed to open terminate event for pid 3348
2020-06-05 13:48:34,109 [root] INFO: Terminate event set for process 3348.
2020-06-05 13:48:34,109 [lib.api.process] INFO: Terminate event set for process 1516
2020-06-05 13:48:34,125 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1516).
2020-06-05 13:48:34,125 [root] DEBUG: ClearAllBreakpoints: Error: no thread id for thread breakpoints 0x19aece8.
2020-06-05 13:48:34,156 [root] DEBUG: Terminate Event: Attempting to dump process 1516
2020-06-05 13:48:34,156 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-05 13:48:34,156 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-05 13:48:34,187 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-05 13:48:34,187 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001AF8.
2020-06-05 13:48:34,218 [root] DEBUG: reBasePEImage: Exception rebasing image from 0x00400000 to 0x72940000.
2020-06-05 13:48:34,234 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x72940000.
2020-06-05 13:48:34,234 [root] INFO: b'C:\\vwWpFYhsh\\CAPE\\1516_9242292783448115562020|1516|0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?'
2020-06-05 13:48:34,249 [root] INFO: cape
2020-06-05 13:48:34,249 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\1516_9242292783448115562020', b'0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\file.exe;?', ['1516'], 'procdump')
2020-06-05 13:48:34,312 [root] INFO: ('dump_file', 'C:\\vwWpFYhsh\\CAPE\\1516_9242292783448115562020', '', False, 'files')
2020-06-05 13:48:34,328 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x40a00.
2020-06-05 13:48:34,343 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1516
2020-06-05 13:48:34,343 [lib.api.process] INFO: Termination confirmed for process 1516
2020-06-05 13:48:34,390 [root] INFO: Terminate event set for process 1516.
2020-06-05 13:48:34,390 [root] INFO: Created shutdown mutex.
2020-06-05 13:48:35,390 [root] INFO: Shutting down package.
2020-06-05 13:48:35,390 [root] INFO: Stopping auxiliary modules.
2020-06-05 13:48:35,468 [lib.common.results] WARNING: File C:\vwWpFYhsh\bin\procmon.xml doesn't exist anymore
2020-06-05 13:48:35,468 [root] INFO: Finishing auxiliary modules.
2020-06-05 13:48:35,468 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 13:48:35,468 [root] INFO: Uploading files at path "C:\vwWpFYhsh\debugger" 
2020-06-05 13:48:35,484 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_2 win7_2 KVM 2020-06-05 14:03:02 2020-06-05 14:09:50

File Details

File Name file.exe
File Size 81920 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2016-03-14 23:09:12
MD5 62d72973ba17c15eb603ffff5e1315f4
SHA1 460891f164d1e83efbdec9114ab9e2412f134341
SHA256 1f6b6d481b672f8ed428a044ebffa9e16424317c0081aad3c00cb61a547b90b5
SHA512 83680a514da8ef9bff32006df1c7c1d7ba8cfe71a37d29274c7edd3d59191d349bfd2729e6bcce541a970699c54bcc92275aa8d9f76ac78cf2f6161122931d5c
CRC32 F33B68E3
Ssdeep 1536:OiDrdLtwk/u/f8wDwv3XZPm3qOtBl8z7nQ:OkrdhpW/ZEPpPm33B

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3348 triggered the Yara rule 'shellcode_patterns'
Hit: PID 3348 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 3348 triggered the Yara rule 'HeavensGate'
Hit: PID 3348 triggered the Yara rule 'GuLoader'
Creates RWX memory
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: file.exe, PID 3348
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
HTTPS urls from behavior.
URL: https://rainbowisp.info/dot/js/piro.bin
CAPE extracted potentially suspicious content
file.exe: Injected Shellcode/Data
file.exe: GuLoader
file.exe: Injected PE Image: 32-bit DLL
file.exe: Unpacked Shellcode
file.exe: Injected PE Image: 32-bit executable
file.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Unconventional language used in binary resources: Catalan
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\file.exe
Behavioural detection: Injection (Process Hollowing)
Injection: file.exe(3348) -> file.exe(1516)
Executed a process and injected code into it, probably while unpacking
Injection: file.exe(3348) -> file.exe(1516)
Behavioural detection: Injection (inter-process)
File has been identified by 25 Antiviruses on VirusTotal as malicious
McAfee: Fareit-FST!62D72973BA17
Cylance: Unsafe
Sangfor: Malware
CrowdStrike: win/malicious_confidence_80% (W)
F-Prot: W32/VBKrypt.AMM.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
Sophos: Mal/Generic-S
F-Secure: Trojan.TR/Injector.iybpz
Fortinet: W32/Agent.HKMB!tr
Trapmine: malicious.moderate.ml.score
SentinelOne: DFI - Suspicious PE
Cyren: W32/VBKrypt.AMM.gen!Eldorado
Avira: TR/Injector.iybpz
Microsoft: PWS:Win32/Fareit.AB!MTB
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Malwarebytes: Trojan.MalPack.VB
ESET-NOD32: a variant of Win32/Injector.EMGX
TrendMicro-HouseCall: TROJ_GEN.F0D1C00F520
Rising: Downloader.Guloader!1.C738 (CLOUD)
Ikarus: Win32.SuspectCrc
eGambit: Unsafe.AI_Score_67%
BitDefenderTheta: Gen:[email protected]
Attempts to modify proxy settings
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Boleto Malspam
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 51.137.137.111 [VT] United Kingdom
N 103.225.124.24 [VT] India
Y 1.1.1.1 [VT] Australia

DNS

Name Response Post-Analysis Lookup
rainbowisp.info [VT] A 103.225.124.24 [VT] 103.225.124.24 [VT]

PE Information

Image Base 0x00400000
Entry Point 0x004014c0
Reported Checksum 0x00020040
Actual Checksum 0x00020040
Minimum OS Version 4.0
Compile Time 2016-03-14 23:09:12
Import Hash 26b2841edd24369b7221fd4a9ef7081b
Icon Exact Hash 15e8a68555ff07f036d196f0fd9858ac
Icon Similarity Hash e0b516e7ebdc31a7b4b8d5cfdf4e6230

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0000f03c 0x00010000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.77
.data 0x00011000 0x00011000 0x00000e8c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00012000 0x00012000 0x000015a4 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.09

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000123ec 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.99 None
RT_ICON 0x000123ec 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.99 None
RT_ICON 0x000123ec 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.99 None
RT_GROUP_ICON 0x000123bc 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x00012150 0x0000026c LANG_CATALAN SUBLANG_DEFAULT 3.19 None

Imports

0x401000 None
0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 __vbaFreeVar
0x401018 None
0x40101c __vbaStrVarMove
0x401020 __vbaFreeVarList
0x401024 _adj_fdiv_m64
0x401028 None
0x40102c __vbaFreeObjList
0x401030 None
0x401034 _adj_fprem1
0x401038 None
0x40103c __vbaStrCat
0x401040 None
0x401044 None
0x40104c None
0x401050 _adj_fdiv_m32
0x401054 None
0x401058 None
0x40105c None
0x401060 __vbaObjSet
0x401064 _adj_fdiv_m16i
0x401068 _adj_fdivr_m16i
0x40106c None
0x401070 __vbaFpR8
0x401074 _CIsin
0x401078 __vbaChkstk
0x40107c EVENT_SINK_AddRef
0x401080 None
0x401084 __vbaStrCmp
0x401088 __vbaVarTstEq
0x40108c None
0x401090 None
0x401094 None
0x401098 __vbaCastObjVar
0x40109c None
0x4010a0 _adj_fpatan
0x4010a4 None
0x4010a8 EVENT_SINK_Release
0x4010ac __vbaUI1I2
0x4010b0 _CIsqrt
0x4010b8 __vbaExceptHandler
0x4010bc None
0x4010c0 _adj_fprem
0x4010c4 _adj_fdivr_m64
0x4010c8 None
0x4010cc None
0x4010d0 __vbaFPException
0x4010d4 None
0x4010d8 _CIlog
0x4010dc __vbaNew2
0x4010e0 _adj_fdiv_m32i
0x4010e4 _adj_fdivr_m32i
0x4010e8 __vbaStrCopy
0x4010ec __vbaFreeStrList
0x4010f0 None
0x4010f4 _adj_fdivr_m32
0x4010f8 _adj_fdiv_r
0x4010fc None
0x401100 None
0x401104 None
0x401108 None
0x40110c __vbaVarDup
0x401110 None
0x401118 _CIatan
0x40111c __vbaStrMove
0x401120 __vbaUI1Str
0x401124 _allmul
0x401128 None
0x40112c _CItan
0x401130 None
0x401134 _CIexp
0x401138 __vbaFreeStr
0x40113c __vbaFreeObj

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Clean
FireEye Clean
CAT-QuickHeal Clean
McAfee Fareit-FST!62D72973BA17
Cylance Unsafe
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Malware
K7AntiVirus Clean
Alibaba Clean
K7GW Clean
CrowdStrike win/malicious_confidence_80% (W)
Arcabit Clean
Invincea Clean
Baidu Clean
F-Prot W32/VBKrypt.AMM.gen!Eldorado
Symantec ML.Attribute.HighConfidence
TotalDefense Clean
APEX Malicious
Avast Clean
ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Clean
NANO-Antivirus Clean
Paloalto generic.ml
AegisLab Clean
Tencent Clean
Ad-Aware Clean
Sophos Mal/Generic-S
Comodo Clean
F-Secure Trojan.TR/Injector.iybpz
DrWeb Clean
MaxSecure Clean
VIPRE Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Fortinet W32/Agent.HKMB!tr
Trapmine malicious.moderate.ml.score
CMC Clean
Emsisoft Clean
SentinelOne DFI - Suspicious PE
Cyren W32/VBKrypt.AMM.gen!Eldorado
Jiangmin Clean
Webroot Clean
Avira TR/Injector.iybpz
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Microsoft PWS:Win32/Fareit.AB!MTB
ViRobot Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic
Avast-Mobile Clean
AhnLab-V3 Clean
Acronis Clean
ALYac Clean
TACHYON Clean
VBA32 Clean
Malwarebytes Trojan.MalPack.VB
Zoner Clean
ESET-NOD32 a variant of Win32/Injector.EMGX
TrendMicro-HouseCall TROJ_GEN.F0D1C00F520
Rising Downloader.Guloader!1.C738 (CLOUD)
Yandex Clean
Ikarus Win32.SuspectCrc
eGambit Unsafe.AI_Score_67%
GData Clean
BitDefenderTheta Gen:[email protected]
AVG Clean
Cybereason Clean
Panda Clean
Qihoo-360 Clean

TCP

Source Source Port Destination Destination Port
192.168.1.3 49192 103.225.124.24 rainbowisp.info 443
192.168.1.3 49193 103.225.124.24 rainbowisp.info 443
192.168.1.3 49194 103.225.124.24 rainbowisp.info 443
192.168.1.3 49195 103.225.124.24 rainbowisp.info 443
192.168.1.3 49196 103.225.124.24 rainbowisp.info 443
192.168.1.3 49197 103.225.124.24 rainbowisp.info 443
192.168.1.3 49198 103.225.124.24 rainbowisp.info 443
192.168.1.3 49199 103.225.124.24 rainbowisp.info 443
192.168.1.3 49200 103.225.124.24 rainbowisp.info 443
192.168.1.3 49201 103.225.124.24 rainbowisp.info 443
192.168.1.3 49202 103.225.124.24 rainbowisp.info 443
192.168.1.3 49203 103.225.124.24 rainbowisp.info 443
192.168.1.3 49204 103.225.124.24 rainbowisp.info 443
192.168.1.3 49205 103.225.124.24 rainbowisp.info 443
192.168.1.3 49206 103.225.124.24 rainbowisp.info 443
192.168.1.3 49207 103.225.124.24 rainbowisp.info 443
192.168.1.3 49208 103.225.124.24 rainbowisp.info 443
192.168.1.3 49209 103.225.124.24 rainbowisp.info 443
192.168.1.3 49210 103.225.124.24 rainbowisp.info 443
192.168.1.3 49211 103.225.124.24 rainbowisp.info 443
192.168.1.3 49212 103.225.124.24 rainbowisp.info 443
192.168.1.3 49213 103.225.124.24 rainbowisp.info 443
192.168.1.3 49214 103.225.124.24 rainbowisp.info 443
192.168.1.3 49215 103.225.124.24 rainbowisp.info 443
192.168.1.3 49216 103.225.124.24 rainbowisp.info 443
192.168.1.3 49217 103.225.124.24 rainbowisp.info 443
192.168.1.3 49218 103.225.124.24 rainbowisp.info 443
192.168.1.3 49219 103.225.124.24 rainbowisp.info 443
192.168.1.3 49220 103.225.124.24 rainbowisp.info 443
192.168.1.3 49221 103.225.124.24 rainbowisp.info 443
192.168.1.3 49222 103.225.124.24 rainbowisp.info 443
192.168.1.3 49223 103.225.124.24 rainbowisp.info 443
192.168.1.3 49225 103.225.124.24 rainbowisp.info 443
192.168.1.3 49226 103.225.124.24 rainbowisp.info 443
192.168.1.3 49227 103.225.124.24 rainbowisp.info 443
192.168.1.3 49228 103.225.124.24 rainbowisp.info 443
192.168.1.3 49229 103.225.124.24 rainbowisp.info 443
192.168.1.3 49230 103.225.124.24 rainbowisp.info 443
192.168.1.3 49231 103.225.124.24 rainbowisp.info 443
192.168.1.3 49232 103.225.124.24 rainbowisp.info 443
192.168.1.3 49233 103.225.124.24 rainbowisp.info 443
192.168.1.3 49234 103.225.124.24 rainbowisp.info 443
192.168.1.3 49235 103.225.124.24 rainbowisp.info 443
192.168.1.3 49236 103.225.124.24 rainbowisp.info 443
192.168.1.3 49237 103.225.124.24 rainbowisp.info 443
192.168.1.3 49238 103.225.124.24 rainbowisp.info 443
192.168.1.3 49239 103.225.124.24 rainbowisp.info 443
192.168.1.3 49240 103.225.124.24 rainbowisp.info 443
192.168.1.3 49241 103.225.124.24 rainbowisp.info 443
192.168.1.3 49242 103.225.124.24 rainbowisp.info 443
192.168.1.3 49243 103.225.124.24 rainbowisp.info 443
192.168.1.3 49244 103.225.124.24 rainbowisp.info 443
192.168.1.3 49245 103.225.124.24 rainbowisp.info 443
192.168.1.3 49246 103.225.124.24 rainbowisp.info 443
192.168.1.3 49247 103.225.124.24 rainbowisp.info 443
192.168.1.3 49248 103.225.124.24 rainbowisp.info 443
192.168.1.3 49249 103.225.124.24 rainbowisp.info 443
192.168.1.3 49250 103.225.124.24 rainbowisp.info 443
192.168.1.3 49251 103.225.124.24 rainbowisp.info 443
192.168.1.3 49253 103.225.124.24 rainbowisp.info 443
192.168.1.3 49255 103.225.124.24 rainbowisp.info 443
192.168.1.3 49256 103.225.124.24 rainbowisp.info 443
192.168.1.3 49257 103.225.124.24 rainbowisp.info 443
192.168.1.3 49258 103.225.124.24 rainbowisp.info 443
192.168.1.3 49259 103.225.124.24 rainbowisp.info 443
192.168.1.3 49260 103.225.124.24 rainbowisp.info 443
192.168.1.3 49261 103.225.124.24 rainbowisp.info 443
192.168.1.3 49262 103.225.124.24 rainbowisp.info 443
192.168.1.3 49263 103.225.124.24 rainbowisp.info 443
192.168.1.3 49264 103.225.124.24 rainbowisp.info 443
192.168.1.3 49265 103.225.124.24 rainbowisp.info 443
192.168.1.3 49266 103.225.124.24 rainbowisp.info 443
192.168.1.3 49267 103.225.124.24 rainbowisp.info 443
192.168.1.3 49268 103.225.124.24 rainbowisp.info 443
192.168.1.3 49269 103.225.124.24 rainbowisp.info 443
192.168.1.3 49270 103.225.124.24 rainbowisp.info 443
192.168.1.3 49271 103.225.124.24 rainbowisp.info 443
192.168.1.3 49272 103.225.124.24 rainbowisp.info 443
192.168.1.3 49273 103.225.124.24 rainbowisp.info 443
192.168.1.3 49274 103.225.124.24 rainbowisp.info 443
192.168.1.3 49275 103.225.124.24 rainbowisp.info 443
192.168.1.3 49276 103.225.124.24 rainbowisp.info 443
192.168.1.3 49277 103.225.124.24 rainbowisp.info 443
192.168.1.3 49278 103.225.124.24 rainbowisp.info 443
192.168.1.3 49279 103.225.124.24 rainbowisp.info 443
192.168.1.3 49280 103.225.124.24 rainbowisp.info 443
192.168.1.3 49281 103.225.124.24 rainbowisp.info 443
192.168.1.3 49282 103.225.124.24 rainbowisp.info 443
192.168.1.3 49283 103.225.124.24 rainbowisp.info 443
192.168.1.3 49284 103.225.124.24 rainbowisp.info 443
192.168.1.3 49285 103.225.124.24 rainbowisp.info 443
192.168.1.3 49286 103.225.124.24 rainbowisp.info 443
192.168.1.3 49287 103.225.124.24 rainbowisp.info 443
192.168.1.3 49288 103.225.124.24 rainbowisp.info 443
192.168.1.3 49289 103.225.124.24 rainbowisp.info 443
192.168.1.3 49290 103.225.124.24 rainbowisp.info 443
192.168.1.3 49291 103.225.124.24 rainbowisp.info 443
192.168.1.3 49292 103.225.124.24 rainbowisp.info 443
192.168.1.3 49293 103.225.124.24 rainbowisp.info 443
192.168.1.3 49294 103.225.124.24 rainbowisp.info 443
192.168.1.3 49295 103.225.124.24 rainbowisp.info 443
192.168.1.3 49296 103.225.124.24 rainbowisp.info 443
192.168.1.3 49297 103.225.124.24 rainbowisp.info 443
192.168.1.3 49298 103.225.124.24 rainbowisp.info 443
192.168.1.3 49299 103.225.124.24 rainbowisp.info 443
192.168.1.3 49300 103.225.124.24 rainbowisp.info 443
192.168.1.3 49301 103.225.124.24 rainbowisp.info 443
192.168.1.3 49302 103.225.124.24 rainbowisp.info 443
192.168.1.3 49303 103.225.124.24 rainbowisp.info 443
192.168.1.3 49304 103.225.124.24 rainbowisp.info 443
192.168.1.3 49305 103.225.124.24 rainbowisp.info 443
192.168.1.3 49306 103.225.124.24 rainbowisp.info 443
192.168.1.3 49307 103.225.124.24 rainbowisp.info 443
192.168.1.3 49308 103.225.124.24 rainbowisp.info 443
192.168.1.3 49309 103.225.124.24 rainbowisp.info 443
192.168.1.3 49310 103.225.124.24 rainbowisp.info 443
192.168.1.3 49311 103.225.124.24 rainbowisp.info 443
192.168.1.3 49312 103.225.124.24 rainbowisp.info 443
192.168.1.3 49314 103.225.124.24 rainbowisp.info 443
192.168.1.3 49224 51.143.111.81 443

UDP

Source Source Port Destination Destination Port
192.168.1.3 60886 1.1.1.1 53
192.168.1.3 137 192.168.1.255 137
192.168.1.3 58700 8.8.8.8 53
192.168.1.3 60012 8.8.8.8 53
192.168.1.3 60886 8.8.8.8 53
192.168.1.3 62365 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
rainbowisp.info [VT] A 103.225.124.24 [VT] 103.225.124.24 [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:06:28.796 192.168.1.3 [VT] 49182 13.107.42.23 [VT] 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3
2020-06-05 14:07:32.805 192.168.1.3 [VT] 49224 51.143.111.81 [VT] 443 TCP 1 2028363 2 ET JA3 Hash - Possible Malware - Boleto Malspam Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:06:28.812 192.168.1.3 [VT] 49182 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:06:42.882 192.168.1.3 [VT] 49192 103.225.124.24 [VT] 443 CN=rainbowisp.info 7f:de:c4:12:6f:32:fa:db:cb:a0:4c:24:a4:3b:67:a5:95:69:33:58 TLS 1.2
2020-06-05 14:06:44.988 192.168.1.3 [VT] 49193 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:46.592 192.168.1.3 [VT] 49194 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:48.150 192.168.1.3 [VT] 49195 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:49.758 192.168.1.3 [VT] 49196 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:51.315 192.168.1.3 [VT] 49197 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:52.843 192.168.1.3 [VT] 49198 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:54.379 192.168.1.3 [VT] 49199 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:55.925 192.168.1.3 [VT] 49200 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:57.499 192.168.1.3 [VT] 49201 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:06:59.023 192.168.1.3 [VT] 49202 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:00.593 192.168.1.3 [VT] 49203 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:02.163 192.168.1.3 [VT] 49204 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:03.720 192.168.1.3 [VT] 49205 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:05.308 192.168.1.3 [VT] 49206 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:06.850 192.168.1.3 [VT] 49207 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:08.512 192.168.1.3 [VT] 49208 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:10.049 192.168.1.3 [VT] 49209 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:11.596 192.168.1.3 [VT] 49210 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:13.162 192.168.1.3 [VT] 49211 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:14.807 192.168.1.3 [VT] 49212 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:16.376 192.168.1.3 [VT] 49213 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:17.920 192.168.1.3 [VT] 49214 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:19.471 192.168.1.3 [VT] 49215 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:21.028 192.168.1.3 [VT] 49216 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:22.601 192.168.1.3 [VT] 49217 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:24.135 192.168.1.3 [VT] 49218 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:25.758 192.168.1.3 [VT] 49219 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:27.424 192.168.1.3 [VT] 49220 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:29.115 192.168.1.3 [VT] 49221 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:30.755 192.168.1.3 [VT] 49222 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:32.421 192.168.1.3 [VT] 49223 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:32.891 192.168.1.3 [VT] 49224 51.143.111.81 [VT] 443 CN=watson.microsoft.com e1:6a:52:eb:a9:ec:f3:58:ca:9a:f9:fb:05:f8:bf:38:d8:76:1d:50 TLSv1
2020-06-05 14:07:34.013 192.168.1.3 [VT] 49225 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:35.589 192.168.1.3 [VT] 49226 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:37.136 192.168.1.3 [VT] 49227 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:38.738 192.168.1.3 [VT] 49228 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:40.316 192.168.1.3 [VT] 49229 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:41.834 192.168.1.3 [VT] 49230 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:43.385 192.168.1.3 [VT] 49231 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:45.010 192.168.1.3 [VT] 49232 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:46.591 192.168.1.3 [VT] 49233 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:48.100 192.168.1.3 [VT] 49234 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:49.677 192.168.1.3 [VT] 49235 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:51.215 192.168.1.3 [VT] 49236 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:52.776 192.168.1.3 [VT] 49237 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:54.321 192.168.1.3 [VT] 49238 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:55.875 192.168.1.3 [VT] 49239 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:57.396 192.168.1.3 [VT] 49240 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:07:59.035 192.168.1.3 [VT] 49241 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:00.594 192.168.1.3 [VT] 49242 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:02.124 192.168.1.3 [VT] 49243 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:03.684 192.168.1.3 [VT] 49244 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:05.202 192.168.1.3 [VT] 49245 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:06.768 192.168.1.3 [VT] 49246 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:08.308 192.168.1.3 [VT] 49247 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:09.840 192.168.1.3 [VT] 49248 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:11.391 192.168.1.3 [VT] 49249 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:12.934 192.168.1.3 [VT] 49250 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:14.478 192.168.1.3 [VT] 49251 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:16.026 192.168.1.3 [VT] 49253 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:17.652 192.168.1.3 [VT] 49255 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:19.186 192.168.1.3 [VT] 49256 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:20.722 192.168.1.3 [VT] 49257 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:22.314 192.168.1.3 [VT] 49258 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:23.823 192.168.1.3 [VT] 49259 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:25.384 192.168.1.3 [VT] 49260 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:26.902 192.168.1.3 [VT] 49261 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:28.474 192.168.1.3 [VT] 49262 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:30.015 192.168.1.3 [VT] 49263 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:31.694 192.168.1.3 [VT] 49264 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:33.247 192.168.1.3 [VT] 49265 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:34.845 192.168.1.3 [VT] 49266 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:36.461 192.168.1.3 [VT] 49267 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:38.063 192.168.1.3 [VT] 49268 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:39.622 192.168.1.3 [VT] 49269 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:41.151 192.168.1.3 [VT] 49270 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:42.754 192.168.1.3 [VT] 49271 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:44.307 192.168.1.3 [VT] 49272 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:45.838 192.168.1.3 [VT] 49273 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:47.384 192.168.1.3 [VT] 49274 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:49.020 192.168.1.3 [VT] 49275 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:50.607 192.168.1.3 [VT] 49276 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:52.124 192.168.1.3 [VT] 49277 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:53.686 192.168.1.3 [VT] 49278 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:55.245 192.168.1.3 [VT] 49279 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:56.964 192.168.1.3 [VT] 49280 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:08:58.653 192.168.1.3 [VT] 49281 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:00.227 192.168.1.3 [VT] 49282 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:01.882 192.168.1.3 [VT] 49283 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:03.446 192.168.1.3 [VT] 49284 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:04.985 192.168.1.3 [VT] 49285 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:06.607 192.168.1.3 [VT] 49286 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:08.334 192.168.1.3 [VT] 49287 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:09.938 192.168.1.3 [VT] 49288 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:11.580 192.168.1.3 [VT] 49289 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:13.191 192.168.1.3 [VT] 49290 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:14.750 192.168.1.3 [VT] 49291 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:16.320 192.168.1.3 [VT] 49292 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:17.923 192.168.1.3 [VT] 49293 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:19.460 192.168.1.3 [VT] 49294 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:21.027 192.168.1.3 [VT] 49295 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:22.607 192.168.1.3 [VT] 49296 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:24.141 192.168.1.3 [VT] 49297 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:25.776 192.168.1.3 [VT] 49298 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:27.416 192.168.1.3 [VT] 49299 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:29.046 192.168.1.3 [VT] 49300 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:30.708 192.168.1.3 [VT] 49301 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:32.315 192.168.1.3 [VT] 49302 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:33.916 192.168.1.3 [VT] 49303 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:35.499 192.168.1.3 [VT] 49304 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:37.055 192.168.1.3 [VT] 49305 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:38.667 192.168.1.3 [VT] 49306 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:40.222 192.168.1.3 [VT] 49307 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:41.765 192.168.1.3 [VT] 49308 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:43.445 192.168.1.3 [VT] 49309 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:45.067 192.168.1.3 [VT] 49310 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:46.597 192.168.1.3 [VT] 49311 103.225.124.24 [VT] 443 TLS 1.2
2020-06-05 14:09:48.145 192.168.1.3 [VT] 49312 103.225.124.24 [VT] 443 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.3 49192 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49193 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49194 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49195 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49196 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49197 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49198 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49199 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49200 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49201 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49202 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49203 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49204 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49205 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49206 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49207 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49208 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49209 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49210 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49211 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49212 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49213 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49214 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49215 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49216 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49217 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49218 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49219 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49220 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49221 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49222 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49223 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49225 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49226 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49227 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49228 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49229 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49230 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49231 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49232 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49233 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49234 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49235 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49236 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49237 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49238 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49239 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49240 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49241 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49242 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49243 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49244 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49245 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49246 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49247 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49248 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49249 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49250 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49251 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49253 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49255 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49256 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49257 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49258 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49259 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49260 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49261 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49262 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49263 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49264 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49265 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49266 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49267 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49268 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49269 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49270 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49271 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49272 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49273 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49274 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49275 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49276 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49277 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49278 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49279 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49280 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49281 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49282 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49283 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49284 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49285 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49286 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49287 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49288 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49289 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49290 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49291 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49292 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49293 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49294 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49295 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49296 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49297 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49298 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49299 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49300 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49301 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49302 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49303 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49304 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49305 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49306 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49307 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49308 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49309 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49310 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49311 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49312 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49314 103.225.124.24 rainbowisp.info 443 fb795b29362f81d10fa6c45b24c3c262 unknown
192.168.1.3 49182 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
192.168.1.3 49224 51.143.111.81 443 4f635262ad3fb6e634daee798082c788 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name file.exe
PID 1516
Dump Size 264704 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\file.exe
Type PE image: 32-bit DLL
PE timestamp 2009-07-14 01:07:56
MD5 34678d4fa564b50805b43b00552a41a7
SHA1 14e83f2682aa16567464811838d8e9fe1e25707c
SHA256 87b7d6e0d991e4262f53edbcde3764bf019f07110c1f4cf50f711f182e07694d
CRC32 407BFF3F
Ssdeep 1536:bwM0lWR4JmCgAn32WiEuwf4rM93hdgX4fuFAr5iEisT:bwDWR4JeQ3HowQrkotEf
Dump Filename 87b7d6e0d991e4262f53edbcde3764bf019f07110c1f4cf50f711f182e07694d

BinGraph

Defense Evasion Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 8.334999999999999 seconds )

    • 5.308 Suricata
    • 1.003 VirusTotal
    • 0.778 NetworkAnalysis
    • 0.672 CAPE
    • 0.307 BehaviorAnalysis
    • 0.105 Deduplicate
    • 0.079 Static
    • 0.023 ProcDump
    • 0.021 AnalysisInfo
    • 0.019 TargetInfo
    • 0.007 Dropped
    • 0.006 Debug
    • 0.005 peid
    • 0.002 Strings

    Signatures ( 0.2660000000000001 seconds )

    • 0.047 antiav_detectreg
    • 0.017 infostealer_ftp
    • 0.016 territorial_disputes_sigs
    • 0.014 ransomware_files
    • 0.01 antidbg_windows
    • 0.01 api_spamming
    • 0.01 antianalysis_detectreg
    • 0.01 infostealer_im
    • 0.009 ransomware_extensions
    • 0.008 decoy_document
    • 0.007 NewtWire Behavior
    • 0.007 modify_proxy
    • 0.006 antiav_detectfile
    • 0.005 persistence_autorun
    • 0.005 antivm_vbox_keys
    • 0.005 browser_security
    • 0.004 antianalysis_detectfile
    • 0.004 geodo_banking_trojan
    • 0.004 infostealer_bitcoin
    • 0.004 infostealer_mail
    • 0.003 antivm_generic_disk
    • 0.003 antivm_vmware_keys
    • 0.003 masquerade_process_name
    • 0.002 InjectionCreateRemoteThread
    • 0.002 bootkit
    • 0.002 dynamic_function_loading
    • 0.002 exec_crash
    • 0.002 kibex_behavior
    • 0.002 stealth_timeout
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_vbox_files
    • 0.002 antivm_xen_keys
    • 0.002 disables_browser_warn
    • 0.002 network_torgateway
    • 0.001 Doppelganging
    • 0.001 antidebug_guardpages
    • 0.001 antiemu_wine_func
    • 0.001 antisandbox_sleep
    • 0.001 antivm_vbox_libs
    • 0.001 betabot_behavior
    • 0.001 clickfraud_cookies
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_heapspray
    • 0.001 hawkeye_behavior
    • 0.001 https_urls
    • 0.001 infostealer_browser_password
    • 0.001 injection_createremotethread
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 mimics_agent
    • 0.001 mimics_filetime
    • 0.001 multiple_useragents
    • 0.001 nemty_network_activity
    • 0.001 reads_self
    • 0.001 shifu_behavior
    • 0.001 stealth_network
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 bypass_firewall
    • 0.001 network_dns_opennic
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 recon_fingerprint

    Reporting ( 13.895 seconds )

    • 13.761 BinGraph
    • 0.085 PCAP2CERT
    • 0.049 MITRE_TTPS