Windows Analysis Report
to.exe

Overview

General Information

Sample name: to.exe
Analysis ID: 1446064
MD5: 6dc33ba531fce8c8ee24585f48d14297
SHA1: ebcf11b40ac7087e9390a63968928b2d09e1678d
SHA256: c450f93d63c121ab42dc4b8978eebe263e53530ef6107a461f68f7f2f2f51cdd
Tags: exe

Detection

CobaltStrike
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: to.exe Avira: detected
Source: 00000000.00000002.2913495283.0000000012513000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 4545, "SleepTime": 55000, "MaxGetSize": 2098751, "Jitter": 40, "C2Server": "138.68.79.95,/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6", "HttpPostUri": "/messages/IgTsSe2N7hV72H5tmL7bVrTR", "Malleable_C2_Instructions": ["Remove 1190 bytes from the end", "Remove 12 bytes from the end", "Remove 397 bytes from the beginning", "NetBIOS decode 'a'"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 96, "Spawnto_x86": "%windir%\\syswow64\\bootcfg.exe", "Spawnto_x64": "%windir%\\sysnative\\bootcfg.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 11629, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_Execute": ["CreateThread", "CreateRemoteThread", "NtQueueApcThread", "RtlCreateUserThread", "ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: to.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 72.1% probability
Source: to.exe Joe Sandbox ML: detected
Source: to.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: to.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor URLs: 138.68.79.95
Source: unknown DNS traffic detected: query: 171.39.242.20.in-addr.arpa replycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: to.exe, 00000000.00000002.2913963149.000000001B4B4000.00000004.00000020.00020000.00000000.sdmp, to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6.
Source: to.exe, 00000000.00000002.2913963149.000000001B4B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6Cryptographic
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6b
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6h
Source: to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6p

System Summary

Source: 00000000.00000002.2913255827.0000000002210000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2913371456.0000000002270000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.2913495283.0000000012513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: to.exe, Program.cs Long String: Length: 311752
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0223C280 0_2_0223C280
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_02226B38 0_2_02226B38
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0223CBF0 0_2_0223CBF0
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0222F1A8 0_2_0222F1A8
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_02230E64 0_2_02230E64
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_02231F9C 0_2_02231F9C
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_02231528 0_2_02231528
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_02270000 0_2_02270000
Source: to.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2913255827.0000000002210000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2913371456.0000000002270000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.2913495283.0000000012513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: to.exe, Program.cs Base64 encoded string: 'H4sIAAAAAAAA/6R8eTyU6/s/Y2Tfy3Sqgw4qoibOsVXGvjSGCM1RSBNCmMRkzz7GMiRL2YaypCxhLFnHNiZqUoiOlENJKaM0Zc3vfoY6n893/f1ev3/mVZfnfu77vu739b7e1/Pc9zP5rU9um7q6mBIt6+BYsoefu4NSt29ycX69zlysEqO69ukZ82Tqzuf3e3uEBTDgr4e5V/KLq83Bv1ygn0jw8/rQrq/oHiyme2xKLfGhLTu5okybZfygYo/ox639/heuzE6dnpAtKF5Z3dehelbtnGh72oQQ+rjf+4lHPAr3v+O7/p6P8pk3e7amiVJUn2Ht8V17YiLtuwNzJtC36kW2sYAw7X3Gy89Cu9z2C9xcPG66/KG74fI2j1irTOFShvu0RVjUZ+c1Dc9tCUtfPwvr2HxJPGF8C+9wuOxYzXjFX0uvdzx7KiBn7sfz4py5kpfeR2jMtNJK9B0XT4MLWE9zP9c/XcyPuHImk/DJzM/9GGdaf5tBE/wT/ODM/c5CP+C/Fn4b1zl8svBzd3Ix9191dkH78Z1yMT+74Y2NtuDn8sZ1Fzf+qxOK5dzqiQ3BnR/84ZKjq7n0pv84P7st/NTD//mvi/Zld3v3f/773/7cvOiu/K82m3MOElb/fYsZ2uivpSQHl/5L5zbndowzj3+9LtjFXHKG/hxeOhPngiYDm8dFdwcK+MPps/923Q4Xc7WZgRcSNeB+3J5u4DqCuwMC/MHJ9T9eVzPTvXG/X+2BTeCyu4Mp+IPcf7pObYY+KtDyPs7lRtiGDzj+W/5P1yGnf5+03dkO/5gPr9fT5j6SGNi5s5DdorJoN3O5YGj30Vtaal9MPu4auEcZjoyYpEyfvybahxy8eG36Srt0y7Frib+u5c7GdCo8MW193NKMEUBVPHxztjJRrNQ29eT5fWMiXLpFvygEW7W2kIp+FUIs88Xj3v8lFjv94LrAHq02l11q6/0y6rc7/bvxxwKMWg9dpsBon+7cmsgrkMd8+vWZQCf2jfjKs9HFDzFNOR+ffHi/u+1G43mKWFdg5x6fV5I8YWe8F47Qmy538f9Z7RVp9min0dbbZtw3r1Mpn9c83z0PxR2vlD48aI071xcm+Djw3kkR8Vfcgl4fjZ8W8aU37PGdbNpFvtfxRA0pWznpxrv3bVLDJ2ktw/riNvlh3uXoKLMTendfXRb6lD/6TKapZsxv4lc90308r9+UPI21bt/3d8WEg1n6dskvGsVTjzS6h845HJTvhXxaC7eWtvpQp+rwdyavy4dbuuavyKIM2wHvrUQDe8UOkaITlGYC7bdQoyuiGU70ZiG5wQ4hvfnjjYRjd0v6Yfi/USYYQ/GXzVY18m8amL0gtsTnpIt7OswVJD0jDJwcjapjygkMeOKEO1H7/pW0GqJO+ziylduyjf9SdJasNkE3/+m3RGHcyWAK4/Ue0yWmZ66xVfvOIaao9ftxI2psekAgHH9CWvtiXFahIE9NHvf39SfpPjz4wWp7MuqJfleHiPbDmIW1lmhyvCEJjM/5z7Icrr88JobUdrxun+5MuVsnQJxYRaa96t1RIHvSPjb9mCgjqCQ2EWU3p9QjQsU5qf32el3KcCUlY2wr7XX2rm6eglzKMmkbFnfrsG2WE8bI3iVNEG/BdfCMPy3XCcXvjortpmpkaCX3MnflnZjdWVyJF1px27mm9+DOgE2vicYv9jzw6T22DNsXhdzaz7ztCQvTuFHKgXiVz753e2XUJofYc6UVc7xe2BxNyvS8YAnzATdv4MWyHJgBr0t3rY752/pdtcJBPmTN8bDBDjA+k4WV+PZJ+vfbGEc6G35ukBQXrnNqJX+itLIZnv34eA9Vq7ikopNWkPdtpaeIYLbSu11y8jW5Yeujm9603OY4VM1148UU8fyaNPYcpeIZN+4UshhVEwNs0iW9tHZ7/g4R7ocP44tQNbeBTSaPj
Ppb/1oHL2m0K7Ap/sBn34XeXcqTRe9Vj7uWwHEXkOXxKidv3cV7Fhr6M85TYHr0w0PI+/tUjlPhvTKwyRhobm3Q3JR4vM4Sf+JqCeDq9S0d8xGyGGE8awfGB8YMklehHxxGxsWrXBYU9jai8tm3Z0sw2k/nXF1efyJ7G72SElpOp7bObX1YRymSIB9EFFUKCl8woqIbWRM71mZrdiNCI3cTjKjacN8d6AKWp2sCM4krf2m1O4vVtRIhj3kA+3pO0isqifv6ZzbXrYrsWmF7R2P7qL1/JlOFz7wwCSK8Pm6E6fakHKxBXrQRPOd3R7rdKPLgXN0X7WeFxrbQdfXgOiNd1PmxmTaqiWp2s5BTGsGIf9CKgX8ssXZMPLkkCXNJo0rSJ4pXyf9+g9It1bvdSQ67LO4lT6vV9/bMvDzk92l6j9ByX2Vy3X1d4guzc1Z3rvEGf7a4+5mekuFEPMJ2T7OiWw4Pa9V3T59Hr/S3XWf7L3542iEi8TB9YY0a3caDX6g2SUA90F84diyyYNtbGwZr795XlPGRmtRitR94ju82FcU7jQ7LoPCq2BCf8z25zcY7f/PRvdUr89vki6W5rIppbpzHV1kNRCV6pWs7rh5335UCF+iZyW3WRAe8pSEfegoupgMMVfbQy29WrbMOvLMKt5o1J2t/9s65ebG3PM2QxHOwigduWcndycDYS0Hje7GwVh49zYNfqRYlawYZpz3rlWpwvtwUr+LJ4zeSJ231ogKseT5Y8xzN9OlFwfJe6ZqvqxpJabAUOM54eQ3JUqyW+nLfiX4ozNPeJQ4zM45EdSuzqIGX31vru7e6DjbZCuNOWxBjVHyYShHiFICDa5IJJMbx3GYCqbuKj3AHFd9JZQtLaYO2T5G/TfROMZVWEhHoP/5wHSQx6aghZDNJwdewdsuT4Gm2QYOOCLjuFwys4b28zkKL6ZhYX6ES1uIxfc9Aal2kyntDHuGTDt/q2DPZya0yHybsdW8VTdID+QCXrGrUZMPMeCNPCxFopR+oVVWtY1s6iPbc94bNMyO+rfHNKcY
Source: classification engine Classification label: mal96.troj.winEXE@2/0@1/0
Source: C:\Users\user\Desktop\to.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
Source: to.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: to.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\to.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: to.exe ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\to.exe "C:\Users\user\Desktop\to.exe"
Source: C:\Users\user\Desktop\to.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\to.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\to.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\to.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: to.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: to.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0221935D push edi; iretd 0_2_0221935E
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0223A86F push ebp; iretd 0_2_0223A870
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0223A84F push ebp; iretd 0_2_0223A850
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0223A898 push ebp; iretd 0_2_0223A899
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0221F901 push ebx; iretd 0_2_0221F902
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0221B91C pushad ; retf 0_2_0221B91D
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0221971E push cs; retf 0_2_0221971F
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_0221AD58 push ebp; iretd 0_2_0221AD59
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\to.exe Memory allocated: B60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\to.exe Memory allocated: 1A3C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -44076s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -97516s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -37895s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -40528s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -51729s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -39072s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -47028s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -39187s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -34918s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -42263s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -50718s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -36384s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -48486s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -36856s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -53331s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -48704s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -43197s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -36423s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -45842s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -45788s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -47676s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -52687s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -48750s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -46553s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -44785s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -49484s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -50280s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -35766s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -45780s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -53571s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -46648s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -49639s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -46734s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -36246s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -46581s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -36062s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -45121s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -37676s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -47603s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -34426s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -38749s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -50313s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -36712s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -52133s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -49229s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -34541s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -38765s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -49515s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -49014s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -36682s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -48169s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -48106s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -54025s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -49744s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -47207s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -33947s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -53334s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -53431s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -48623s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -33521s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -52493s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -50653s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\to.exe TID: 6608 Thread sleep time: -38973s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 44076
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48758
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 37895
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 40528
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 51729
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 39072
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 47028
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 39187
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 34918
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 42263
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 50718
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 36384
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48486
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 36856
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 53331
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48704
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 43197
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 36423
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 45842
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 45788
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 47676
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 52687
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48750
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 46553
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 44785
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 49484
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 50280
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 35766
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 45780
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 53571
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 46648
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 49639
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 46734
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 36246
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 46581
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 36062
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 45121
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 37676
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 47603
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 34426
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 38749
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 50313
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 36712
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 52133
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 49229
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 34541
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 38765
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 49515
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 49014
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 36682
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48169
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48106
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 54025
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 49744
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 47207
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 33947
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 53334
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 53431
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48623
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 33521
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 52493
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 50653
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 48000
Source: C:\Users\user\Desktop\to.exe Thread delayed: delay time: 38973
Source: to.exe, 00000000.00000002.2913963149.000000001B4B4000.00000004.00000020.00020000.00000000.sdmp, to.exe, 00000000.00000002.2912546253.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\to.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\to.exe Queries volume information: C:\Users\user\Desktop\to.exe VolumeInformation
Source: C:\Users\user\Desktop\to.exe Code function: 0_2_02224E28 GetUserNameA,strrchr,_snprintf, 0_2_02224E28
Source: C:\Users\user\Desktop\to.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2913285622.0000000002241000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2913371456.0000000002270000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2913495283.0000000012513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: to.exe PID: 6576, type: MEMORYSTR
No contacted IP infos