Windows Analysis Report
1x6jzcZeRu.exe

Overview

General Information

Sample name: 1x6jzcZeRu.exe
renamed because original name is a hash value
Original sample name: 7266644b3b822760ed8fe66104251bec8ba51f8f01581d40e1e807ca82dd09d8.exe
Analysis ID: 1483408
MD5: 92ffd5a24bf3942ffa7ac182e4e0c171
SHA1: 7c69105624bb5c58643288bb8d419abfd3cd6e1e
SHA256: 7266644b3b822760ed8fe66104251bec8ba51f8f01581d40e1e807ca82dd09d8
Tags: 156-255-2-100exe
Infos:

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: 00000000.00000002.2888204760.000000C000180000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 18896, "SleepTime": 45000, "MaxGetSize": 1403644, "Jitter": 37, "C2Server": "156.255.2.100,/jquery-3.3.1.min.js", "HttpPostUri": "/jquery-3.3.2.min.js", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 3931 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}
Source: https://156.255.2.100:18896/ Virustotal: Detection: 5%
Source: 1x6jzcZeRu.exe ReversingLabs: Detection: 47%
Source: 1x6jzcZeRu.exe Virustotal: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000920A0 LoadLibraryExW, 0_2_000920A0
Source: 1x6jzcZeRu.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 4x nop then cmp rdx, rbx 0_2_0006B320
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 4x nop then cmp rdx, 40h 0_2_0007F360
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 4x nop then shr r10, 0Dh 0_2_0008A580
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 4x nop then shr r10, 0Dh 0_2_0008BA00
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 4x nop then lock or byte ptr [rdx], dil 0_2_0007FAA0

Networking

Source: Malware configuration extractor URLs: 156.255.2.100
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 156.255.2.100:18896
Source: Joe Sandbox View ASN Name: ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.jquery.com/
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.jquery.com/9
Source: 1x6jzcZeRu.exe, 00000000.00000003.1665460692.0000014674A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab)
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ecca012f8
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100/
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/SMF
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/dlliCe
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1865259540.0000014674A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js
Source: 1x6jzcZeRu.exe, 00000000.00000002.2889081795.0000014674A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js$Y
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1865495196.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js%
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js.
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1865495196.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js2
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js53011b87bd06M
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js9
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D532000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsV
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsY
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsl
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsography
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsoint:V
Source: 1x6jzcZeRu.exe, 00000000.00000002.2889081795.0000014674A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jspXS
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsr
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102918478.000001464D532000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsrovider
Source: 1x6jzcZeRu.exe, 00000000.00000003.1865495196.000001464D532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsrovider9
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsvider
Source: 1x6jzcZeRu.exe, 00000000.00000002.2889081795.0000014674A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsvider8Xk
Source: 1x6jzcZeRu.exe, 00000000.00000003.1865259540.0000014674A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsxX
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsyptnetUrlCache
Source: 1x6jzcZeRu.exe, 00000000.00000003.1865259540.0000014674A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsy~Z
Source: 1x6jzcZeRu.exe, 00000000.00000003.1848453343.000001464D52F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/l
Source: 1x6jzcZeRu.exe Binary or memory string: runtime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: type non-Go function at pc=RtlLookupFunctionEntryRegisterRawInputDevicesCreateAccelerator

System Summary

Source: 00000000.00000002.2888204760.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.1642564620.0000014673FE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2889323471.0000014674DC0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.2888836654.0000014674030000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0006C240 0_2_0006C240
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000942C0 0_2_000942C0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0009D920 0_2_0009D920
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00087A60 0_2_00087A60
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00061AA0 0_2_00061AA0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00086C60 0_2_00086C60
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000A4CA0 0_2_000A4CA0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0006CDE0 0_2_0006CDE0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00074E20 0_2_00074E20
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00063040 0_2_00063040
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000AE040 0_2_000AE040
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000970C0 0_2_000970C0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0007D0E0 0_2_0007D0E0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000C2109 0_2_000C2109
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000AF260 0_2_000AF260
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0009E3A0 0_2_0009E3A0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000793C0 0_2_000793C0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00084560 0_2_00084560
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0009F560 0_2_0009F560
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0008A580 0_2_0008A580
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00081600 0_2_00081600
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0009B600 0_2_0009B600
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00069620 0_2_00069620
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000798E0 0_2_000798E0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00097900 0_2_00097900
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0008E980 0_2_0008E980
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0006D9A0 0_2_0006D9A0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000859A0 0_2_000859A0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0008BA00 0_2_0008BA00
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00073A20 0_2_00073A20
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0008AA40 0_2_0008AA40
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0008DC00 0_2_0008DC00
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000B9C00 0_2_000B9C00
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0009ACA0 0_2_0009ACA0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00078D00 0_2_00078D00
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0007FD20 0_2_0007FD20
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000AAD20 0_2_000AAD20
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0008CDE0 0_2_0008CDE0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_00077F60 0_2_00077F60
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0000014674051528 0_2_0000014674051528
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0000014674050E64 0_2_0000014674050E64
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0000014674051F9C 0_2_0000014674051F9C
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467404F1A8 0_2_000001467404F1A8
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0000014674046B38 0_2_0000014674046B38
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0000014674DC0000 0_2_0000014674DC0000
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: String function: 00098640 appears 693 times
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: String function: 00097E20 appears 89 times
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: String function: 00096320 appears 512 times
Source: 00000000.00000002.2888204760.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.1642564620.0000014673FE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2889323471.0000014674DC0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.2888836654.0000014674030000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@2/2@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe File opened: C:\Windows\system32\…
Source: 1x6jzcZeRu.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1x6jzcZeRu.exe ReversingLabs: Detection: 47%
Source: 1x6jzcZeRu.exe Virustotal: Detection: 60%
Source: 1x6jzcZeRu.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: 1x6jzcZeRu.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: 1x6jzcZeRu.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: 1x6jzcZeRu.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: 1x6jzcZeRu.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: 1x6jzcZeRu.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: 1x6jzcZeRu.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: 1x6jzcZeRu.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: 1x6jzcZeRu.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: 1x6jzcZeRu.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: 1x6jzcZeRu.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: 1x6jzcZeRu.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: 1x6jzcZeRu.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: 1x6jzcZeRu.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: 1x6jzcZeRu.exe String found in binary or memory: unsafe.String: len out of rangefaa2375edd5eade9607c79ab4660cbb1CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWcrypto/aes: input not full blockresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "use of closed network connectionCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWcrypto/aes: output not full blocktoo many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "waiting for unsupported file typeCM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModescrypto/aes: invalid buffer overlaptoo many references: cannot spliceslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerunexpected runtime.netpoll error: SubscribeServiceChangeNotificationsnetwork dropped connection on resettransport endpoint is not connectedpersistentalloc: align is too large/memory/c
Source: 1x6jzcZeRu.exe String found in binary or memory: net/addrselect.go
Source: 1x6jzcZeRu.exe String found in binary or memory: sync/atomic/type.go<autogenerated>internal/abi/type.gointernal/cpu/cpu.gointernal/cpu/cpu_x86.gointernal/cpu/cpu_x86.sruntime/internal/sys/intrinsics.gointernal/bytealg/index_amd64.gointernal/bytealg/compare_amd64.sinternal/bytealg/equal_amd64.sinternal/bytealg/indexbyte_amd64.sinternal/chacha8rand/chacha8.gointernal/chacha8rand/chacha8_amd64.sruntime/float.goruntime/iface.goruntime/netpoll.goruntime/select.goruntime/alg.goruntime/typekind.goruntime/stubs.goruntime/arena.goruntime/mheap.goruntime/internal/atomic/types.goruntime/mem.goruntime/mem_windows.goruntime/lockrank_off.goruntime/lock_sema.goruntime/runtime2.goruntime/mwbbuf.goruntime/atomic_pointer.goruntime/os_windows.goruntime/cgocall.goruntime/proc.goruntime/runtime1.goruntime/chan.goruntime/cpuflags_amd64.goruntime/debug.goruntime/debugcall.goruntime/symtab.goruntime/defs_windows_amd64.goruntime/env_posix.goruntime/error.goruntime/traceback.goruntime/exithook.goruntime/hash64.goruntime/histogram.goruntime/metrics.goruntime/type.gointernal/abi/switch.goruntime/rand.goruntime/lfstack.goruntime/tagptr_64bit.goruntime/time_nofake.goruntime/lockrank.goruntime/malloc.goruntime/mfixalloc.goruntime/mcache.goruntime/fastlog2.goruntime/map.goruntime/msize_allocheaders.goruntime/map_fast32.goruntime/map_fast64.goruntime/map_faststr.goruntime/mbarrier.gointernal/abi/abi.goruntime/mbitmap.goruntime/mbitmap_allocheaders.goruntime/mcentral.goruntime/trace2runtime.goruntime/mgcsweep.goruntime/mcheckmark.goruntime/mgc.goruntime/mfinal.goruntime/sema.goruntime/mgcwork.goruntime/mprof.goruntime/mstats.goruntime/print.goruntime/mgcpacer.goruntime/mgclimit.goruntime/mgcmark.goruntime/stack.goruntime/mgcstack.goruntime/string.goruntime/mgcscavenge.goruntime/time.goruntime/mranges.goruntime/mpagealloc.goruntime/mpallocbits.goruntime/mpagecache.goruntime/mpagealloc_64bit.goruntime/mspanset.goruntime/netpoll_windows.goruntime/preempt.goruntime/pagetrace_off.goruntime/panic.goruntime/signal_windows.goruntime/pinner.goruntime/symtabinl.goruntime/write_err.goruntime/runtime.goruntime/rwmutex.goruntime/trace2.goruntime/sigqueue.goruntime/slice.goruntime/sys_x86.goruntime/stkframe.goruntime/syscall_windows.goruntime/trace2buf.goruntime/trace2time.goruntime/trace2status.goruntime/trace2event.goruntime/trace2map.goruntime/trace2region.goruntime/trace2stack.goruntime/trace2string.goruntime/unsafe.goruntime/utf8.goruntime/asm.sruntime/asm_amd64.sruntime/duff_amd64.sruntime/memclr_amd64.sruntime/memmove_amd64.sruntime/preempt_amd64.sruntime/rt0_windows_amd64.sruntime/sys_windows_amd64.sruntime/time_windows_amd64.sruntime/zcallback_windows.sinternal/syscall/windows/sysdll/sysdll.gosync/map.gosync/mutex.gosync/once.gosync/pool.gosync/poolqueue.gosync/runtime.gounicode/utf16/utf16.gointernal/reflectlite/type.goerrors/wrap.goerrors/errors.gointernal/itoa/itoa.gounicode/utf8/utf8.gosyscall/syscall_windows.gosyscall/zsyscall_windows.gosyscall/dll_windows.gosyscall/syscall.gosyscall/wtf8_windows.gogithub.com/gonutz/ide@v0.0.0-
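The "String found in binary or memory" records above are slices of the sample's read-only string table. Go's linker stores string literals back to back, without terminators and ordered by length, which the records show directly: the 32-byte strings CertAddCertificateContextToStore, CertVerifyCertificateChainPolicy and crypto/aes: input not full block sit in one run, followed by the 33-byte CryptAcquireCertificatePrivateKey and InitializeProcThreadAttributeList. The same table carries the Go source paths and the github.com/gonutz/ide@v0.0.0- module path. The Python below is an added triage example, not part of this report and not code from the sample: it recovers equal-length runs around runtime strings an analyst recognises, and extracts source paths, module@version strings and runtime/metrics names. All input is constructed from strings that appear on this page; the known-string list, regexes and plausibility rules are the example's own heuristics, not Go or Windows specifications.

```python
"""Go string-table triage (added example; not from the report or the sample).

Go's linker writes string literals back to back, without terminators and in
length order, so each record above is a run of equal-length strings.  Given
one string you recognise, the rest of its run falls out at the same stride.
The same table names the Go source files and third-party modules linked in.
Every input here is constructed from strings on this page; the known-string
list, regexes and plausibility rules are this example's own heuristics.
"""
import re

# Constructed string table: 31-, 32- and 33-byte buckets, page strings only.
BUCKET_31 = ["unsafe.String: len out of range"]
BUCKET_32 = [
    "faa2375edd5eade9607c79ab4660cbb1", "CertAddCertificateContextToStore",
    "CertVerifyCertificateChainPolicy", "GetVolumePathNamesForVolumeNameW",
    "crypto/aes: input not full block", "resource temporarily unavailable",
    "slice bounds out of range [::%x]", "runtime: failed to release pages",
    "runtime: fixalloc size too large", "use of closed network connection",
]
BUCKET_33 = [
    "CryptAcquireCertificatePrivateKey", "InitializeProcThreadAttributeList",
    "min must be a non-zero power of 2", "runtime: castogscanstatus oldval=",
]
SAMPLE_RUN = "".join(BUCKET_31 + BUCKET_32 + BUCKET_33)

# Constructed path/metric fragment in the style of the later records.
SAMPLE_PATHS = ("/cpu/classes/gc/pause:cpu-seconds/sched/pauses/total/other:seconds"
                "min must be a non-zero power of 2runtime/proc.goruntime/chan.go"
                "internal/bytealg/equal_amd64.ssyscall/zsyscall_windows.go"
                "github.com/gonutz/ide@v0.0.0-")

# Runtime strings an analyst recognises on sight; these are on this page.
KNOWN_GO_STRINGS = [
    "unsafe.String: len out of range", "CertVerifyCertificateChainPolicy",
    "runtime: failed to release pages", "InitializeProcThreadAttributeList",
    "min must be a non-zero power of 2",
]

# Shapes a correctly cut string may have; anything else counts as misaligned.
PLAUSIBLE = (
    re.compile(r"^[A-Z][A-Za-z0-9]{3,}$"),              # Win32 export name
    re.compile(r"^[_a-z][A-Za-z0-9_.\-/]*(?: |: ).+$"),  # Go runtime/package message
    re.compile(r"^/[a-z][a-z0-9/\-]*:[a-z\-]+$"),        # runtime/metrics name
    re.compile(r"^[0-9a-f]{16,}$"),                      # hex hash
)


def plausible(s: str) -> bool:
    return any(p.match(s) for p in PLAUSIBLE)


def recover_buckets(blob: str, known=KNOWN_GO_STRINGS) -> dict:
    """Cut equal-length runs out of blob around the known strings.

    Returns {length: {"confirmed", "before", "after"}}.  "confirmed" spans the
    outermost anchors of that length and is exact under the length-ordering
    assumption.  "before"/"after" extend outward while slices still look
    plausible and must be checked by eye: the slice straddling the neighbouring
    bucket is off by one byte yet can pass the shape test.
    """
    hits = {}
    for s in known:
        for m in re.finditer(re.escape(s), blob):
            hits.setdefault(len(s), []).append(m.start())
    out = {}
    for n, positions in sorted(hits.items()):
        if len({p % n for p in positions}) != 1:
            continue  # equal-length anchors disagree on alignment: not one run
        lo, hi = min(positions), max(positions) + n
        confirmed = [blob[i:i + n] for i in range(lo, hi, n)]
        before, after = [], []
        i = lo - n
        while i >= 0 and plausible(blob[i:i + n]):
            before.insert(0, blob[i:i + n])
            i -= n
        i = hi
        while i + n <= len(blob) and plausible(blob[i:i + n]):
            after.append(blob[i:i + n])
            i += n
        out[n] = {"confirmed": confirmed, "before": before, "after": after}
    return out


SOURCE_RE = re.compile(r"(?:[a-z][a-z0-9_]*/)+[a-z][a-z0-9_]*\.(?:go|s)")
MODULE_RE = re.compile(r"(?:github\.com|golang\.org|gopkg\.in|gitlab\.com)"
                       r"/[A-Za-z0-9_.\-/]+@v[0-9][A-Za-z0-9.\-+]*")
# Unit names are the subset of runtime/metrics units seen in these records.
METRIC_RE = re.compile(r"/[a-z][a-z0-9/\-]*:(?:cpu-seconds|seconds|bytes|gc-cycle)")


def detect_go_artifacts(blob: str) -> dict:
    """Pull Go source paths, module@version strings and metric names out of a table."""
    sources, modules, metrics = (r.findall(blob) for r in (SOURCE_RE, MODULE_RE, METRIC_RE))
    return {"is_go": bool(sources or metrics), "sources": sources,
            "modules": modules, "metrics": metrics}


if __name__ == "__main__":
    for n, b in recover_buckets(SAMPLE_RUN).items():
        print(n, b)
    print(detect_go_artifacts(SAMPLE_PATHS))
```

Run as a script to print the recovered buckets. The "confirmed" lists are exact, while the "before"/"after" edges show the caveat: the 32-byte run gains a trailing "CryptAcquireCertificatePrivateKe" (the first 33-byte string cut one byte short) and the 33-byte run gains a leading "euse of closed network connection" (one stray byte from the 32-byte run), both of which pass the loose shape test. A second recognised string at the edge, or a glance by eye, settles them.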
Source: unknown Process created: C:\Users\user\Desktop\1x6jzcZeRu.exe "C:\Users\user\Desktop\1x6jzcZeRu.exe"
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 1x6jzcZeRu.exe Static file information: File size 1625600 > 1048576
Source: 1x6jzcZeRu.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 1x6jzcZeRu.exe Static PE information: section name: .xdata
Source: 1x6jzcZeRu.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_3_0000014673FE03E2 push cs; retf 0_3_0000014673FE03E3
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_3_0000014673FE29A1 push ds; ret 0_3_0000014673FE29F7
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_3_0000014673FE08EE push ss; iretd 0_3_0000014673FE08F5
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_3_0000014673FE508E push edi; iretd 0_3_0000014673FE508F
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467403AD58 push ebp; iretd 0_2_000001467403AD59
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467403971E push cs; retf 0_2_000001467403971F
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467404977E push EC9DD3C7h; retf 0_2_000001467404978C
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467405A84F push ebp; iretd 0_2_000001467405A850
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467405A86F push ebp; iretd 0_2_000001467405A870
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467405A898 push ebp; iretd 0_2_000001467405A899
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467403F901 push ebx; iretd 0_2_000001467403F902
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467403B91C pushad ; retf 0_2_000001467403B91D
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000001467403935D push edi; iretd 0_2_000001467403935E
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000C4E60 rdtscp 0_2_000C4E60
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe TID: 6892 Thread sleep time: -34376s >= -30000s
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000921E0 GetProcessAffinityMask,GetSystemInfo, 0_2_000921E0
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Thread delayed: delay time: 34376
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1x6jzcZeRu.exe, 00000000.00000003.2102786401.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp, 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D4DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)
Source: 1x6jzcZeRu.exe, 00000000.00000002.2888368200.000001464D464000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@

Anti Debugging

Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000C4E60 Start: 000C4E69 End: 000C4E7F 0_2_000C4E60
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_000C4E60 rdtscp 0_2_000C4E60
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Code function: 0_2_0000014674044E28 GetUserNameA,strrchr,_snprintf, 0_2_0000014674044E28
Source: C:\Users\user\Desktop\1x6jzcZeRu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2888204760.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1642564620.0000014673FE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2889323471.0000014674DC0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2888862525.0000014674061000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1x6jzcZeRu.exe PID: 6868, type: MEMORYSTR