Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe
Analysis ID:	1499607
MD5:	45fb6e45804331506a8855a65ed14844
SHA1:	67e0d682a5e7ef5f52a3b2015498512298937711
SHA256:	651ae67653de89b3feb53f9805f69c4c50734879016b5227f5ef2cd015377de9
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe" MD5: 45FB6E45804331506A8855A65ED14844)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Virustotal: Detection: 12%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.5% probability

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: teknologiia.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36Accept: application/x-www-form-urlencodedAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.169.204.138User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36Accept: application/x-www-form-urlencodedAccept-Encoding: gzip

Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: teknologiia.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36Accept: application/x-www-form-urlencodedAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.169.204.138User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36Accept: application/x-www-form-urlencodedAccept-Encoding: gzip

Source: global traffic

DNS traffic detected: DNS query: teknologiia.com

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe, 00000000.00000002.2409085444.000000C000044000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://95.169.204.138
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	String found in binary or memory: http://95.169.204.138:4444/venom.binaccessing

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Static PE information: Number of sections : 15 > 10

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: Section: /19 ZLIB complexity 0.9993845100967008
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: Section: /32 ZLIB complexity 0.9935255524861878
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: Section: /65 ZLIB complexity 0.9980047445381637
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: Section: /78 ZLIB complexity 0.9891201036866359

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sRequest Entity Too Largehttp: nil Request.HeaderGetDeviceDriverBaseNameWGetDeviceDriverFileNameWAllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceGetWindowThreadProcessId\Device\NamedPipe\cygwinerror decrypting messagecertificate unobtainableidna: disallowed rune %Uaddress string too shortresource length too longunpacking Question.Classflate: maxBits too largex509: malformed validitystreamSafe was not resetinvalid pattern syntax: SafeArrayAllocDescriptorReadProcessMemory failedGetProcessImageFileNameAGODEBUG sys/cpu: value "", required CPU feature

Source: classification engine

Classification label: mal52.winEXE@2/1@1/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

File opened: C:\Windows\system32\df3e0a4d0b9642bd420d0b7db34dd22337926678d7a40c7488a3cf7e1f6fd81cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Virustotal: Detection: 12%

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: RegSetValueExWalligator2.flfcaligraphy.flfcyberlarge.flfcybersmall.flfisometric1.flfisometric2.flfisometric3.flfisometric4.flfrectangles.flfsmkeyboard.flfthreepoint.flfticksslant.flftinker-toy.flffonts/bell.flffonts/doom.flffonts/epic.flffonts/kban.flffonts/lean.flffonts/mike.flffonts/mini.flffonts/ogre.flffonts/pawp.flffonts/stop.flffonts/term.flffonts/thin.flffonts/trek.flffonts/wavy.flfContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not Acceptableunknown mode: Process32FirstControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenCreateEventExWCreateMutexExWIsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWmime/multipart.WithDeadline(<not Stringer>bad record MACAccept-CharsetDkim-Signatureneed more dataREQUEST_METHODRCodeNameErrorResourceHeaderSysAllocString\.+*?()\|[]{}^$GetSystemTimesdata truncatedGetProcessTimesDuplicateHandleadvertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWProcess32FirstWUnmapViewOfFileFailed to load Failed to find : cannot parse ,M3.2.0,M11.1.0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: RegSetValueExWalligator2.flfcaligraphy.flfcyberlarge.flfcybersmall.flfisometric1.flfisometric2.flfisometric3.flfisometric4.flfrectangles.flfsmkeyboard.flfthreepoint.flfticksslant.flftinker-toy.flffonts/bell.flffonts/doom.flffonts/epic.flffonts/kban.flffonts/lean.flffonts/mike.flffonts/mini.flffonts/ogre.flffonts/pawp.flffonts/stop.flffonts/term.flffonts/thin.flffonts/trek.flffonts/wavy.flfContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not Acceptableunknown mode: Process32FirstControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenCreateEventExWCreateMutexExWIsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWmime/multipart.WithDeadline(<not Stringer>bad record MACAccept-CharsetDkim-Signatureneed more dataREQUEST_METHODRCodeNameErrorResourceHeaderSysAllocString\.+*?()\|[]{}^$GetSystemTimesdata truncatedGetProcessTimesDuplicateHandleadvertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWProcess32FirstWUnmapViewOfFileFailed to load Failed to find : cannot parse ,M3.2.0,M11.1.0
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	String found in binary or memory: failed to construct HKDF label: %sVirtualAlloc failed and returned 0crypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizeinvalid nested repetition operatorinvalid or unsupported Perl syntaxnetwork dropped connection on resettransport endpoint is not connected2006-01-02T15:04:05.999999999Z07:001776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9reflect.MakeSlice of non-slice typepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinehttp: server closed idle connectionCONTINUATION frame with stream ID 0SubscribeServiceChangeNotificationserror while getting LinkedToken: %vunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKmime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largetoo many Questions to pack (>65535)HostProvider already registered: %vflate: corrupt input before offset bigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesscrypto/md5: invalid hash state size'_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferhttp://95.169.204.138:4444/venom.binaccessing a corrupted shared libraryTime.UnmarshalBinary: invalid length444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable o
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	String found in binary or memory: failed to construct HKDF label: %sVirtualAlloc failed and returned 0crypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizeinvalid nested repetition operatorinvalid or unsupported Perl syntaxnetwork dropped connection on resettransport endpoint is not connected2006-01-02T15:04:05.999999999Z07:001776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9reflect.MakeSlice of non-slice typepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinehttp: server closed idle connectionCONTINUATION frame with stream ID 0SubscribeServiceChangeNotificationserror while getting LinkedToken: %vunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKmime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largetoo many Questions to pack (>65535)HostProvider already registered: %vflate: corrupt input before offset bigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesscrypto/md5: invalid hash state size'_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferhttp://95.169.204.138:4444/venom.binaccessing a corrupted shared libraryTime.UnmarshalBinary: invalid length444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable o
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	String found in binary or memory: /usr/lib/go-1.22/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Section loaded: gpapi.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Static file information: File size 8498688 > 1048576

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274000
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x286600

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: /32
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: /46
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: /65
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: /78
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: /90
Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe, 00000000.00000002.2410878625.000002C2A3894000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll??

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Software Packing	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	11%	ReversingLabs
SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	12%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
teknologiia.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://95.169.204.138:4444/venom.binaccessing	0%	Avira URL Cloud	safe
https://teknologiia.com/	0%	Avira URL Cloud	safe
http://95.169.204.138/	0%	Avira URL Cloud	safe
http://95.169.204.138	0%	Avira URL Cloud	safe
http://95.169.204.138	1%	Virustotal		Browse
http://95.169.204.138/	1%	Virustotal		Browse
http://95.169.204.138:4444/venom.binaccessing	0%	Virustotal		Browse
https://teknologiia.com/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
teknologiia.com	198.244.179.42	true	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://95.169.204.138/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://teknologiia.com/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://95.169.204.138	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe, 00000000.00000002.2409085444.000000C000044000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://95.169.204.138:4444/venom.binaccessing	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.169.204.138	unknown	Bulgaria		44814	BTEL-BG-ASBG	false
198.244.179.42	teknologiia.com	United States		18630	RIDLEYSD-NETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1499607
Start date and time:	2024-08-27 09:27:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe
Detection:	MAL
Classification:	mal52.winEXE@2/1@1/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe, PID 3472 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RIDLEYSD-NETUS	Informations.bat	Get hash	malicious	PureLog Stealer, XWorm	Browse	198.244.206.37
	Beopajki.exe	Get hash	malicious	HVNC, PureLog Stealer, XWorm	Browse	198.244.206.37
	Your_New_Social_Security_Statement.wsf	Get hash	malicious	XWorm	Browse	198.244.251.236
	http://www.loroc.co.uk/	Get hash	malicious	Unknown	Browse	198.244.213.27
	ODggSYsZP2.elf	Get hash	malicious	Unknown	Browse	198.244.7.172
	at0jsDxjXS.elf	Get hash	malicious	Unknown	Browse	198.244.66.83
	SecuriteInfo.com.Trojan.Siggen21.29401.5442.21101.exe	Get hash	malicious	Unknown	Browse	198.244.148.151
	SecuriteInfo.com.Trojan.Siggen21.29401.5442.21101.exe	Get hash	malicious	Unknown	Browse	198.244.148.151
	https://app.seesaw.me/#/item/item.25a5fb4a-1aa3-4cc1-8620-5508b13ee78f/share/E5jhxMEuSn-0CL0gHO8msg	Get hash	malicious	HTMLPhisher	Browse	198.244.144.202
	https://emlmkt.com/url/ver/551960127/2552870/f270b5482f31f088fa3129e0b7ea965f	Get hash	malicious	Unknown	Browse	198.244.165.101
BTEL-BG-ASBG	file.exe	Get hash	malicious	GCleaner, Raccoon Stealer v2	Browse	95.169.205.186
	xzQ4Zf3975.exe	Get hash	malicious	Raccoon Stealer v2	Browse	95.169.205.186
	60lAWJYfsL.exe	Get hash	malicious	Raccoon Stealer v2	Browse	95.169.205.186
	http://fwtnp.dfbf.maderclean.cl/giorgiobelfiore@dececco.it	Get hash	malicious	Unknown	Browse	185.7.219.103
	GVlpP9RL5t	Get hash	malicious	Mirai	Browse	95.169.222.123

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.971934126811223
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe
File size:	8'498'688 bytes
MD5:	45fb6e45804331506a8855a65ed14844
SHA1:	67e0d682a5e7ef5f52a3b2015498512298937711
SHA256:	651ae67653de89b3feb53f9805f69c4c50734879016b5227f5ef2cd015377de9
SHA512:	f6a3ea55b1bb87970fe8e90971999243b5b6a093832689957b4994fcd6af016c4c4c14f0409397668d9286ae5e5db04a121d403bfdddada5b2e314ae3b629514
SSDEEP:	98304:kEHK95K6qTrbF2kEa5j9Uvo8x3BGBjMJx3QEco0:P6qTrbAaIxEjeRQVo
TLSH:	18869D43EC9145E9C5EEE231C9A292537A71BC484B3167D72F50F6382FB6BD06AB9304
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........{.'....."......@'...................@...........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46d5c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	c2d457ad8ac36fc9f18d45bffcd450c2

Entrypoint Preview

Instruction
jmp 00007F38A87D0EA0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [005A2402h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F38A87D4785h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F38A87D557Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x841000	0x554	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x617000	0xe43c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x842000	0xc7aa	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4fcbc0	0x180	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x273fcd	0x274000	0dce538cba9a78fda81300bfb224a19f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x275000	0x2864b8	0x286600	fab5a83c47fa373d6652d1eecb02220e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4fc000	0x11a0a0	0x8c400	b9f990e2eabcdab2d71635e59d1672b2	False	0.6547703598484849	data	6.505072815432817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x617000	0xe43c	0xe600	e3d30d0e9a0b3575b03c4e4c4536bd3a	False	0.40010190217391306	data	5.434582713944269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x626000	0xb4	0x200	67459caf6767b8db3f82e7b28a867330	False	0.2265625	shared library	1.787112262798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x627000	0x129	0x200	17f62672c8506464ae13eccc2eb6cb94	False	0.623046875	data	5.081946473254993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x628000	0x6dcc3	0x6de00	f24a5b4234ff96c231d0512ef77f06f9	False	0.9993845100967008	data	7.996511943587052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x696000	0x168a6	0x16a00	4996200b1bb4ac971d79492f6e806fe4	False	0.9935255524861878	data	7.937039996207801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x6ad000	0x2d	0x200	4708e78f5ab324480bbc15d8604ff4d5	False	0.09765625	data	0.7883784398951422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x6ae000	0xe1e57	0xe2000	786e8f1024a0eeb479d6deb00d0dfe0c	False	0.9980047445381637	data	7.99818173884988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x790000	0x878b0	0x87a00	56ea228accb817da9062c157fd85f9c8	False	0.9891201036866359	data	7.9947244509139574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x818000	0x287ce	0x28800	11db12b587302aa9889ef6eaaf0a9952	False	0.9689549575617284	data	7.807706266543984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x841000	0x554	0x600	ec9095fe1be71d66643ba93dcd750ac2	False	0.3828125	data	4.058245716607451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x842000	0xc7aa	0xc800	827a13b6260fd1cd6d292812eb5ddb86	False	0.248125	data	5.439106434316897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x84f000	0x618d4	0x61a00	9882877ae95430a7027e8183f9b53ceb	False	0.21940771046734955	data	5.315011308010812	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 09:28:11.502588987 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:11.502614021 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:11.502677917 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:11.503128052 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:11.503143072 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.116595030 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.116844893 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.116856098 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.117022991 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.117027998 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.118057013 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.118124008 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.162884951 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.163003922 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.163064957 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.210946083 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.210957050 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.259731054 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.419763088 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.419791937 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.419800043 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.419833899 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.419848919 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.419863939 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.419888020 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.419888020 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.419902086 CEST	443	49714	198.244.179.42	192.168.2.6
Aug 27, 2024 09:28:12.419917107 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.419970036 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.420101881 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.420130968 CEST	49714	443	192.168.2.6	198.244.179.42
Aug 27, 2024 09:28:12.420540094 CEST	49715	80	192.168.2.6	95.169.204.138
Aug 27, 2024 09:28:12.425369978 CEST	80	49715	95.169.204.138	192.168.2.6
Aug 27, 2024 09:28:12.425447941 CEST	49715	80	192.168.2.6	95.169.204.138
Aug 27, 2024 09:28:12.425678015 CEST	49715	80	192.168.2.6	95.169.204.138
Aug 27, 2024 09:28:12.430555105 CEST	80	49715	95.169.204.138	192.168.2.6
Aug 27, 2024 09:28:33.783761978 CEST	80	49715	95.169.204.138	192.168.2.6
Aug 27, 2024 09:28:33.783888102 CEST	49715	80	192.168.2.6	95.169.204.138
Aug 27, 2024 09:28:33.784044027 CEST	49715	80	192.168.2.6	95.169.204.138
Aug 27, 2024 09:28:33.788923979 CEST	80	49715	95.169.204.138	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 09:28:11.444638968 CEST	60631	53	192.168.2.6	1.1.1.1
Aug 27, 2024 09:28:11.496648073 CEST	53	60631	1.1.1.1	192.168.2.6
Aug 27, 2024 09:28:29.964207888 CEST	53	57610	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 27, 2024 09:28:11.444638968 CEST	192.168.2.6	1.1.1.1	0x1670	Standard query (0)	teknologiia.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 27, 2024 09:28:11.496648073 CEST	1.1.1.1	192.168.2.6	0x1670	No error (0)	teknologiia.com		198.244.179.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

teknologiia.com

95.169.204.138

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	95.169.204.138	80	3472	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Timestamp	Bytes transferred	Direction	Data
Aug 27, 2024 09:28:12.425678015 CEST	231	OUT	GET / HTTP/1.1 Host: 95.169.204.138 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Accept: application/x-www-form-urlencoded Accept-Encoding: gzip

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	198.244.179.42	443	3472	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 07:28:12 UTC	232	OUT	GET / HTTP/1.1 Host: teknologiia.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Accept: application/x-www-form-urlencoded Accept-Encoding: gzip
2024-08-27 07:28:12 UTC	1508	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 27 Aug 2024 07:28:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 167771 Connection: close Last-Modified: Fri, 05 Jul 2024 18:59:55 GMT ETag: "28f5b-61c84ab5041e6" Accept-Ranges: bytes Cache-Control: max-age=0, public, public Expires: Tue, 27 Aug 2024 07:28:12 GMT Vary: Accept-Encoding,Cookie Referrer-Policy: no-referrer-when-downgrade X-Powered-By: W3 Total Cache/2.6.1 Pragma: public Link: </wp-content/cache/minify/c4d91.js>; rel=preload; as=script Link: </wp-content/cache/minify/aa325.js>; rel=preload; as=script Link: </wp-content/cache/minify/0e602.js>; rel=preload; as=script Link: </wp-content/cache/minify/1f540.js>; rel=preload; as=script Link: </wp-content/cache/minify/ac85c.js>; rel=preload; as=script Link: </wp-content/cache/minify/9efdf.js>; rel=preload; as=script Link: </wp-content/cache/minify/2560e.js>; rel=preload; as=script Link: </wp-content/cache/minify/b196c.js>; rel=preload; as=script Link: </wp-content/cache/minify/1615d.js>; rel=preload; as=script Link: </wp-content/cache/minify/a5ff7.css>; rel=preload; as=style Link: </wp-content/cache/minify/10434.css>; rel=preload; as=style Link: </wp-content/cache/minify/8d8e8.css>; rel=preload; as=style Link: </wp-content/cache/minify/bd434.css>; rel=preload; as=style Link: </wp-content/cache/minify/70ed1.css>; rel=preload; as=style X-Cache-Status: MISS Strict-Transport-Security: max-age=15768000; includeSubDomains X-Powered-By: PleskLin
2024-08-27 07:28:12 UTC	14876	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 64 69 72 3d 6c 74 72 20 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 74 65 6b 6e 6f 6c 6f 67 69 69 61 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d Data Ascii: <!DOCTYPE html><htmldir=ltr lang=en-US prefix="og: https://ogp.me/ns#"><head><style>img.lazy{min-height:1px}</style><linkrel=preload href=https://teknologiia.com/wp-content/plugins/w3-total-cache/pub/js/lazyload.min.js as=script><metacharset="UTF-8"><m

Target ID:	0
Start time:	03:28:10
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe"
Imagebase:	0x350000
File size:	8'498'688 bytes
MD5 hash:	45FB6E45804331506A8855A65ED14844
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:28:10
Start date:	27/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 003BDB60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2408373222.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true

Associated: 00000000.00000002.2408352477.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408521469.00000000005C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408676193.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408693951.0000000000850000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408710564.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408724419.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408738516.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408752238.0000000000855000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408790848.00000000008C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408807390.00000000008D0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408822219.00000000008D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408835954.00000000008D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408849007.00000000008D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408849007.00000000008F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408849007.000000000095F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408906950.0000000000967000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408906950.00000000009FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409034408.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409048143.0000000000B92000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65c2346c372a812bf9a5a497f7710ebe99c163a2b211cbfcde99684ffbfdf79
Instruction ID: e846896a7df9f8255a55f7501165eed9a91afce912e9e4b8fd0292d13fc38d70
Opcode Fuzzy Hash: b65c2346c372a812bf9a5a497f7710ebe99c163a2b211cbfcde99684ffbfdf79
Instruction Fuzzy Hash: 29319D2391CFC482D3218B24F5413AAB364F7A9784F15A715EFC812A1ADF78E1E5CB40

Function 003B9EC0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2408373222.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true

Associated: 00000000.00000002.2408352477.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408521469.00000000005C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408676193.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408693951.0000000000850000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408710564.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408724419.0000000000852000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408738516.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408752238.0000000000855000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408790848.00000000008C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408807390.00000000008D0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408822219.00000000008D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408835954.00000000008D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408849007.00000000008D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408849007.00000000008F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408849007.000000000095F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408906950.0000000000967000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2408906950.00000000009FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409034408.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409048143.0000000000B92000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19322aacc7dd447383d6f2170a10e82d5a65409c32a3e247da5a00b3a98942e9
Instruction ID: 59066b4aeb0d92e1b99f9a95ce8b31c90d9dc8cb9e86b708a335d9e76b8365d2
Opcode Fuzzy Hash: 19322aacc7dd447383d6f2170a10e82d5a65409c32a3e247da5a00b3a98942e9
Instruction Fuzzy Hash:

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe