Edit tour

Windows Analysis Report
sadfwqefrqw3f.exe

Overview

General Information

Sample name:	sadfwqefrqw3f.exe
Analysis ID:	1541334
MD5:	f57752bb1deef37b1940441f4edddcbe
SHA1:	41212eebd65da911210f08d5b0819f2d815a92e5
SHA256:	d1f9ccaa3a83a3bb8bf2412f172defee977bfe11c3a5bc8a80c8452d59349cdd
Tags:	exeuser-drsilva19852455
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

Tries to detect debuggers (CloseHandle check)

Tries to evade analysis by execution special instruction (VM detection)

Checks if the current process is being debugged

Enables debug privileges

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

sadfwqefrqw3f.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\sadfwqefrqw3f.exe" MD5: F57752BB1DEEF37B1940441F4EDDDCBE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x617b17:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x617b83:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sadfwqefrqw3f.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: sadfwqefrqw3f.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: sadfwqefrqw3f.exe

Joe Sandbox ML: detected

Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_4155e676-9

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

Unpacked PE file: 0.2.sadfwqefrqw3f.exe.140000000.0.unpack

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49979 version: TLS 1.2

Source:	Binary string: D:\Shared\HDAudioEnchancer.pdb source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: noaserver.com

Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noaserver.com
Source: sadfwqefrqw3f.exe, 00000000.00000002.4560277164.00000000037D2000.00000004.00000020.00020000.00000000.sdmp, sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noaserver.com/api/sendreport
Source: sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noaserver.com/api/sendreportP
Source: sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noaserver.com/api/sendreporti
Source: sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noaserver.com/api/sendreportk
Source: sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noaserver.coms

Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49979 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameiQVW64.SYSH vs sadfwqefrqw3f.exe

Source: 00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sadfwqefrqw3f.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Section loaded: schannel.dll	Jump to behavior

Source: sadfwqefrqw3f.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: sadfwqefrqw3f.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sadfwqefrqw3f.exe

Static file information: File size 57968640 > 1048576

Source: sadfwqefrqw3f.exe

Static PE information: Raw size of .sharper is bigger than: 0x100000 < 0x3747200

Source:	Binary string: D:\Shared\HDAudioEnchancer.pdb source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

Unpacked PE file: 0.2.sadfwqefrqw3f.exe.140000000.0.unpack

Source: initial sample

Static PE information: section where entry point is pointing to: .sharper

Source: sadfwqefrqw3f.exe	Static PE information: section name: .sharper
Source: sadfwqefrqw3f.exe	Static PE information: section name: .sharper
Source: sadfwqefrqw3f.exe	Static PE information: section name: .sharper

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Memory written: PID: 1848 base: 7FF8C8A50008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Memory written: PID: 1848 base: 7FF8C88ED9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Memory written: PID: 1848 base: 7FF8C8A6000D value: E9 BB CB EB FF	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Memory written: PID: 1848 base: 7FF8C891CBC0 value: E9 5A 34 14 00	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Special instruction interceptor: First address: 1465813E8 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Special instruction interceptor: First address: 1465813F7 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

File opened: PhysicalDrive0

Jump to behavior

Source: sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000006C9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x14657B8D6	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x14656CA98	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtUnmapViewOfSection: Direct from: 0x143F4D53D	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x1434194C9	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x143F4B83F	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtQueryInformationProcess: Direct from: 0x143F53EFB	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x14357FC84	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x1440EF8AA	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Indirect: 0x14339F6A1	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtMapViewOfSection: Direct from: 0x14342A316	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtQueryInformationProcess: Direct from: 0x1440E1677	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtQueryInformationProcess: Direct from: 0x1440C25B9	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtOpenFile: Direct from: 0x1434212AD	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x143415776	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtQueryInformationProcess: Direct from: 0x14412990C	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtSetInformationProcess: Direct from: 0x144126082	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtQuerySystemInformation: Direct from: 0x144170E0F	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtClose: Direct from: 0x144120C5F
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x1440E3B8A	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x143F6116C	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtQuerySystemInformation: Direct from: 0x1465366F9	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtQueryInformationProcess: Direct from: 0x14357E54C	Jump to behavior
Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe	NtProtectVirtualMemory: Direct from: 0x143F458AC	Jump to behavior

Source: C:\Users\user\Desktop\sadfwqefrqw3f.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	22 Virtualization/Sandbox Evasion	1 Credential API Hooking	421 Security Software Discovery	Remote Services	1 Credential API Hooking	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	22 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	113 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
sadfwqefrqw3f.exe	45%	ReversingLabs	Win64.Trojan.Barys
sadfwqefrqw3f.exe	100%	Avira	TR/Redcap.xekrt
sadfwqefrqw3f.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
noaserver.com	188.114.96.3	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://noaserver.com/api/sendreport	sadfwqefrqw3f.exe, 00000000.00000002.4560277164.00000000037D2000.00000004.00000020.00020000.00000000.sdmp, sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005DC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.se/docs/alt-svc.html	sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html	sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://noaserver.com	sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://noaserver.com/api/sendreportP	sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.thawte.com0	sadfwqefrqw3f.exe, 00000000.00000002.4560526963.0000000140299000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://noaserver.com/api/sendreportk	sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://noaserver.coms	sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://noaserver.com/api/sendreporti	sadfwqefrqw3f.exe, 00000000.00000002.4559941604.00000000005DC000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	noaserver.com	European Union		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541334
Start date and time:	2024-10-24 17:48:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sadfwqefrqw3f.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/0@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target sadfwqefrqw3f.exe, PID 1848 because there are no executed function
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: sadfwqefrqw3f.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.timizoasisey.shop/3p0l/
	BL.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	w49A5FG3yg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	t1zTzS9a3r.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/lovely

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Heur.11787.148.exe	Get hash	malicious	LummaC	Browse	172.67.194.239
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.204
	https://www.canva.com/design/DAGUUU-VdiI/DdL4Z-_loK4X7NMMbGGnJg/view?utm_content=DAGUUU-VdiI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.16.103.112
	https://www.canva.com/design/DAGUUU-VdiI/DdL4Z-_loK4X7NMMbGGnJg/view?utm_content=DAGUUU-VdiI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.16.103.112
	https://www.cognitoforms.com/f/dPw6PjKRNEiTBIouwlWxQQ/1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.24.14
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	188.114.96.3
	https://nt3e.com/_1.html?%20send_id=eh&tvi2_RxT=www.networksolutionsemail.com/ntpdkptJegwgUbePDCPPdVkFuvAlhtlBYyzZldVkFuvAlhtlBYyzZlPwcjpjmntpdkptJegwgUbePDCPPdVkFuvAlhtlBYyzZlntpdkptJegwgUbePDCPPdVkFuvAlhtlBYyzZl&e=cnlhbl9ob3dhcmRAb3V0bG9vay5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://url960.aceeduconsult.com/ls/click?upn=u001.LUpianUM71xe7PV7wDA6i1kcuy38W249FfPzE-2Fn4iGArrL0MQBCUZHFEzmfBrwW7hf5h8aNQUml0OSIHqpXf0LMpnaTL-2BzYU1WV-2BSTu4-2FYE-3DnWBx_C2kZwAnfGwUSqF5D87NbxLVpuF-2FUu77KiRgkAhE5NE4LxNdD8Vk-2BBXjUuKxXLIa0fIDZmJqQTdTMUWaKg74qY7H1042trEdUOL1Ty-2B4ikz6aamPgX0YPKifSgbmdnoJ9QNdI7-2Fj5HU9YtlUVfM2hhaIRlcN5LDyRrfABDYCmE6HCezIFJke-2Bw8MgqKR8oZe3x0bNQ5ip4gqKVt9OZvtTXtI2W19VoVZDzbdeDK4WD-2F3HaEv25gNxrltbLRhf8V-2BO7eWR3mjaJT30K-2BcVCwIlJZO7lziFom1TeAFneOePh2rvH67eyoHyRuDs7uhJ58UvSbL-2F5WGOZFqHf1Uoqm5u1BuusL-2F4yIoUS3Zge-2Bhwb2SPTTZrQp-2B3YQW62QJEBscu8XAGBtmCTNO-2FGrj9S-2BwtsmLluvkoUx0cXtIZxgyjwWcDifMxEpsoupBhIu0vHgSwbA5Jlj-2FdPy-2B0yhvKMBxhOgsBuXNzAVSfF8HuZvD5iWXinRKWqhNg1QpvfMK5Why8PnI5FwIsgrY7RxMkEbcDdf0VL1a7dM3RDh9LkpekDjtHu-2F4c-2FsI73UIfVUG4-2BbcH5VEOHzkCenTbIl-2BeYnL2jw9k-2Bt-2BAEZMQZavCq5q7Io2kchrzK3tu9Vj43TTv0K790k8tA4okR0vSuH0WvhSIZBs2e3uKgx9FK2SAr5JJzheB6cW2OXdbGgfDGPwGYkvJqNCBixLi9dWacb8fBed5RjA3p1JUsS79RbxF-2FaSjDqEr3OTeFx3WgBthSzcSYPpiE9ha00gB-2FAVdpFU8eOGGhrdGc6OgU4OZhDsRkN5FNMpRj3pgHOHQ6dkJW4RJx1-2B1Om8bljV3ruWQytV5mwg68-2FvnkkpkZM63omm27kalKxw-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.222
	https://lnk.ie/73BGS/e=?utm_campaign=&utm_medium=email&utm_source=eloqua&utm_content=EMS&elqTrackId=b3e6296b7e034428ab6cf8165586e5f3&elq=f15d0983a3e2469a9348a180a5d34fca&elqaid=2922&elqat=1&elqCampaignId=1792&elqak=8AF50EC23DDB3CA8DB8B1F52080496E6D8BDFEE307A00555CA936F9692C081A369A3	Get hash	malicious	Unknown	Browse	104.18.95.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	SecuriteInfo.com.Win64.Evo-gen.20107.17462.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.FileRepMalware.12025.7543.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1319832.32667.20795.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	188.114.96.3
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	188.114.96.3
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	188.114.96.3
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	188.114.96.3
	QZyFrUDVA9.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.980162940228627
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sadfwqefrqw3f.exe
File size:	57'968'640 bytes
MD5:	f57752bb1deef37b1940441f4edddcbe
SHA1:	41212eebd65da911210f08d5b0819f2d815a92e5
SHA256:	d1f9ccaa3a83a3bb8bf2412f172defee977bfe11c3a5bc8a80c8452d59349cdd
SHA512:	d07b3e2e63dde6ae24e91748b2e24bbb7edf381cadb556fd49f5bea7771e77f4bcf471581632d2d2ac882e875b84bb3f7b5d4f2515d575e99acc39c2708c6323
SSDEEP:	1572864:jnel83MrqAGM/piy57vJREubbeI0wKDvn86uOWw:jn089ADiy90YbRqvnpNV
TLSH:	36D7339B82C856B9C0C3CB00A147575772D0A73ECAFE1D693ECB2C41794AE1B464EB67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........#....).v).........\..........@.............................p............ ................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x144168b5c
Entrypoint Section:	.sharper
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F5D8A5 [Thu Sep 26 21:56:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5bbe22f51ba0d46f91a90f06c15445df

Entrypoint Preview

Instruction
inc ecx
push eax
pushfd
dec ecx
mov eax, 329B6315h
aaa
xor eax, dword ptr [esi]
mov ch, 41h
bswap eax
inc ebp
xor eax, eax
call 00007F4750D268E0h
out dx, al
enter 17E4h, F2h
je 00007F4750D95408h
jo 00007F4750D9548Dh
jle 00007F4750D954B0h
sbb al, E6h
test al, 2Bh
jle 00007F4750D954B0h
test byte ptr [esi], bl
or byte ptr [ebx], ch
jle 00007F4750D954B0h
and al, 7Eh
and byte ptr [ebx], ch
jle 00007F4750D954B0h
int3
push ss
push eax
sub edi, dword ptr [esi+4Eh]
dec esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33fae10	0x1a4	.sharper
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6b1e2c0	0x17f10	.sharper
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x35787a0	0x28	.sharper
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6b1e180	0x140	.sharper
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33ed000	0x168	.sharper
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29746e	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x299000	0x7b09c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data	0x315000	0x9bc2dc	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xcd2000	0x150f0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.sharper	0xce8000	0x2704a96	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sharper	0x33ed000	0x10d8	0x1200	7ecadbf6eb5f01ec110ca64d0af7bf54	False	0.03624131944444445	data	0.263381869308014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sharper	0x33ef000	0x37471d0	0x3747200	c453c8845eb699fcd4324c54a4692b93	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
IPHLPAPI.DLL	GetAdaptersAddresses
ntdll.dll	VerSetConditionMask
d3d11.dll	D3D11CreateDeviceAndSwapChain
D3DCOMPILER_47.dll	D3DCompile
IMM32.dll	ImmReleaseContext
KERNEL32.dll	LoadLibraryA
USER32.dll	wsprintfW
ADVAPI32.dll	SetEntriesInAclW
SHELL32.dll	SHGetSpecialFolderPathW
ole32.dll	CoInitialize
OLEAUT32.dll	SysAllocString
WINTRUST.dll	WinVerifyTrust
SHLWAPI.dll	StrStrW
imagehlp.dll	SymInitialize
bcrypt.dll	BCryptGenRandom
XINPUT1_4.dll
CRYPT32.dll	CertCloseStore
WS2_32.dll	getaddrinfo
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 17:53:06.293917894 CEST	49979	443	192.168.2.5	188.114.96.3
Oct 24, 2024 17:53:06.293973923 CEST	443	49979	188.114.96.3	192.168.2.5
Oct 24, 2024 17:53:06.294104099 CEST	49979	443	192.168.2.5	188.114.96.3
Oct 24, 2024 17:53:06.310698032 CEST	49979	443	192.168.2.5	188.114.96.3
Oct 24, 2024 17:53:06.310730934 CEST	443	49979	188.114.96.3	192.168.2.5
Oct 24, 2024 17:53:07.055295944 CEST	443	49979	188.114.96.3	192.168.2.5
Oct 24, 2024 17:53:07.055618048 CEST	49979	443	192.168.2.5	188.114.96.3
Oct 24, 2024 17:53:07.073812962 CEST	49979	443	192.168.2.5	188.114.96.3
Oct 24, 2024 17:53:07.073829889 CEST	443	49979	188.114.96.3	192.168.2.5
Oct 24, 2024 17:53:07.073961020 CEST	49979	443	192.168.2.5	188.114.96.3
Oct 24, 2024 17:53:07.074006081 CEST	443	49979	188.114.96.3	192.168.2.5
Oct 24, 2024 17:53:07.074074030 CEST	49979	443	192.168.2.5	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 17:53:06.257527113 CEST	60481	53	192.168.2.5	1.1.1.1
Oct 24, 2024 17:53:06.281286955 CEST	53	60481	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 17:53:06.257527113 CEST	192.168.2.5	1.1.1.1	0x1edf	Standard query (0)	noaserver.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 17:53:06.281286955 CEST	1.1.1.1	192.168.2.5	0x1edf	No error (0)	noaserver.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 17:53:06.281286955 CEST	1.1.1.1	192.168.2.5	0x1edf	No error (0)	noaserver.com		188.114.97.3	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: sadfwqefrqw3f.exePID: 1848, Parent PID: 1028

General

Target ID:	0
Start time:	11:49:11
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\sadfwqefrqw3f.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sadfwqefrqw3f.exe"
Imagebase:	0x140000000
File size:	57'968'640 bytes
MD5 hash:	F57752BB1DEEF37B1940441F4EDDDCBE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.4560577450.0000000140315000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sadfwqefrqw3f.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: sadfwqefrqw3f.exePID: 1848, Parent PID: 1028

Windows Analysis Report
sadfwqefrqw3f.exe