Edit tour
Windows
Analysis Report
reduce.exe
Overview
General Information
Detection
GO Backdoor
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Classification
- System is w10x64
- reduce.exe (PID: 7528 cmdline:
"C:\Users\ user\Deskt op\reduce. exe" MD5: B0F4C61F99716127097DA80D07ED6123) - more.com (PID: 7592 cmdline:
C:\Windows \SysWOW64\ more.com MD5: 03805AE7E8CBC07840108F5C80CF4973) - conhost.exe (PID: 7600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - msiexec.exe (PID: 8024 cmdline:
C:\Windows \SysWOW64\ msiexec.ex e MD5: 9D09DC1EDA745A5F87553048E57620CF)
- Client32.exe (PID: 8036 cmdline:
"C:\Users\ user\AppDa ta\Roaming \jion\Clie nt32.exe" MD5: B0F4C61F99716127097DA80D07ED6123) - more.com (PID: 8060 cmdline:
C:\Windows \SysWOW64\ more.com MD5: 03805AE7E8CBC07840108F5C80CF4973) - conhost.exe (PID: 8068 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - msiexec.exe (PID: 7204 cmdline:
C:\Windows \SysWOW64\ msiexec.ex e MD5: 9D09DC1EDA745A5F87553048E57620CF)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
Source: | Author: frack113: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-04T23:24:07.286896+0100 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 185.121.233.152 | 28250 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-04T23:24:36.083072+0100 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 185.121.233.152 | 28250 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-04T23:24:36.469876+0100 | 2855538 | 1 | A Network Trojan was detected | 185.121.233.152 | 28250 | 192.168.2.4 | 49763 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-04T23:24:07.286691+0100 | 2855539 | 1 | A Network Trojan was detected | 185.121.233.152 | 28250 | 192.168.2.4 | 49763 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: | ||
Source: | Avira: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | String found in binary or memory: |