Edit tour

Windows Analysis Report
reddit.exe

Overview

General Information

Sample name:	reddit.exe
Analysis ID:	1580047
MD5:	23544090c6d379e3eca7343c4f05d4d2
SHA1:	c9250e363790a573e9921a68b7abe64f27e63df1
SHA256:	b439d22ed2c1e1f83f3c52d1a7307d9aee8b516166ab221cb6d67b188cd80f56
Tags:	exeMeterpreteruser-James_inthe_box
Infos:

Detection

Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

AI detected suspicious sample

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

reddit.exe (PID: 3260 cmdline: "C:\Users\user\Desktop\reddit.exe" MD5: 23544090C6D379E3ECA7343C4F05D4D2)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Connect", "IP": "147.185.221.23", "Port": 1121}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
reddit.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
reddit.exe	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
reddit.exe	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x3a39:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0xd8:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x2a39:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000000.1666127553.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000000.1666127553.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x2a39:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.reddit.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.reddit.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.0.reddit.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.2.reddit.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.0.reddit.exe.400000.0.unpack	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x3a39:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
0.2.reddit.exe.400000.0.unpack	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x3a39:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: reddit.exe

Avira: detected

Found malware configuration

Source: reddit.exe

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "147.185.221.23", "Port": 1121}

Multi AV Scanner detection for submitted file

Source: reddit.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: reddit.exe

Joe Sandbox ML: detected

Source: reddit.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: reddit.exe

Source: C:\Users\user\Desktop\reddit.exe

Code function: 4x nop then mov cl, 90h

0_2_00404823

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 147.185.221.23:1121

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23

Source: C:\Users\user\Desktop\reddit.exe

Code function: 0_2_00510095 WSASocketA,connect,recv,closesocket,

0_2_00510095

Source: reddit.exe	String found in binary or memory: http://www.apache.org/
Source: reddit.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: reddit.exe	String found in binary or memory: http://www.zeustech.net/

System Summary

Malicious sample detected (through community Yara rule)

Source: reddit.exe, type: SAMPLE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000000.1666127553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown

Source: reddit.exe, 00000000.00000000.1666214447.0000000000415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameab.exeF vs reddit.exe
Source: reddit.exe	Binary or memory string: OriginalFilenameab.exeF vs reddit.exe

Source: reddit.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: reddit.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000000.1666127553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23

Source: reddit.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.troj.winEXE@1/0@0/1

Source: reddit.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\reddit.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: reddit.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\reddit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\reddit.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\reddit.exe	Section loaded: mswsock.dll	Jump to behavior

Source: reddit.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: reddit.exe

Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_0040B840 push eax; ret	0_2_0040B86E
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_00405A5C push edx; ret	0_2_00405A7D
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_00406200 push esi; iretd	0_2_0040620B
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_004032D4 push edx; retf	0_2_00403342
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_004056AF push eax; retn 000Ch	0_2_004056B0
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_00407D07 push es; retf	0_2_00407D80
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_00406D10 pushfd ; ret	0_2_00406D45
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_0040211C push eax; retf	0_2_00402128
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_00407D20 push es; retf	0_2_00407D80
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_00403331 push edx; retf	0_2_00403342
Source: C:\Users\user\Desktop\reddit.exe	Code function: 0_2_00407DB4 push ds; retf	0_2_00407DF6

Source: reddit.exe

Static PE information: section name: .text entropy: 7.006551052925149

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: reddit.exe, 00000000.00000002.2933635327.00000000005EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: reddit.exe, type: SAMPLE
Source: Yara match	File source: 0.0.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.reddit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1666127553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Software Packing	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
reddit.exe	89%	ReversingLabs	Win32.Backdoor.Swrort
reddit.exe	100%	Avira	TR/Patched.Gen2
reddit.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.zeustech.net/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	reddit.exe	false		high
http://www.apache.org/	reddit.exe	false		high
http://www.zeustech.net/	reddit.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580047
Start date and time:	2024-12-23 19:47:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	reddit.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: reddit.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	dr2YKJiGH9.exe	Get hash	malicious	XWorm	Browse
	jSm8N1jXbk.exe	Get hash	malicious	S400 RAT	Browse
	enigma_loader.exe	Get hash	malicious	XWorm	Browse
	exe006.exe	Get hash	malicious	SheetRat	Browse
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse
	eternal.exe	Get hash	malicious	XWorm	Browse
	svchost.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	147.176.119.110
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.18
	dr2YKJiGH9.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	PjGz899RZV.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	ehxF3rusxJ.exe	Get hash	malicious	XWorm	Browse	147.185.221.24

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.316899506372099
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	reddit.exe
File size:	73'802 bytes
MD5:	23544090c6d379e3eca7343c4f05d4d2
SHA1:	c9250e363790a573e9921a68b7abe64f27e63df1
SHA256:	b439d22ed2c1e1f83f3c52d1a7307d9aee8b516166ab221cb6d67b188cd80f56
SHA512:	6aca78b0653e87ac80d7f562e6ab6d650f4d53d375cad043eb9613c7bbd642f7f82564a872b1b05520a77acbeba9da0540c4cd5a855a28a8188ebe3a4b57775c
SSDEEP:	1536:I15v3HYXkOXlgX3p+f4RYuL47YzAnsVebkTsT5Wj6Mb+KR0Nc8QsJq39:Y5v3Y0O1u3pplqvnsG+8e0Nc8QsC9
TLSH:	2873BF82E6C01562C1A6123E2B753B79A971F5F72205C19A7ACCCDE8DFD09E096363C7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L....5EJ...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4025b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4A4535B4 [Fri Jun 26 20:55:16 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	481f47bbb2c9c21e108d65f52b04c448

Entrypoint Preview

Instruction
dec eax
dec ebx
stc
xchg eax, ebx
xchg eax, ecx
cwde
xchg eax, ecx
xchg eax, ebx
aas
cld
inc ebx
xchg eax, ecx
nop
xchg eax, ebx
dec ebx
aaa
daa
inc edx
xchg eax, edx
cdq
clc
daa
xchg eax, edx
wait
dec ebx
dec ecx
dec ecx
cmc
lahf
stc
inc eax
xchg eax, edx
aaa
xchg eax, edx
clc
inc eax
inc eax
xchg eax, ebx
stc
inc edx
inc ebx
stc
inc ebx
das
dec eax
nop
wait
inc ebx
xchg eax, ecx
salc
inc eax
clc
xchg eax, ecx
aas
cld
cmc
lahf
clc
wait
dec ecx
nop
cdq
aaa
inc edx
xchg eax, ecx
stc
daa
inc edx
inc ebx
inc ecx
inc eax
std
daa
cdq
das
dec edx
xchg eax, ebx
cmc
stc
inc edx
wait
dec edx
dec edx
std
nop
inc eax
lahf
nop
cdq
cdq
xchg eax, ecx
aaa
xchg eax, ebx
clc
wait
inc eax
aaa
dec ecx
aaa
das
das
cdq
wait
dec ebx
dec ebx
std
clc
nop
lahf
xchg eax, ebx
dec eax
wait
wait
dec edx
wait
cdq
cwde
nop
wait
jmp 00007F5B88DCEB5Eh
fsub qword ptr [ebp-10h]
fld st(0), st(0)
fmul st(0), st(1)
faddp st(2), st(0)
fstp st(0)
jne 00007F5B88DCDC63h
fstp qword ptr [ebp-70h]
fucomp st(7)
aam DDh
xchg eax, edi
test al, EBh
push es
fld qword ptr [ebp-7F000088h]
add ebp, dword ptr [ebx+ebx*8-3B7CFFBFh]
add dword ptr [ebx+ebx-17h], esp
push eax
int3
pop ebp
hlt
fild dword ptr [ebp-11h]
fdivr st(0), st(1)
fsqrt
fstp qword ptr [ebp-00340088h]
jmp 00007F5B88DCDC76h
mov dword ptr [ebp-0000C688h], 00CF0000h
mov dword ptr [ebp+00FFFF7Ch], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x7c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa966	0xb000	a9f815ffbd66643081a2169d07241e2a	False	0.8152743252840909	data	7.006551052925149	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0xfe6	0x1000	25d7ceee3aa85bb3e8c5174736f6f830	False	0.46142578125	DOS executable (COM, 0x8C-variant)	5.318390353744998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x705c	0x4000	283b5f792323d57b9db4d2bcc46580f8	False	0.25634765625	Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0	4.407841023203495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x15000	0x7c8	0x1000	c13a9413aea7291b6fc85d75bfcde381	False	0.197998046875	data	1.958296025171192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x15060	0x768	data	English	United States	0.40189873417721517

Imports

DLL	Import
MSVCRT.dll	_iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp
KERNEL32.dll	PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid
WSOCK32.dll	getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError
WS2_32.dll	WSARecv, WSASend

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 19:47:57.804363966 CET	49732	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:47:57.924053907 CET	1121	49732	147.185.221.23	192.168.2.4
Dec 23, 2024 19:47:57.924144030 CET	49732	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:19.831070900 CET	1121	49732	147.185.221.23	192.168.2.4
Dec 23, 2024 19:48:19.831145048 CET	49732	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:19.831724882 CET	49732	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:19.833230972 CET	49737	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:19.951406002 CET	1121	49732	147.185.221.23	192.168.2.4
Dec 23, 2024 19:48:19.953059912 CET	1121	49737	147.185.221.23	192.168.2.4
Dec 23, 2024 19:48:19.953140974 CET	49737	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:41.847271919 CET	1121	49737	147.185.221.23	192.168.2.4
Dec 23, 2024 19:48:41.847418070 CET	49737	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:41.848009109 CET	49737	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:41.849226952 CET	49740	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:48:41.967668056 CET	1121	49737	147.185.221.23	192.168.2.4
Dec 23, 2024 19:48:41.968972921 CET	1121	49740	147.185.221.23	192.168.2.4
Dec 23, 2024 19:48:41.969059944 CET	49740	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:03.863554001 CET	1121	49740	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:03.863619089 CET	49740	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:03.864357948 CET	49740	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:03.865823984 CET	49757	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:03.984374046 CET	1121	49740	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:03.986341953 CET	1121	49757	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:03.986414909 CET	49757	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:25.879825115 CET	1121	49757	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:25.879899025 CET	49757	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:25.880302906 CET	49757	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:25.881195068 CET	49806	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:26.000469923 CET	1121	49757	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:26.001339912 CET	1121	49806	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:26.001420021 CET	49806	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:47.926482916 CET	1121	49806	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:47.926558018 CET	49806	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:47.926964045 CET	49806	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:47.927802086 CET	49855	1121	192.168.2.4	147.185.221.23
Dec 23, 2024 19:49:48.046982050 CET	1121	49806	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:48.048727989 CET	1121	49855	147.185.221.23	192.168.2.4
Dec 23, 2024 19:49:48.048851013 CET	49855	1121	192.168.2.4	147.185.221.23

Target ID:	0
Start time:	13:47:56
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\reddit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\reddit.exe"
Imagebase:	0x400000
File size:	73'802 bytes
MD5 hash:	23544090C6D379E3ECA7343C4F05D4D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.1666127553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000000.1666127553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	13.4%
Signature Coverage:	11.9%
Total number of Nodes:	67
Total number of Limit Nodes:	3

Executed Functions

Function 00510095 Relevance: 6.1, APIs: 4, Instructions: 81
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,61040002,17DDB993,0000000A,?,?,5F327377,00003233), ref: 005100D5
connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 005100E1
recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 005100FC
closesocket.WS2_32(614D6E75,?,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 0051013F

Memory Dump Source

Source File: 00000000.00000002.2933560908.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_reddit.jbxd

Yara matches

Similarity

API ID: Socketclosesocketconnectrecv
String ID:
API String ID: 2083937939-0
Opcode ID: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
Instruction ID: 3fee347e33b87f0ebe5642106a584ec561774f2897cd556e816026c25082c335
Opcode Fuzzy Hash: 84d56f8600d23d128e6293084ea8b9ff6e5c57e2ecd32b084406f59f59bbaeb3
Instruction Fuzzy Hash: 2B11ADB06C029C3EF53022629C4BFFB2D1CEB46BA4F100024BB45EA0C1C9D69DC482FA

Function 00403840 Relevance: 1.3, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2933416770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933461347.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933479737.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933499263.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_reddit.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ceb6121e470dd3cfc2d7d2917fae457fcaf0d6d10cf17591cb545ae1a2ff9fe
Instruction ID: c05b59b9f4d16bb34214b641b6d9fa06ca1f9ade271ab6cde73b9576214de40b
Opcode Fuzzy Hash: 3ceb6121e470dd3cfc2d7d2917fae457fcaf0d6d10cf17591cb545ae1a2ff9fe
Instruction Fuzzy Hash: 4DD0C2672CA205B9E120BC404C86BF60ECC570DB52F24D4B2B30B761C3C2BC0B4220DE

Function 0040384C Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 0040385C

Memory Dump Source

Source File: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2933416770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933461347.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933479737.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933499263.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_reddit.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: db0306e660f09edcc4f5f164cefd3230d4254f124b2ae6d508b866a97e50a146
Instruction ID: 4c74da6d6e42419762f900211d688d1802f97791c277bf9d3c462be40ba0076a
Opcode Fuzzy Hash: db0306e660f09edcc4f5f164cefd3230d4254f124b2ae6d508b866a97e50a146
Instruction Fuzzy Hash: 84C080E56606265FD113E8541CD15D57FDF4A0572234444BFE50187481C65545C3958E

Function 0040385B Relevance: 1.3, APIs: 1, Instructions: 3
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 0040385C

Memory Dump Source

Source File: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2933416770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933461347.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933479737.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933499263.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_reddit.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ba2b6113f8c1361e142327349295ae9b9a32fc9305af006692fd18a4717b3ee3
Instruction ID: aa9c93fac3d8d666de76663d130f4f6789e6514029e2e882532ee80fad553c2d
Opcode Fuzzy Hash: ba2b6113f8c1361e142327349295ae9b9a32fc9305af006692fd18a4717b3ee3
Instruction Fuzzy Hash:

Non-executed Functions

Function 00404823 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933435950.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2933416770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933461347.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933479737.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2933499263.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_reddit.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fd3fa50fbd8cf2bb7474e30977f42a20ef7becb69c517353e431a02ed97b9e
Instruction ID: 499dceeee35c5cbcfd260d2c75f29c8aca30d98019ce3b9202ad5b964b78262f
Opcode Fuzzy Hash: 28fd3fa50fbd8cf2bb7474e30977f42a20ef7becb69c517353e431a02ed97b9e
Instruction Fuzzy Hash: 19017B31A8C2961BD3018A645806D85BFA49B83230F0843BACC91EB3E3C355D45AC3CA

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report reddit.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: reddit.exePID: 3260, Parent PID: 2580

Windows Analysis Report
reddit.exe

Function 00510095 Relevance: 6.1, APIs: 4, Instructions: 81
networkCOMMON

Function 00403840 Relevance: 1.3, APIs: 1, Instructions: 26
COMMON

Function 0040384C Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Function 0040385B Relevance: 1.3, APIs: 1, Instructions: 3
memoryCOMMON