Edit tour
Windows
Analysis Report
mark_v7.exe
Overview
General Information
| Sample name: | mark_v7.exe |
| Analysis ID: | 1580601 |
| MD5: | 53c8388962d7d25bfd57ddda57097212 |
| SHA1: | a20d210fd3c0d006289025ccaa2f08a2b3d4fc0b |
| SHA256: | f35a62dc13fd9fc4707aac5039481f28c94ef217694df7ab8ea567a5d08ba920 |
| Tags: | exemalwaretrojanuser-Joker |
| Infos: |  |
 | |
Detection
| Score: | 68 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
Sigma detected: Communication To Uncommon Destination Ports
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
mark_v7.exe (PID: 3884 cmdline: "C:\Users\ user\Deskt op\mark_v7 .exe" MD5: 53C8388962D7D25BFD57DDDA57097212) 
conhost.exe (PID: 4152 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-25T12:01:57.759310+0100 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49699 | 167.99.31.61 | 8080 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-25T12:01:57.759310+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49699 | 167.99.31.61 | 8080 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6A4F64178 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00007FF6A4F54910 | |
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00007FF6A4F55E50 | |
| Source: | Code function: | 0_2_00007FF6A4F54910 | |
| Source: | Code function: | 0_2_00007FF6A4F67F10 | |
| Source: | Code function: | 0_2_00007FF6A4F6CD58 | |
| Source: | Code function: | 0_2_00007FF6A4F62DDC | |
| Source: | Code function: | 0_2_00007FF6A4F5E8D8 | |
| Source: | Code function: | 0_2_00007FF6A4F5D7E4 | |
| Source: | Code function: | 0_2_00007FF6A4F62948 | |
| Source: | Code function: | 0_2_00007FF6A4F64178 | |
| Source: | Code function: | 0_2_00007FF6A4F5D9E8 | |
| Source: | Code function: | 0_2_00007FF6A4F55450 | |
| Source: | Code function: | 0_2_00007FF6A4F6345C | |
| Source: | Code function: | 0_2_00007FF6A4F60494 | |
| Source: | Code function: | 0_2_00007FF6A4F683AC | |
| Source: | Code function: | 0_2_00007FF6A4F5E3B8 | |
| Source: | Code function: | 0_2_00007FF6A4F5DBEC | |
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF6A4F543F0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_00007FF6A4F64178 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF6A4F60C64 | |
| Source: | Code function: | 0_2_00007FF6A4F6685C | |
| Source: | Code function: | 0_2_00007FF6A4F59D44 | |
| Source: | Code function: | 0_2_00007FF6A4F60C64 | |
| Source: | Code function: | 0_2_00007FF6A4F5A4E8 | |
| Source: | Code function: | 0_2_00007FF6A4F5A344 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_00007FF6A4F55450 | |
| Source: | Code function: | 0_2_00007FF6A4F6CBA0 | |
| Source: | Code function: | 0_2_00007FF6A4F5A224 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 34% | Virustotal | Browse | ||
| 24% | ReversingLabs | |||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| vpn.reconix.co | 167.99.31.61 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 167.99.31.61 | vpn.reconix.co | United States | 14061 | DIGITALOCEAN-ASNUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1580601 |
| Start date and time: | 2024-12-25 12:01:06 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | mark_v7.exe |
| Detection: | MAL |
| Classification: | mal68.evad.winEXE@2/1@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197, 172.202.163.200
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| DIGITALOCEAN-ASNUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\mark_v7.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 95 |
| Entropy (8bit): | 4.682785614283304 |
| Encrypted: | false |
| SSDEEP: | 3:12OE4VbAZEkMJQXkyfnOBFReDRF2Iv:0Ovb+E3okQK0Rrv |
| MD5: | D5285F4EE776789D007ECF657E651AE2 |
| SHA1: | F26C7502EFE3FEB19D7A95D6257C2B2EACA8F3B0 |
| SHA-256: | 7EEBC929D33573533AA6C33CF5400E6A973B2CC22CF8E119BACF3F82E85398DC |
| SHA-512: | 1BD8833C7F02DDD3C70383EE4E6C6486F2515502AE0C751FEC1431FAF285BD963EA36AAA324246E9CF83CC2E421B6B2B1BB10BAB74BEF34B4741D7B8C79A5EDB |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.944520754604166 |
| TrID: |
|
| File name: | mark_v7.exe |
| File size: | 224'768 bytes |
| MD5: | 53c8388962d7d25bfd57ddda57097212 |
| SHA1: | a20d210fd3c0d006289025ccaa2f08a2b3d4fc0b |
| SHA256: | f35a62dc13fd9fc4707aac5039481f28c94ef217694df7ab8ea567a5d08ba920 |
| SHA512: | b59287be8eeb663b7f6ee835325714775a495ca5d37a0cbe452f1a461cb4992e076e541cd8553be5fc846f91105e2fdae69bfccc82173b8dd06f90e493a707e8 |
| SSDEEP: | 3072:sQ+3DUdFE4tZnITe3DpQx6H/nps/wrZ91rlKJIUgN:fnoezpThywrP1UgN |
| TLSH: | F724810AA2DC7CE9C1B2C275A73687E4E32AFC118275C74E16C41356DEBE152BD25BE0 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P@...!...!...!.._Y...!.._Y...!.._Y...!.._Y...!...!..}!.......!.......!......<!.......!.......!....J..!...!"..!.......!..Rich.!. |
 | |
| Icon Hash: | 0d35784d5b5b4531 |
| Entrypoint: | 0x140009d30 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x676B76BE [Wed Dec 25 03:06:38 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 7328d481aa902ed47f38a690392dd326 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F0C38AB0E00h |
| dec eax |
| add esp, 28h |
| jmp 00007F0C38AB0787h |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| xor ecx, ecx |
| call dword ptr [0001534Bh] |
| dec eax |
| mov ecx, ebx |
| call dword ptr [0001533Ah] |
| call dword ptr [00015344h] |
| dec eax |
| mov ecx, eax |
| mov edx, C0000409h |
| dec eax |
| add esp, 20h |
| pop ebx |
| dec eax |
| jmp dword ptr [00015338h] |
| dec eax |
| mov dword ptr [esp+08h], ecx |
| dec eax |
| sub esp, 38h |
| mov ecx, 00000017h |
| call dword ptr [0001532Ch] |
| test eax, eax |
| je 00007F0C38AB0919h |
| mov ecx, 00000002h |
| int 29h |
| dec eax |
| lea ecx, dword ptr [00021212h] |
| call 00007F0C38AB0AE2h |
| dec eax |
| mov eax, dword ptr [esp+38h] |
| dec eax |
| mov dword ptr [000212F9h], eax |
| dec eax |
| lea eax, dword ptr [esp+38h] |
| dec eax |
| add eax, 08h |
| dec eax |
| mov dword ptr [00021289h], eax |
| dec eax |
| mov eax, dword ptr [000212E2h] |
| dec eax |
| mov dword ptr [00021153h], eax |
| dec eax |
| mov eax, dword ptr [esp+40h] |
| dec eax |
| mov dword ptr [00021257h], eax |
| mov dword ptr [0002112Dh], C0000409h |
| mov dword ptr [00021127h], 00000001h |
| mov dword ptr [00021131h], 00000001h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29184 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d000 | 0xb620 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3b000 | 0x13e0 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x49000 | 0xa98 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x27810 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x276d0 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x2e0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1d4c0 | 0x1d600 | c60d10abbd31f4864dfaca5adc5ddbe2 | False | 0.5114611037234043 | data | 6.343624939363486 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1f000 | 0xab46 | 0xac00 | cafea274428c3924cc41fee78ef5befe | False | 0.4578034156976744 | OpenPGP Secret Key Version 2 | 5.017051968584822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2a000 | 0x10120 | 0x1000 | 0b65c312d085056333aa7b0fc6995082 | False | 0.2177734375 | data | 2.9682242461520474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x3b000 | 0x13e0 | 0x1400 | 3e044d51ee287a858396c4baa0314942 | False | 0.491015625 | PEX Binary Archive | 5.239721566095961 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x3d000 | 0xb620 | 0xb800 | e02ed0ed9c63f07b3046ab09986bb162 | False | 0.1734672214673913 | data | 3.8871426586005673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x49000 | 0xa98 | 0xc00 | ce74d870bb09d0ebaa08d8ba431a9b32 | False | 0.6520182291666666 | data | 5.750710658448876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x3d270 | 0xb13 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8867724867724868 |
| RT_ICON | 0x3dd88 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.10341151385927505 |
| RT_ICON | 0x3ec30 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.12229241877256318 |
| RT_ICON | 0x3f4d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.11416184971098266 |
| RT_ICON | 0x3fa40 | 0xc4a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9164017800381437 |
| RT_ICON | 0x40690 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.03672649976381672 |
| RT_ICON | 0x448b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.04854771784232365 |
| RT_ICON | 0x46e60 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.0698874296435272 |
| RT_ICON | 0x47f08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.1400709219858156 |
| RT_GROUP_ICON | 0x48370 | 0x84 | data | English | United States | 0.6590909090909091 |
| RT_MANIFEST | 0x483f8 | 0x224 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators | English | United States | 0.531021897810219 |
| DLL | Import |
|---|---|
| WININET.dll | InternetReadFile, InternetSetOptionW, InternetCloseHandle, InternetOpenW, InternetOpenUrlW |
| KERNEL32.dll | RtlPcToFileHeader, WriteConsoleW, CreateFileW, HeapReAlloc, GetModuleHandleA, LoadLibraryA, lstrcmpiA, CreateRemoteThreadEx, WriteProcessMemory, WaitForSingleObject, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, CloseHandle, VirtualAllocEx, GetThreadId, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, HeapSize, RtlUnwindEx, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-25T12:01:57.759310+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49699 | 167.99.31.61 | 8080 | TCP |
| 2024-12-25T12:01:57.759310+0100 | 2012736 | ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin | 1 | 192.168.2.6 | 49699 | 167.99.31.61 | 8080 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 25, 2024 12:01:55.054814100 CET | 49699 | 8080 | 192.168.2.6 | 167.99.31.61 |
| Dec 25, 2024 12:01:55.174252987 CET | 8080 | 49699 | 167.99.31.61 | 192.168.2.6 |
| Dec 25, 2024 12:01:55.174369097 CET | 49699 | 8080 | 192.168.2.6 | 167.99.31.61 |
| Dec 25, 2024 12:01:55.182706118 CET | 49699 | 8080 | 192.168.2.6 | 167.99.31.61 |
| Dec 25, 2024 12:01:55.302211046 CET | 8080 | 49699 | 167.99.31.61 | 192.168.2.6 |
| Dec 25, 2024 12:01:57.759211063 CET | 8080 | 49699 | 167.99.31.61 | 192.168.2.6 |
| Dec 25, 2024 12:01:57.759310007 CET | 49699 | 8080 | 192.168.2.6 | 167.99.31.61 |
| Dec 25, 2024 12:01:57.759485006 CET | 49699 | 8080 | 192.168.2.6 | 167.99.31.61 |
| Dec 25, 2024 12:01:57.879153013 CET | 8080 | 49699 | 167.99.31.61 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 25, 2024 12:01:54.718370914 CET | 49195 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 25, 2024 12:01:55.046338081 CET | 53 | 49195 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 25, 2024 12:01:54.718370914 CET | 192.168.2.6 | 1.1.1.1 | 0xa8 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 25, 2024 12:01:55.046338081 CET | 1.1.1.1 | 192.168.2.6 | 0xa8 | No error (0) | 167.99.31.61 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49699 | 167.99.31.61 | 8080 | 3884 | C:\Users\user\Desktop\mark_v7.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 25, 2024 12:01:55.182706118 CET | 101 | OUT |
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 06:01:52 |
| Start date: | 25/12/2024 |
| Path: | C:\Users\user\Desktop\mark_v7.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a4f50000 |
| File size: | 224'768 bytes |
| MD5 hash: | 53C8388962D7D25BFD57DDDA57097212 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 06:01:52 |
| Start date: | 25/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 3.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 19.1% |
| Total number of Nodes: | 446 |
| Total number of Limit Nodes: | 13 |
Graph
Function 00007FF6A4F54910 Relevance: 44.4, APIs: 14, Strings: 11, Instructions: 624networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F6799C Relevance: 6.2, APIs: 4, Instructions: 218COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F674EC Relevance: 3.1, APIs: 2, Instructions: 74fileCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F55450 Relevance: 30.3, APIs: 6, Strings: 11, Instructions: 560memoryinjectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F683AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F543F0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 311processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F60C64 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5A224 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F67F10 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F6CD58 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F62DDC Relevance: 2.6, Strings: 2, Instructions: 144COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F62948 Relevance: 1.5, Strings: 1, Instructions: 254COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5E3B8 Relevance: 1.5, Strings: 1, Instructions: 250COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F60494 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F6CBA0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5A4E8 Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5BC70 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F61140 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5AF24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F621E8 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F6C568 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F62360 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F60160 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F6C9A0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F62428 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5A8B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5C140 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5C4F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F67074 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F6770C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6A4F5CF98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|