Edit tour
Windows
Analysis Report
beacon_x86.exe
Overview
General Information
| Sample name: | beacon_x86.exe |
| Analysis ID: | 1587368 |
| MD5: | bffe5dbe4d4ececc6652360ce37b8075 |
| SHA1: | 9e3ccfe33a88fd70ba6b5ac8f72b3bc0c760e798 |
| SHA256: | c86426eeb24a042903b302c21513defb1e61535fc008b7c9e847113ddb798666 |
| Tags: | CobaltStrikeexeuser-lontze7 |
| Infos: |  |
 | |
Detection
CobaltStrike
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
beacon_x86.exe (PID: 2952 cmdline: "C:\Users\ user\Deskt op\beacon_ x86.exe" MD5: BFFE5DBE4D4ECECC6652360CE37B8075)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. |
{"BeaconType": ["HTTP"], "Port": 80, "SleepTime": 15024, "MaxGetSize": 3341464, "Jitter": 45, "C2Server": "8.148.6.140,/api/v1/get", "HttpPostUri": "/api/v1/post", "Malleable_C2_Instructions": ["Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%allusersprofile%\\CrashReport\\CrashReport.exe", "Spawnto_x64": "%allusersprofile%\\CrashReport\\CrashReport64.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 666666666, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 10192, "ProcInject_PrependAppend_x86": ["Dx+EAAAAAAAPHwAPH0QAAJAPH4QAAAAAAA==", "Dx9EAAAPH0QAAA8fAA8fgAAAAABmDx9EAABmDx+EAAAAAAAPH0AADx9AAA8fQAA="], "ProcInject_PrependAppend_x64": ["kA8fQAAPH4QAAAAAAGYPH0QAAA8fQAAPH4QAAAAAAJBmDx+EAAAAAAAPH0QAAJAPHwAPH4AAAAAADx9AAA8fQABQWGaQZg8fhAAAAAAAZg8fhAAAAAAADx8A", "Dx+AAAAAAA8fhAAAAAAADx9EAABmDx9EAACQDx9EAAAPH4AAAAAAUFgPH4AAAAAADx8ADx+AAAAAAA8fgAAAAAAPH0AADx8AZg8fRAAADx9EAAAPH4QAAAAAAA8fQACQkA=="], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
| |
| Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown |
| |
| Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown |
| |
| Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
| |
| Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown |
| |
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00D6DF82 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00D64225 | |
| Source: | Code function: | 0_2_00D6970E | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00D61C3F | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00D6C3DF | |
| Source: | Code function: | 0_2_00D6C320 | |
| Source: | Code function: | 0_2_00D6C669 | |
| Source: | Code function: | 0_2_00D63A7E | |
| Source: | Code function: | 0_2_00D840D1 | |
| Source: | Code function: | 0_2_00D848FD | |
| Source: | Code function: | 0_2_00D83828 | |
| Source: | Code function: | 0_2_00D749E9 | |
| Source: | Code function: | 0_2_00D87190 | |
| Source: | Code function: | 0_2_00D86945 | |
| Source: | Code function: | 0_2_00D86BC0 | |
| Source: | Code function: | 0_2_00D86320 | |
| Source: | Code function: | 0_2_00D844DD | |
| Source: | Code function: | 0_2_00D83CFD | |
| Source: | Code function: | 0_2_00D79DDB | |
| Source: | Code function: | 0_2_03E00000 | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00D631CB | |
| Source: | Code function: | 0_2_00D694E3 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00D611D8 | |
| Source: | Code function: | 0_3_00D212F1 | |
| Source: | Code function: | 0_3_00D214D5 | |
| Source: | Code function: | 0_3_00D239FD | |
| Source: | Code function: | 0_3_00D20372 | |
| Source: | Code function: | 0_3_00D24248 | |
| Source: | Code function: | 0_2_00D76ABD | |
| Source: | Code function: | 0_2_00D7A3FC | |
| Source: | Code function: | 0_2_00D775D7 | |
| Source: | Decision node followed by non-executed suspicious API: | graph_0-21391 | ||
| Source: | Evasive API call chain: | graph_0-21163 | ||
| Source: | Evasive API call chain: | graph_0-20848 | ||
| Source: | API coverage: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00D64225 | |
| Source: | Code function: | 0_2_00D6970E | |
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-21023 | ||
| Source: | Code function: | 0_2_00D7768B | |
| Source: | Code function: | 0_2_00D88375 | |
| Source: | Code function: | 0_2_00D611D8 | |
| Source: | Code function: | 0_3_00D29FDE | |
| Source: | Code function: | 0_3_00D2ACAE | |
| Source: | Code function: | 0_2_00D681C2 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_0040116C | |
| Source: | Code function: | 0_2_00401A5C | |
| Source: | Code function: | 0_2_00401A60 | |
| Source: | Code function: | 0_2_00401160 | |
| Source: | Code function: | 0_2_004013C1 | |
| Source: | Code function: | 0_2_004011A3 | |
| Source: | Code function: | 0_2_00D81950 | |
| Source: | Code function: | 0_2_00D7F331 | |
| Source: | Code function: | 0_2_00D7B4B2 | |
| Source: | Code function: | 0_2_00D6D272 | |
| Source: | Code function: | 0_2_00D6D442 | |
| Source: | Code function: | 0_2_00D84EF0 | |
| Source: | Code function: | 0_2_0040161C | |
| Source: | Code function: | 0_2_004019A0 | |
| Source: | Code function: | 0_2_00D66F09 | |
| Source: | Code function: | 0_2_00D66F09 | |
| Source: | Key value queried: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00D675B7 | |
| Source: | Code function: | 0_2_00D6DDB3 | |
| Source: | Code function: | 0_2_00D67699 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 2 Valid Accounts | 2 Valid Accounts | 2 Valid Accounts | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 21 Access Token Manipulation | 21 Access Token Manipulation | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Process Injection | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | 111 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 14 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 79% | Virustotal | Browse | ||
| 95% | ReversingLabs | Win32.Trojan.CobaltStrike | ||
| 100% | Avira | HEUR/AGEN.1344233 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 8.148.6.140 | unknown | Singapore | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1587368 |
| Start date and time: | 2025-01-10 09:32:22 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 0s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | beacon_x86.exe |
| Detection: | MAL |
| Classification: | mal92.troj.winEXE@1/0@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 8.148.6.140 | Get hash | malicious | CobaltStrike | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | Get hash | malicious | CobaltStrike | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | CobaltStrike, Metasploit | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.777438348295706 |
| TrID: |
|
| File name: | beacon_x86.exe |
| File size: | 324'096 bytes |
| MD5: | bffe5dbe4d4ececc6652360ce37b8075 |
| SHA1: | 9e3ccfe33a88fd70ba6b5ac8f72b3bc0c760e798 |
| SHA256: | c86426eeb24a042903b302c21513defb1e61535fc008b7c9e847113ddb798666 |
| SHA512: | a57a54cdc9411288b0058d90bd942c8954c40e184be11e8d4296355466f466bba111d845a3b906835f3755e204e7d7fe0977b9da989ea2050040654fa66019d3 |
| SSDEEP: | 6144:E1Qdv/pgihi5cFPr8OstxsUvuTHNPbNKuXjlM6SKj:Wi/pgOYXOtpHNPbNlXjqe |
| TLSH: | 0864CF6FA432C8E7C8FD71F01AC763AFA5AE127C5885CA7AD74EF094F421B045E84592 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................".....................0....@..........................@................ ............................ |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x4014a0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x401b40, 0x401af0 |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f6243a15fa8eee8ee96b5e1144d461f6 |
| Instruction |
|---|
| sub esp, 0Ch |
| mov dword ptr [00450394h], 00000001h |
| call 00007F195CE92263h |
| add esp, 0Ch |
| jmp 00007F195CE91A1Bh |
| lea esi, dword ptr [esi+00000000h] |
| sub esp, 0Ch |
| mov dword ptr [00450394h], 00000000h |
| call 00007F195CE92243h |
| add esp, 0Ch |
| jmp 00007F195CE919FBh |
| lea esi, dword ptr [esi+00000000h] |
| sub esp, 1Ch |
| mov eax, dword ptr [esp+20h] |
| mov dword ptr [esp], eax |
| call 00007F195CE931EAh |
| test eax, eax |
| sete al |
| add esp, 1Ch |
| movzx eax, al |
| neg eax |
| ret |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| sub esp, 18h |
| mov dword ptr [esp], 00401520h |
| call 00007F195CE91D43h |
| leave |
| ret |
| lea esi, dword ptr [esi+00000000h] |
| lea esi, dword ptr [esi+00h] |
| nop |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| pop ebp |
| jmp eax |
| push ebp |
| mov edx, dword ptr [0040302Ch] |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| test edx, edx |
| jle 00007F195CE91D93h |
| cmp dword ptr [00403030h], 00000000h |
| jle 00007F195CE91D8Ah |
| mov ecx, dword ptr [00451148h] |
| mov dword ptr [eax+edx], ecx |
| mov ecx, dword ptr [0045114Ch] |
| mov edx, dword ptr [00403030h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51000 | 0x644 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x4f030 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x5111c | 0xe0 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1a44 | 0x1c00 | 78084e5ca85835392a463f62abd5746c | False | 0.5334821428571429 | data | 5.700340700341032 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x3000 | 0x4bc6c | 0x4be00 | d09fab49fa7c820bc22a7bf525cb270c | False | 0.5702063169275123 | dBase III DBT, version number 0, next free block index 10, 1st item "\340\334\253\212\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+#\346\334\017\220\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334+\223\344\334\037\313\210\227E\277\344\334\376\002\346\334+\203\344\334+\001\346\334+\227\344\334+\223\344\334+\223\344\334+\223\344\334\013\223\344\274\037" | 6.802458719813997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x4f000 | 0x634 | 0x800 | 667441c840a2c3ea7e1291acd47bf4c5 | False | 0.2275390625 | data | 4.495993508967327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x50000 | 0x428 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x51000 | 0x644 | 0x800 | 7d72908e4c68f22d444c4e664d88dda3 | False | 0.3544921875 | data | 4.2935353496828945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x52000 | 0x34 | 0x200 | a09a5f5fb4593e99cd0076e5f2fcec2e | False | 0.072265625 | Matlab v4 mat-file (little endian) \200\031@, numeric, rows 4198688, columns 0 | 0.2711142780062829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x53000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, ReadFile, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile |
| msvcrt.dll | __getmainargs, __initenv, __lconv_init, __p__acmdln, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, _iob, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 09:33:14.741468906 CET | 49704 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:14.746558905 CET | 80 | 49704 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:14.746654034 CET | 49704 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:14.746783972 CET | 49704 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:14.751660109 CET | 80 | 49704 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:15.723031998 CET | 80 | 49704 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:15.723054886 CET | 80 | 49704 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:15.723104000 CET | 49704 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:15.723151922 CET | 49704 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:15.724241972 CET | 49704 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:15.729049921 CET | 80 | 49704 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:27.197143078 CET | 49705 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:27.202027082 CET | 80 | 49705 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:27.202100039 CET | 49705 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:27.206543922 CET | 49705 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:27.211359978 CET | 80 | 49705 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:28.167161942 CET | 80 | 49705 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:28.167187929 CET | 80 | 49705 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:28.167346954 CET | 49705 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:28.167346954 CET | 49705 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:28.167457104 CET | 49705 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:28.172367096 CET | 80 | 49705 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:43.110169888 CET | 49786 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:43.116633892 CET | 80 | 49786 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:43.116796017 CET | 49786 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:43.116868973 CET | 49786 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:43.121926069 CET | 80 | 49786 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:53.089167118 CET | 80 | 49786 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:53.089258909 CET | 49786 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:53.089340925 CET | 80 | 49786 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:53.089356899 CET | 80 | 49786 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:33:53.089538097 CET | 49786 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:53.089538097 CET | 49786 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:53.089554071 CET | 49786 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:33:53.094350100 CET | 80 | 49786 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:01.532318115 CET | 49902 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:01.538027048 CET | 80 | 49902 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:01.538142920 CET | 49902 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:01.538283110 CET | 49902 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:01.545789003 CET | 80 | 49902 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:02.534269094 CET | 80 | 49902 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:02.534312963 CET | 80 | 49902 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:02.534363031 CET | 49902 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:02.534420967 CET | 49902 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:02.535289049 CET | 49902 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:02.540169954 CET | 80 | 49902 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:13.596132994 CET | 49979 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:13.603368998 CET | 80 | 49979 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:13.603471041 CET | 49979 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:13.603579998 CET | 49979 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:13.610373020 CET | 80 | 49979 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:14.582881927 CET | 80 | 49979 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:14.582906008 CET | 80 | 49979 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:14.582984924 CET | 49979 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:14.583014011 CET | 49979 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:14.583213091 CET | 49979 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:14.588042021 CET | 80 | 49979 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:28.875695944 CET | 49980 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:28.880768061 CET | 80 | 49980 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:28.880867958 CET | 49980 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:28.881055117 CET | 49980 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:28.885910034 CET | 80 | 49980 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:29.857074976 CET | 80 | 49980 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:29.857170105 CET | 80 | 49980 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:29.857207060 CET | 80 | 49980 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:29.857393980 CET | 49980 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:29.857394934 CET | 49980 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:29.857583046 CET | 49980 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:29.862680912 CET | 80 | 49980 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:41.532005072 CET | 49982 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:41.537147999 CET | 80 | 49982 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:41.537275076 CET | 49982 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:41.537434101 CET | 49982 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:41.542279959 CET | 80 | 49982 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:42.526767969 CET | 80 | 49982 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:42.526854038 CET | 49982 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:42.526874065 CET | 80 | 49982 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:42.526918888 CET | 49982 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:42.529597998 CET | 49982 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:42.534514904 CET | 80 | 49982 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:56.219410896 CET | 49983 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:56.224865913 CET | 80 | 49983 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:56.224965096 CET | 49983 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:56.225063086 CET | 49983 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:56.229918003 CET | 80 | 49983 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:57.190067053 CET | 80 | 49983 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:57.190176964 CET | 80 | 49983 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:34:57.190387011 CET | 49983 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:57.190387011 CET | 49983 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:57.190491915 CET | 49983 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:34:57.195509911 CET | 80 | 49983 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:07.953865051 CET | 49984 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:07.959166050 CET | 80 | 49984 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:07.959280014 CET | 49984 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:07.959367037 CET | 49984 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:07.964194059 CET | 80 | 49984 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:08.935903072 CET | 80 | 49984 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:08.935966015 CET | 80 | 49984 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:08.936000109 CET | 80 | 49984 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:08.936041117 CET | 49984 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:08.936042070 CET | 49984 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:08.936131954 CET | 49984 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:08.936280966 CET | 49984 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:08.941191912 CET | 80 | 49984 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:23.510116100 CET | 49985 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:23.515228987 CET | 80 | 49985 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:23.515315056 CET | 49985 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:23.515551090 CET | 49985 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:23.521147013 CET | 80 | 49985 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:24.504993916 CET | 80 | 49985 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:24.505153894 CET | 80 | 49985 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:24.505187988 CET | 49985 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:24.505289078 CET | 49985 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:37.859551907 CET | 49985 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:37.859925032 CET | 49986 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:37.864607096 CET | 80 | 49985 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:37.864943027 CET | 80 | 49986 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:37.865081072 CET | 49986 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:37.865269899 CET | 49986 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:37.870114088 CET | 80 | 49986 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:39.461031914 CET | 80 | 49986 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:39.461090088 CET | 80 | 49986 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:39.461198092 CET | 49986 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:39.461424112 CET | 49986 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:39.466249943 CET | 80 | 49986 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:53.344727993 CET | 49987 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:53.349769115 CET | 80 | 49987 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:53.349895954 CET | 49987 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:53.350166082 CET | 49987 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:53.354962111 CET | 80 | 49987 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:54.346221924 CET | 80 | 49987 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:54.346281052 CET | 80 | 49987 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:35:54.346582890 CET | 49987 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:54.346582890 CET | 49987 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:54.346729040 CET | 49987 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:35:54.351588011 CET | 80 | 49987 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:08.906637907 CET | 49988 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:08.911773920 CET | 80 | 49988 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:08.911864042 CET | 49988 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:08.911976099 CET | 49988 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:08.916862965 CET | 80 | 49988 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:09.860977888 CET | 80 | 49988 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:09.861033916 CET | 80 | 49988 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:09.861068010 CET | 49988 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:09.861093044 CET | 49988 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:09.861226082 CET | 49988 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:09.866003990 CET | 80 | 49988 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:18.563385963 CET | 49989 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:18.568629026 CET | 80 | 49989 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:18.568744898 CET | 49989 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:18.569010973 CET | 49989 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:18.573852062 CET | 80 | 49989 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:19.533714056 CET | 80 | 49989 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:19.533763885 CET | 80 | 49989 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:19.533796072 CET | 80 | 49989 | 8.148.6.140 | 192.168.2.5 |
| Jan 10, 2025 09:36:19.533793926 CET | 49989 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:19.533884048 CET | 49989 | 80 | 192.168.2.5 | 8.148.6.140 |
| Jan 10, 2025 09:36:19.533884048 CET | 49989 | 80 | 192.168.2.5 | 8.148.6.140 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:33:14.746783972 CET | 544 | OUT | |
| Jan 10, 2025 09:33:15.723031998 CET | 529 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49705 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:33:27.206543922 CET | 544 | OUT | |
| Jan 10, 2025 09:33:28.167161942 CET | 505 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49786 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:33:43.116868973 CET | 544 | OUT | |
| Jan 10, 2025 09:33:53.089167118 CET | 185 | IN | |
| Jan 10, 2025 09:33:53.089340925 CET | 300 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49902 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:34:01.538283110 CET | 544 | OUT | |
| Jan 10, 2025 09:34:02.534269094 CET | 421 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49979 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:34:13.603579998 CET | 544 | OUT | |
| Jan 10, 2025 09:34:14.582881927 CET | 377 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49980 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:34:28.881055117 CET | 544 | OUT | |
| Jan 10, 2025 09:34:29.857074976 CET | 185 | IN | |
| Jan 10, 2025 09:34:29.857170105 CET | 236 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49982 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:34:41.537434101 CET | 544 | OUT | |
| Jan 10, 2025 09:34:42.526767969 CET | 337 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49983 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:34:56.225063086 CET | 544 | OUT | |
| Jan 10, 2025 09:34:57.190067053 CET | 272 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.5 | 49984 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:35:07.959367037 CET | 544 | OUT | |
| Jan 10, 2025 09:35:08.935903072 CET | 184 | IN | |
| Jan 10, 2025 09:35:08.935966015 CET | 88 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 9 | 192.168.2.5 | 49985 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:35:23.515551090 CET | 544 | OUT | |
| Jan 10, 2025 09:35:24.504993916 CET | 337 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 10 | 192.168.2.5 | 49986 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:35:37.865269899 CET | 544 | OUT | |
| Jan 10, 2025 09:35:39.461031914 CET | 421 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 11 | 192.168.2.5 | 49987 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:35:53.350166082 CET | 544 | OUT | |
| Jan 10, 2025 09:35:54.346221924 CET | 377 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 12 | 192.168.2.5 | 49988 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:36:08.911976099 CET | 544 | OUT | |
| Jan 10, 2025 09:36:09.860977888 CET | 505 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 13 | 192.168.2.5 | 49989 | 8.148.6.140 | 80 | 2952 | C:\Users\user\Desktop\beacon_x86.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 09:36:18.569010973 CET | 544 | OUT | |
| Jan 10, 2025 09:36:19.533714056 CET | 185 | IN | |
| Jan 10, 2025 09:36:19.533763885 CET | 216 | IN |
| Target ID: | 0 |
| Start time: | 03:33:13 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\beacon_x86.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 324'096 bytes |
| MD5 hash: | BFFE5DBE4D4ECECC6652360CE37B8075 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 4.6% |
| Dynamic/Decrypted Code Coverage: | 88.8% |
| Signature Coverage: | 13.9% |
| Total number of Nodes: | 747 |
| Total number of Limit Nodes: | 20 |
Graph
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D61C3F Relevance: 16.7, APIs: 11, Instructions: 186networkfileCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6DF82 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44encryptionCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 03E00000 Relevance: 1.4, APIs: 1, Instructions: 133sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401805 Relevance: 21.0, APIs: 3, Strings: 9, Instructions: 31threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D67E51 Relevance: 9.1, APIs: 6, Instructions: 113networkCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040156C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47memorythreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D8511C Relevance: 6.1, APIs: 4, Instructions: 93memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401296 Relevance: 5.1, APIs: 4, Instructions: 79stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004013B3 Relevance: 5.1, APIs: 4, Instructions: 65stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D61F1B Relevance: 4.6, APIs: 3, Instructions: 68networkCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401700 Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004017AC Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 26sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6173C Relevance: 3.1, APIs: 2, Instructions: 115networkCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D61E6E Relevance: 3.0, APIs: 2, Instructions: 50networkCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00D69802 Relevance: 1.6, APIs: 1, Instructions: 70memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D72EF7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2A99E Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00D7968A Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2A89E Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004029E0 Relevance: 1.3, APIs: 1, Instructions: 14sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D694E3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 157processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6970E Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D7F331 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D67699 Relevance: 9.1, APIs: 6, Instructions: 68networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D675B7 Relevance: 9.1, APIs: 6, Instructions: 54networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A60 Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A5C Relevance: 7.5, APIs: 5, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6DDB3 Relevance: 7.5, APIs: 5, Instructions: 45networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6D272 Relevance: 6.1, APIs: 4, Instructions: 94COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6C320 Relevance: 6.1, APIs: 4, Instructions: 68memorynativeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6C669 Relevance: 6.1, APIs: 4, Instructions: 66threadnativeinjectionCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6C3DF Relevance: 6.1, APIs: 4, Instructions: 63memorynativeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D611D8 Relevance: 4.6, APIs: 3, Instructions: 131libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D631CB Relevance: 4.6, APIs: 3, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D63A7E Relevance: 4.6, APIs: 3, Instructions: 65processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6D442 Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D87190 Relevance: .4, Instructions: 435COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D86BC0 Relevance: .4, Instructions: 406COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D848FD Relevance: .4, Instructions: 384COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D844DD Relevance: .4, Instructions: 378COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D840D1 Relevance: .4, Instructions: 361COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D83CFD Relevance: .4, Instructions: 351COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D29FDE Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00D2ACAE Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00D749E9 Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D86945 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D67B1A Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 210networkCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D61962 Relevance: 16.7, APIs: 11, Instructions: 196networksleepCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6C15B Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D67919 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6D114 Relevance: 13.6, APIs: 9, Instructions: 122COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124filememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402110 Relevance: 12.1, APIs: 8, Instructions: 90COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6D65A Relevance: 10.6, APIs: 7, Instructions: 81COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D67853 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59networksleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6360A Relevance: 9.1, APIs: 6, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6CF65 Relevance: 9.1, APIs: 6, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D63870 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 184processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D63763 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D62927 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D608D3 Relevance: 7.6, APIs: 5, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D661C8 Relevance: 7.6, APIs: 5, Instructions: 62pipeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6DC6F Relevance: 7.5, APIs: 5, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D77722 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6B0FD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6CA6F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D63CCD Relevance: 6.1, APIs: 4, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D62F99 Relevance: 6.1, APIs: 4, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D7822F Relevance: 6.1, APIs: 4, Instructions: 137COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D656BF Relevance: 6.1, APIs: 4, Instructions: 111sleeplibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D66303 Relevance: 6.1, APIs: 4, Instructions: 106sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D65C20 Relevance: 6.1, APIs: 4, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D684FD Relevance: 6.1, APIs: 4, Instructions: 91threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D66017 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D622EC Relevance: 6.1, APIs: 4, Instructions: 76synchronizationpipeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6013A Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6B8C3 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6CE47 Relevance: 6.0, APIs: 4, Instructions: 46sleepsynchronizationthreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6D0A1 Relevance: 6.0, APIs: 4, Instructions: 42threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6DD4F Relevance: 6.0, APIs: 4, Instructions: 40networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6BF6B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D6C492 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D87DF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004022C0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|