Edit tour

Windows Analysis Report
2mtls.exe

Overview

General Information

Sample name:	2mtls.exe
Analysis ID:	1645394
MD5:	17af646cfbb7fcfe4f0f6dbcfc2e31dd
SHA1:	8f8423ec26ccb310950cfd30f705ea211ca5c237
SHA256:	a51690b6e1169a25bac4c016343ede9b47032e31e93508aa78f9499bec49ecb4
Infos:

Detection

Sliver

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Sliver Implants

Joe Sandbox ML detected suspicious sample

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Installs a raw input device (often for capturing keystrokes)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Classification

Process Tree

System is w10x64_ra

2mtls.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\2mtls.exe" MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)

cmd.exe (PID: 2024 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

2mtls.exe (PID: 4732 cmdline: 2mtls.exe MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)

2mtls.exe (PID: 3928 cmdline: 2mtls.exe /? MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)

2mtls.exe (PID: 4916 cmdline: 2mtls.exe -? MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Sliver	According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.	No Attribution	https://asec.ahnlab.com/en/47088/ https://asec.ahnlab.com/en/55652/ https://asec.ahnlab.com/en/56941/ https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2mtls.exe	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
2mtls.exe	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbb5424:$a1: ).RequestResend 0xba979d:$a2: ).GetPrivInfo
2mtls.exe	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x928a55:$s3: .WGTCPForwarder 0x929fb6:$s3: .WGTCPForwarder 0x92c595:$s3: .WGTCPForwarder 0x92d0bf:$s3: .WGTCPForwarder 0x92fc2b:$s3: .WGTCPForwarder 0x930b29:$s3: .WGTCPForwarder 0x9247e4:$s6: .BackdoorReq 0x9289bf:$s7: .ProcessDumpReq 0x92c186:$s8: .InvokeSpawnDllReq 0x920ac7:$s9: .SpawnDll 0x924902:$s9: .SpawnDll

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x72e24:$a1: ).RequestResend 0x6719d:$a2: ).GetPrivInfo
00000000.00000000.1142229569.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Process Memory Space: 2mtls.exe PID: 6284	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Process Memory Space: 2mtls.exe PID: 6284	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x5456c:$a1: ).RequestResend 0x89b5a:$a1: ).RequestResend 0x488e5:$a2: ).GetPrivInfo 0x7e506:$a2: ).GetPrivInfo
Process Memory Space: 2mtls.exe PID: 3928	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.2mtls.exe.660000.0.unpack	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbb5424:$a1: ).RequestResend 0xba979d:$a2: ).GetPrivInfo
0.0.2mtls.exe.660000.0.unpack	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x928a55:$s3: .WGTCPForwarder 0x929fb6:$s3: .WGTCPForwarder 0x92c595:$s3: .WGTCPForwarder 0x92d0bf:$s3: .WGTCPForwarder 0x92fc2b:$s3: .WGTCPForwarder 0x930b29:$s3: .WGTCPForwarder 0x9247e4:$s6: .BackdoorReq 0x9289bf:$s7: .ProcessDumpReq 0x92c186:$s8: .InvokeSpawnDllReq 0x920ac7:$s9: .SpawnDll 0x924902:$s9: .SpawnDll

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 2mtls.exe	Virustotal: Detection: 70%			Perma Link
Source: 2mtls.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.8% probability

Source: 2mtls.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.16:49697 -> 45.61.169.127:8443

Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.169.127

Source: 2mtls.exe, 00000000.00000002.2404113576.000000C000194000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_bbaebb25-c

System Summary

Malicious sample detected (through community Yara rule)

Source: 2mtls.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 2mtls.exe, type: SAMPLE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown

Source: 2mtls.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 2mtls.exe, type: SAMPLE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14

Source: classification engine

Classification label: mal68.troj.winEXE@9/0@0/1

Source: C:\Users\user\Desktop\2mtls.exe	File opened: C:\Windows\system32\3506369760cf325c99ab966f5dc8d1b439595726d411e078c7e7b9e1fdc922b0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	File opened: C:\Windows\system32\bbdff84da87860b9c50d3b92ea108440b10a50f6bcbc1c43f2f684601100f505AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	File opened: C:\Windows\system32\ad9eb333d06103b2b4895ece4d79c68b1c3607c831a356d3f18b2658e12c3b42AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	File opened: C:\Windows\system32\7afc84950546fbb0b05d23eaf7b897b9ee57badfbf3808314923af4785b21a3eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior

Source: 2mtls.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2mtls.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2mtls.exe	Virustotal: Detection: 70%
Source: 2mtls.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\2mtls.exe

File read: C:\Users\user\Desktop\2mtls.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2mtls.exe "C:\Users\user\Desktop\2mtls.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe /?
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe -?
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe /?	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe -?	Jump to behavior

Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: mswsock.dll	Jump to behavior

Source: 2mtls.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2mtls.exe

Static file information: File size 15661568 > 1048576

Source: 2mtls.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x90c000
Source: 2mtls.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x57a400

Source: 2mtls.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2mtls.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\2mtls.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 2mtls.exe, 00000010.00000002.2406057637.00000222D1D75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2mtls.exe, 00000000.00000002.2407699721.000001F98DCFC000.00000004.00000020.00020000.00000000.sdmp, 2mtls.exe, 0000000E.00000002.2406118928.0000027FED1B3000.00000004.00000020.00020000.00000000.sdmp, 2mtls.exe, 0000000F.00000002.2406375017.0000026BF9637000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe /?	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe -?	Jump to behavior

Source: C:\Users\user\Desktop\2mtls.exe	Queries volume information: C:\Users\user\Desktop\2mtls.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Queries volume information: C:\Users\user\Desktop\2mtls.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Queries volume information: C:\Users\user\Desktop\2mtls.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Queries volume information: C:\Users\user\Desktop\2mtls.exe VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Sliver Implants

Source: Yara match	File source: 2mtls.exe, type: SAMPLE
Source: Yara match	File source: 0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1142229569.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2mtls.exe PID: 3928, type: MEMORYSTR

Remote Access Functionality

Yara detected Sliver Implants

Source: Yara match	File source: 2mtls.exe, type: SAMPLE
Source: Yara match	File source: 0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1142229569.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2mtls.exe PID: 3928, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2mtls.exe	71%	Virustotal		Browse
2mtls.exe	58%	ReversingLabs	Win64.Trojan.SliverMarte

Domains and IPs

Download Network PCAP: filtered – full

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.61.169.127	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1645394
Start date and time:	2025-03-21 17:46:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2mtls.exe
Detection:	MAL
Classification:	mal68.troj.winEXE@9/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 184.31.69.3, 2.23.227.208, 204.79.197.222, 150.171.29.254, 13.107.253.254
Excluded domains from analysis (whitelisted): www.bing.com, fp.msedge.net, fs.microsoft.com, t-ring-fallback.msedge.net, slscr.update.microsoft.com, t-ring-fdv2.msedge.net, ax-ring-fallback.msedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 17:47:29.254081964 CET	49697	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:47:29.386987925 CET	8443	49697	45.61.169.127	192.168.2.16
Mar 21, 2025 17:47:29.893747091 CET	49697	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:47:30.024806023 CET	8443	49697	45.61.169.127	192.168.2.16
Mar 21, 2025 17:47:30.534459114 CET	49697	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:47:30.666887045 CET	8443	49697	45.61.169.127	192.168.2.16
Mar 21, 2025 17:47:31.181773901 CET	49697	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:47:31.317667007 CET	8443	49697	45.61.169.127	192.168.2.16
Mar 21, 2025 17:47:31.832735062 CET	49697	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:47:31.966953993 CET	8443	49697	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:31.976988077 CET	49705	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:32.981861115 CET	49705	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:34.996768951 CET	49705	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:36.455749035 CET	8443	49705	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:36.957763910 CET	49705	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:37.393513918 CET	8443	49705	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:37.897746086 CET	49705	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:40.244434118 CET	8443	49705	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:48.679126978 CET	49725	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:48.811469078 CET	8443	49725	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:49.317517996 CET	49725	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:49.448748112 CET	8443	49725	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:49.955733061 CET	49725	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:50.088466883 CET	8443	49725	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:50.592578888 CET	49725	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:50.726644039 CET	8443	49725	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:51.231585026 CET	49725	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:51.366413116 CET	8443	49725	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:53.616662979 CET	49726	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:54.627118111 CET	49726	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:56.634968996 CET	49726	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:57.809670925 CET	8443	49726	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:58.312971115 CET	49726	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:58.824978113 CET	8443	49726	45.61.169.127	192.168.2.16
Mar 21, 2025 17:48:59.334995985 CET	49726	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:48:59.440938950 CET	49727	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:49:00.170594931 CET	8443	49726	45.61.169.127	192.168.2.16
Mar 21, 2025 17:49:00.450754881 CET	49727	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:49:00.583482027 CET	8443	49727	45.61.169.127	192.168.2.16
Mar 21, 2025 17:49:01.089818954 CET	49727	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:49:01.224437952 CET	8443	49727	45.61.169.127	192.168.2.16
Mar 21, 2025 17:49:01.724798918 CET	49727	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:49:01.856554985 CET	8443	49727	45.61.169.127	192.168.2.16
Mar 21, 2025 17:49:02.364799023 CET	49727	8443	192.168.2.16	45.61.169.127
Mar 21, 2025 17:49:02.498446941 CET	8443	49727	45.61.169.127	192.168.2.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 17:48:42.570401907 CET	53	64187	1.1.1.1	192.168.2.16

Statistics

CPU Usage

• 2mtls.exe
• cmd.exe
• conhost.exe
• 2mtls.exe
• 2mtls.exe
• 2mtls.exe

Click to jump to process

Memory Usage

• 2mtls.exe
• cmd.exe
• conhost.exe
• 2mtls.exe
• 2mtls.exe
• 2mtls.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	12:47:27
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2mtls.exe"
Imagebase:	0x660000
File size:	15'661'568 bytes
MD5 hash:	17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1142229569.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:48:38
Start date:	21/03/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe"
Imagebase:	0x7ff7e7b10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:48:38
Start date:	21/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6aa7d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:48:47
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit):	false
Commandline:	2mtls.exe
Imagebase:	0x660000
File size:	15'661'568 bytes
MD5 hash:	17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:48:52
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit):	false
Commandline:	2mtls.exe /?
Imagebase:	0x660000
File size:	15'661'568 bytes
MD5 hash:	17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:48:58
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit):	false
Commandline:	2mtls.exe -?
Imagebase:	0x660000
File size:	15'661'568 bytes
MD5 hash:	17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	1https.exe	Get hash	malicious	Sliver	Browse	45.61.169.127
	http://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzQyNDg1MjAxLCJuYmYiOjE3NDI0ODUyMDEsImFjY291bnRfaWQiOiI5MjExNzMxIiwiZGVsaXZlcnlfaWQiOiI2ZGY2cmIydXVwbjY4cnNhdWo0NCIsInRva2VuIjoiNmRmNnJiMnV1cG42OHJzYXVqNDQiLCJzZW5kX2F0IjoxNzQyNDgzOTQ4LCJlbWFpbF9pZCI6MTA1MDc4ODcsImVtYWlsYWJsZV90eXBlIjoiQnJvYWRjYXN0IiwiZW1haWxhYmxlX2lkIjo0MTkzMDc4LCJ1cmwiOiJodHRwOi8vZ2NyLnVwcGxleC5jby5rZT9fX3M9cWMwZ2JsdTk1emZnYmh3ZHp5OG4mdXRtX3NvdXJjZT1kcmlwJnV0bV9tZWRpdW09ZW1haWwmdXRtX2NhbXBhaWduPVdlK2dvdCthK21ha2VvdmVyLiJ9.nJ9tzd3-jhbWgSNwRLHamHKYwZXuNcZIG2E1QBFM5fg	Get hash	malicious	HTMLPhisher	Browse	45.61.169.110
	ATT11027.xhtml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.76
	http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.245.240.188
	AVISO DE COBRO DHL - 1606604473.PDF.exe	Get hash	malicious	DarkCloud	Browse	204.44.192.90
	splx86.elf	Get hash	malicious	Unknown	Browse	64.189.38.253
	resgod.arm5.elf	Get hash	malicious	Mirai	Browse	104.247.172.118
	https://office.mx-senora.com/validate-captcha?user_id=4bP8rZrJvBAKS5wfleIW	Get hash	malicious	Unknown	Browse	45.61.166.78
	Factura - FAT120250320.pdf(94KB).com.exe	Get hash	malicious	DarkTortilla, XWorm	Browse	104.245.240.123
	huawei.elf	Get hash	malicious	Mirai	Browse	104.223.82.201

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.117190676288544
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	2mtls.exe
File size:	15'661'568 bytes
MD5:	17af646cfbb7fcfe4f0f6dbcfc2e31dd
SHA1:	8f8423ec26ccb310950cfd30f705ea211ca5c237
SHA256:	a51690b6e1169a25bac4c016343ede9b47032e31e93508aa78f9499bec49ecb4
SHA512:	dfc0be3f522fbe8b08defa8c260bc94c8fe5fb006c17e3813f3d047c3c2e38afd5c75a0eb5e732782ae95728d9559145881bee93a11ee9b54ff14d7f476901c3
SSDEEP:	98304:a3NEDxPmHdK08B4MATOkEtqr1KUREyTj4nCOe:aNMDB4MoOkEtqr1KUyyPJOe
TLSH:	CCF60903E8962198C4EAD2B489214172F971785C1B7933DF2B61F7B42B727F08E7A791
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...........................@.............................. ............`... ............................

Entrypoint:	0x45d0a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	f0ea7b7844bbc5bfa9bb32efdcea957c

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf38000	0x490	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf39000	0x274ea	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe88040	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x90bf8f	0x90c000	c6a8cc1e5eadb4a1e9e515990cb1e674	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x90d000	0x57a348	0x57a400	383de41ae1a10b3fd5c44c6c92544ab6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe88000	0xaf350	0x41200	4fba39db86a01676293316c950eb23fb	False	0.38813954534548945	data	4.779334866566355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xf38000	0x490	0x600	520ce628015e913ff43b204119edb209	False	0.3359375	data	3.6105306322353172	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xf39000	0x274ea	0x27600	afe604a3d4b32f8e89794fe60821a75f	False	0.14068700396825398	data	5.439219324617001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xf61000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2mtls.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
2mtls.exe