
Windows Analysis Report
2mtls.exe

Overview

General Information

Sample name:2mtls.exe
Analysis ID:1645394
MD5:17af646cfbb7fcfe4f0f6dbcfc2e31dd
SHA1:8f8423ec26ccb310950cfd30f705ea211ca5c237
SHA256:a51690b6e1169a25bac4c016343ede9b47032e31e93508aa78f9499bec49ecb4

Detection

Sliver
Score:68
Range:0 - 100
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
Joe Sandbox ML detected suspicious sample
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Yara signature match

Classification

  • System is w10x64_ra
  • 2mtls.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\2mtls.exe" MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)
  • cmd.exe (PID: 2024 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 2mtls.exe (PID: 4732 cmdline: 2mtls.exe MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)
    • 2mtls.exe (PID: 3928 cmdline: 2mtls.exe /? MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)
    • 2mtls.exe (PID: 4916 cmdline: 2mtls.exe -? MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)
  • cleanup
Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
No configs have been found
Source | Rule | Description | Author | Strings
2mtls.exe | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
2mtls.exe | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0xbb5424:$a1: ).RequestResend
  • 0xba979d:$a2: ).GetPrivInfo
2mtls.exe | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen
  • 0x928a55:$s3: .WGTCPForwarder
  • 0x929fb6:$s3: .WGTCPForwarder
  • 0x92c595:$s3: .WGTCPForwarder
  • 0x92d0bf:$s3: .WGTCPForwarder
  • 0x92fc2b:$s3: .WGTCPForwarder
  • 0x930b29:$s3: .WGTCPForwarder
  • 0x9247e4:$s6: .BackdoorReq
  • 0x9289bf:$s7: .ProcessDumpReq
  • 0x92c186:$s8: .InvokeSpawnDllReq
  • 0x920ac7:$s9: .SpawnDll
  • 0x924902:$s9: .SpawnDll

Source | Rule | Description | Author | Strings
0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0x72e24:$a1: ).RequestResend
  • 0x6719d:$a2: ).GetPrivInfo

Source | Rule | Description | Author | Strings
0.0.2mtls.exe.660000.0.unpack | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0xbb5424:$a1: ).RequestResend
  • 0xba979d:$a2: ).GetPrivInfo
0.0.2mtls.exe.660000.0.unpack | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen
  • 0x928a55:$s3: .WGTCPForwarder
  • 0x929fb6:$s3: .WGTCPForwarder
  • 0x92c595:$s3: .WGTCPForwarder
  • 0x92d0bf:$s3: .WGTCPForwarder
  • 0x92fc2b:$s3: .WGTCPForwarder
  • 0x930b29:$s3: .WGTCPForwarder
  • 0x9247e4:$s6: .BackdoorReq
  • 0x9289bf:$s7: .ProcessDumpReq
  • 0x92c186:$s8: .InvokeSpawnDllReq
  • 0x920ac7:$s9: .SpawnDll
  • 0x924902:$s9: .SpawnDll

No Sigma rule has matched
No Suricata rule has matched

            AV Detection

Source: 2mtls.exe | Virustotal: Detection: 70%
Source: 2mtls.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.8% probability
Source: 2mtls.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.16:49697 -> 45.61.169.127:8443
Source: unknown | TCP traffic detected without corresponding DNS query: 45.61.169.127
Source: 2mtls.exe, 00000000.00000002.2404113576.000000C000194000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_bbaebb25-c

            System Summary

Source: 2mtls.exe, type: SAMPLE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 2mtls.exe, type: SAMPLE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 2mtls.exe, type: SAMPLE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 2mtls.exe, type: SAMPLE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 0.0.2mtls.exe.660000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: classification engine | Classification label: mal68.troj.winEXE@9/0@0/1
            Source: C:\Users\user\Desktop\2mtls.exeFile opened: C:\Windows\system32\3506369760cf325c99ab966f5dc8d1b439595726d411e078c7e7b9e1fdc922b0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
            Source: C:\Users\user\Desktop\2mtls.exeFile opened: C:\Windows\system32\bbdff84da87860b9c50d3b92ea108440b10a50f6bcbc1c43f2f684601100f505AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
            Source: C:\Users\user\Desktop\2mtls.exeFile opened: C:\Windows\system32\ad9eb333d06103b2b4895ece4d79c68b1c3607c831a356d3f18b2658e12c3b42AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
            Source: C:\Users\user\Desktop\2mtls.exeFile opened: C:\Windows\system32\7afc84950546fbb0b05d23eaf7b897b9ee57badfbf3808314923af4785b21a3eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: 2mtls.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\2mtls.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2mtls.exe | Virustotal: Detection: 70%
Source: 2mtls.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\2mtls.exe | File read: C:\Users\user\Desktop\2mtls.exe
Source: unknown | Process created: C:\Users\user\Desktop\2mtls.exe "C:\Users\user\Desktop\2mtls.exe"
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe /?
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\2mtls.exe 2mtls.exe -?
Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\2mtls.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: 2mtls.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 2mtls.exe | Static file information: File size 15661568 > 1048576
Source: 2mtls.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x90c000
Source: 2mtls.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x57a400
Source: 2mtls.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 2mtls.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\2mtls.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\2mtls.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 2mtls.exe, 00000010.00000002.2406057637.00000222D1D75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2mtls.exe, 00000000.00000002.2407699721.000001F98DCFC000.00000004.00000020.00020000.00000000.sdmp, 2mtls.exe, 0000000E.00000002.2406118928.0000027FED1B3000.00000004.00000020.00020000.00000000.sdmp, 2mtls.exe, 0000000F.00000002.2406375017.0000026BF9637000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\2mtls.exe | Queries volume information: C:\Users\user\Desktop\2mtls.exe VolumeInformation

            Stealing of Sensitive Information

Source: Yara match | File source: 2mtls.exe, type: SAMPLE
Source: Yara match | File source: 0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1142229569.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2mtls.exe PID: 3928, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 2mtls.exe, type: SAMPLE
Source: Yara match | File source: 0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1142229569.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2mtls.exe PID: 6284, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2mtls.exe PID: 3928, type: MEMORYSTR
MITRE ATT&CK Matrix (tactic: techniques; a number in front of a technique is the count badge displayed in the report):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 11 Process Injection; 1 DLL Side-Loading; Obfuscated Files or Information
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager
Discovery: 1 Security Software Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 11 Input Capture; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Non-Standard Port; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID: 1645394, Sample: 2mtls.exe, Startdate: 21/03/2025, Architecture: WINDOWS, Score: 68)
Signatures on the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Sliver Implants; Joe Sandbox ML detected suspicious sample.
Process nodes: the start node launches cmd.exe and 2mtls.exe; cmd.exe starts three further 2mtls.exe instances and conhost.exe.
Network node: 2mtls.exe -> 45.61.169.127 (ports 49697, 49705, 49725; ASN-QUADRANET-GLOBALUS, United States).

Source | Detection | Scanner | Label
2mtls.exe | 71% | Virustotal |
2mtls.exe | 58% | ReversingLabs | Win64.Trojan.SliverMarte
No Antivirus matches

No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
45.61.169.127 | unknown | United States | 8100 | ASN-QUADRANET-GLOBALUS | false
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1645394
            Start date and time:2025-03-21 17:46:52 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 7s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:defaultwindowsinteractivecookbook.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:2mtls.exe
            Detection:MAL
            Classification:mal68.troj.winEXE@9/0@0/1
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 20.109.210.53, 184.31.69.3, 2.23.227.208, 204.79.197.222, 150.171.29.254, 13.107.253.254
            • Excluded domains from analysis (whitelisted): www.bing.com, fp.msedge.net, fs.microsoft.com, t-ring-fallback.msedge.net, slscr.update.microsoft.com, t-ring-fdv2.msedge.net, ax-ring-fallback.msedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
45.61.169.127 | 1https.exe | malicious | Sliver
No context
Match | Associated Sample Name / URL | Detection | Threat Name
ASN-QUADRANET-GLOBALUS:
  1https.exe | malicious | Sliver
    • 45.61.169.127
  http://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.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.nJ9tzd3-jhbWgSNwRLHamHKYwZXuNcZIG2E1QBFM5fg | malicious | HTMLPhisher
    • 45.61.169.110
  ATT11027.xhtml | malicious | HTMLPhisher
    • 185.174.100.76
  http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D | malicious | HTMLPhisher
    • 104.245.240.188
  AVISO DE COBRO DHL - 1606604473.PDF.exe | malicious | DarkCloud
    • 204.44.192.90
  splx86.elf | malicious | Unknown
    • 64.189.38.253
  resgod.arm5.elf | malicious | Mirai
    • 104.247.172.118
  https://office.mx-senora.com/validate-captcha?user_id=4bP8rZrJvBAKS5wfleIW | malicious | Unknown
    • 45.61.166.78
  Factura - FAT120250320.pdf(94KB).com.exe | malicious | DarkTortilla, XWorm
    • 104.245.240.123
  huawei.elf | malicious | Mirai
    • 104.223.82.201
No context
              No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.117190676288544
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: 2mtls.exe
File size: 15'661'568 bytes
MD5: 17af646cfbb7fcfe4f0f6dbcfc2e31dd
SHA1: 8f8423ec26ccb310950cfd30f705ea211ca5c237
SHA256: a51690b6e1169a25bac4c016343ede9b47032e31e93508aa78f9499bec49ecb4
SHA512: dfc0be3f522fbe8b08defa8c260bc94c8fe5fb006c17e3813f3d047c3c2e38afd5c75a0eb5e732782ae95728d9559145881bee93a11ee9b54ff14d7f476901c3
SSDEEP: 98304:a3NEDxPmHdK08B4MATOkEtqr1KUREyTj4nCOe:aNMDB4MoOkEtqr1KUyyPJOe
TLSH: CCF60903E8962198C4EAD2B489214172F971785C1B7933DF2B61F7B42B727F08E7A791
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...........................@.............................. ............`... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x45d0a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: f0ea7b7844bbc5bfa9bb32efdcea957c
              Instruction
              jmp 00007F9B1881F680h
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              pushfd
              cld
              dec eax
              sub esp, 000000E0h
              dec eax
              mov dword ptr [esp], edi
              dec eax
              mov dword ptr [esp+08h], esi
              dec eax
              mov dword ptr [esp+10h], ebp
              dec eax
              mov dword ptr [esp+18h], ebx
              dec esp
              mov dword ptr [esp+20h], esp
              dec esp
              mov dword ptr [esp+28h], ebp
              dec esp
              mov dword ptr [esp+30h], esi
              dec esp
              mov dword ptr [esp+38h], edi
              movups dqword ptr [esp+40h], xmm6
              movups dqword ptr [esp+50h], xmm7
              inc esp
              movups dqword ptr [esp+60h], xmm0
              inc esp
              movups dqword ptr [esp+70h], xmm1
              inc esp
              movups dqword ptr [esp+00000080h], xmm2
              inc esp
              movups dqword ptr [esp+00000090h], xmm3
              inc esp
              movups dqword ptr [esp+000000A0h], xmm4
              inc esp
              movups dqword ptr [esp+000000B0h], xmm5
              inc esp
              movups dqword ptr [esp+000000C0h], xmm6
              inc esp
              movups dqword ptr [esp+000000D0h], xmm7
              dec eax
              sub esp, 30h
              dec ecx
              mov ebp, ecx
              dec ecx
              mov edi, eax
              dec eax
              mov edx, dword ptr [00EC6B6Bh]
              dec eax
              mov edx, dword ptr [edx]
              dec eax
              cmp edx, 00000000h
              jne 00007F9B1882334Eh
              dec eax
              mov eax, 00000000h
              jmp 00007F9B18823413h
              dec eax
              mov edx, dword ptr [edx]
              dec eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf38000 | 0x490 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf39000 | 0x274ea | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe88040 | 0x148 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x90bf8f | 0x90c000 | c6a8cc1e5eadb4a1e9e515990cb1e674 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x90d000 | 0x57a348 | 0x57a400 | 383de41ae1a10b3fd5c44c6c92544ab6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe88000 | 0xaf350 | 0x41200 | 4fba39db86a01676293316c950eb23fb | False | 0.38813954534548945 | data | 4.779334866566355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xf38000 | 0x490 | 0x600 | 520ce628015e913ff43b204119edb209 | False | 0.3359375 | data | 3.6105306322353172 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xf39000 | 0x274ea | 0x27600 | afe604a3d4b32f8e89794fe60821a75f | False | 0.14068700396825398 | data | 5.439219324617001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0xf61000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 21, 2025 17:47:29.254081964 CET | 49697 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:47:29.386987925 CET | 8443 | 49697 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:47:29.893747091 CET | 49697 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:47:30.024806023 CET | 8443 | 49697 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:47:30.534459114 CET | 49697 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:47:30.666887045 CET | 8443 | 49697 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:47:31.181773901 CET | 49697 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:47:31.317667007 CET | 8443 | 49697 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:47:31.832735062 CET | 49697 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:47:31.966953993 CET | 8443 | 49697 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:31.976988077 CET | 49705 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:32.981861115 CET | 49705 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:34.996768951 CET | 49705 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:36.455749035 CET | 8443 | 49705 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:36.957763910 CET | 49705 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:37.393513918 CET | 8443 | 49705 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:37.897746086 CET | 49705 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:40.244434118 CET | 8443 | 49705 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:48.679126978 CET | 49725 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:48.811469078 CET | 8443 | 49725 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:49.317517996 CET | 49725 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:49.448748112 CET | 8443 | 49725 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:49.955733061 CET | 49725 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:50.088466883 CET | 8443 | 49725 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:50.592578888 CET | 49725 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:50.726644039 CET | 8443 | 49725 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:51.231585026 CET | 49725 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:51.366413116 CET | 8443 | 49725 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:53.616662979 CET | 49726 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:54.627118111 CET | 49726 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:56.634968996 CET | 49726 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:57.809670925 CET | 8443 | 49726 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:58.312971115 CET | 49726 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:58.824978113 CET | 8443 | 49726 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:48:59.334995985 CET | 49726 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:48:59.440938950 CET | 49727 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:49:00.170594931 CET | 8443 | 49726 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:49:00.450754881 CET | 49727 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:49:00.583482027 CET | 8443 | 49727 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:49:01.089818954 CET | 49727 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:49:01.224437952 CET | 8443 | 49727 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:49:01.724798918 CET | 49727 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:49:01.856554985 CET | 8443 | 49727 | 45.61.169.127 | 192.168.2.16
Mar 21, 2025 17:49:02.364799023 CET | 49727 | 8443 | 192.168.2.16 | 45.61.169.127
Mar 21, 2025 17:49:02.498446941 CET | 8443 | 49727 | 45.61.169.127 | 192.168.2.16
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 21, 2025 17:48:42.570401907 CET | 53 | 64187 | 1.1.1.1 | 192.168.2.16

Target ID: 0
Start time: 12:47:27
Start date: 21/03/2025
Path: C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\2mtls.exe"
Imagebase: 0x660000
File size: 15'661'568 bytes
MD5 hash: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Go lang
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000000.1142229569.00000000011A3000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000000.1142229569.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 10
Start time: 12:48:38
Start date: 21/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\cmd.exe"
Imagebase: 0x7ff7e7b10000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 12:48:38
Start date: 21/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6aa7d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 12:48:47
Start date: 21/03/2025
Path: C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit): false
Commandline: 2mtls.exe
Imagebase: 0x660000
File size: 15'661'568 bytes
MD5 hash: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Go lang
Reputation: low
Has exited: false

Target ID: 15
Start time: 12:48:52
Start date: 21/03/2025
Path: C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit): false
Commandline: 2mtls.exe /?
Imagebase: 0x660000
File size: 15'661'568 bytes
MD5 hash: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Go lang
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 0000000F.00000002.2402545951.000000C000168000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 0000000F.00000002.2402545951.000000C00016C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 0000000F.00000002.2402545951.000000C00013A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 16
Start time: 12:48:58
Start date: 21/03/2025
Path: C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit): false
Commandline: 2mtls.exe -?
Imagebase: 0x660000
File size: 15'661'568 bytes
MD5 hash: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Go lang
Reputation: low
Has exited: false

              No disassembly